Ep 4. ToolShell in the Wild: SharePoint Zero-Day CVE-2025-53770 Explained

In this special episode, host Tova Dvorin sits down with SafeBreach experts Adrian Culley and Tomer Bar to unpack CVE-2025-53770, a zero-day deserialization flaw in on-premises Microsoft SharePoint Server that gives an unauthenticated attacker remote code execution and a route to long-term persistence.

This isn't theoretical. It is being exploited in the wild as part of the evolving ToolShell attack chain.

Here’s what you’ll hear in this episode:

  • Why this zero-day is different, and why Microsoft is advising teams to assume breach
  • No patch for SharePoint Server 2016 at the time of recording, and what that means for defenders
  • How SafeBreach Labs delivered breach and attack simulation (BAS) coverage in under 24 hours
  • Key indicators of compromise (IoCs) to monitor now
  • Lateral movement risks and the footholds attackers can maintain after initial access
  • What CISOs should do immediately to validate whether this is already in their environment

The threat landscape just shifted, and this vulnerability puts Microsoft collaboration environments at the center of it. If your team runs on-premises SharePoint, this brief is essential.

00:00 Intro

01:49 Severity and Implications of the Vulnerability

05:05 Mitigation Strategies

06:40 Security Research

09:46 Final Thoughts