Ep. 4: ToolShell in the Wild: SharePoint Zero-Day CVE-2025-53770 Explained

In this urgent Cyber Resilience Brief, host Tova Dvorin is joined by SafeBreach experts Adrian Culley and Tomer Bar to break down CVE-2025-53770, a critical zero-day vulnerability actively exploited in Microsoft SharePoint Server. Known as part of the ToolShell attack chain, this deserialization flaw allows unauthenticated remote code execution and persistence — and it’s already being used in the wild. We discuss: What makes this vulnerability so dangerous (hint: there's no patch for Sha...

In this urgent Cyber Resilience Brief, host Tova Dvorin is joined by SafeBreach experts Adrian Culley and Tomer Bar to break down CVE-2025-53770, a critical zero-day vulnerability actively exploited in Microsoft SharePoint Server. Known as part of the ToolShell attack chain, this deserialization flaw allows unauthenticated remote code execution and persistence — and it’s already being used in the wild.

We discuss:

• What makes this vulnerability so dangerous (hint: there's no patch for SharePoint 2016 yet)

• Why Microsoft is advising customers to assume breach

• How SafeBreach Labs responded within 24 hours with new BAS coverage

• Specific indicators of compromise (IoCs) and mitigation advice

• Why this attack demands urgent attention from security teams and CISOs alike

Whether you're a SafeBreach customer or just trying to stay ahead of emerging threats, this episode delivers the critical insights you need — fast.

🔗 For more information on today's CVE, check out our post on the SafeBreach blog.