On July 19, 2025, Microsoft announced the discovery of CVE-2025-53770, a critical zero-day Remote Code Execution vulnerability affecting various versions of SharePoint Server, with a CVSS score of 9.8. This vulnerability, caused by improper deserialization of untrusted data, allows remote attackers to execute arbitrary code and access cryptographic machine keys, enabling persistent unauthorized access. The exploit chain, known as "ToolShell," proceeds through stages of authentication bypass, remote code execution, and long-term access retention, making it particularly threatening. After it was demonstrated at the Pwn2Own competition, threat actors were observed exploiting this vulnerability, prompting Cloudflare to develop and deploy emergency Web Application Firewall (WAF) Managed Rules to mitigate the threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with an urgent remediation deadline, emphasizing the need for organizations with on-premises SharePoint servers to assume possible compromise and take immediate action.