Breaking: Critical SharePoint Vulnerability Actively Exploited in the Wild

Just hours after Eye Security broke the news about CVE-2025-53770 (dubbed "ToolShell"), a critical unauthenticated remote code execution vulnerability affecting all on-premises SharePoint servers, IRIS C2 customers already have access to a fully-featured exploitation module. While Microsoft scrambles to develop patches and organizations worldwide assess their exposure, IRIS C2 operators can immediately begin testing and securing their environments.

The vulnerability, which carries a CVSS score of 9.8, affects SharePoint Server 2016, 2019, and Subscription Edition. As of this writing, Microsoft has not released any patches, and given the nature of on-premises deployments, many organizations will remain vulnerable for weeks or even months to come.

Immediate Response: The IRIS C2 SharePoint Exploit Module

Our security research team worked through the night to deliver a production-ready module that enables:

• Automated scanning for vulnerable SharePoint servers
• One-click exploitation with full RCE capabilities
• Cryptographic key extraction for persistent access
• Complete post-exploitation framework
• Anti-forensics and evasion techniques

Automated Target Discovery

The module begins with intelligent reconnaissance, automatically identifying SharePoint installations across your target network. Our scanning engine fingerprints server versions, identifies vulnerable endpoints, and assesses the security posture of each target before exploitation attempts.

Flexible Payload Deployment

Choose from a comprehensive arsenal of payloads tailored for different operational requirements. Whether you need immediate access, persistent backdoors, or data exfiltration capabilities, the module provides pre-configured options that integrate seamlessly with IRIS C2's command and control infrastructure.

Real-Time Exploitation

Watch as the module executes the exploit chain in real-time, providing detailed feedback on each stage of the attack. The interface displays connection status, payload delivery confirmation, and immediate post-exploitation results, giving operators complete visibility into the compromise process.

Comprehensive Post-Exploitation

Once initial access is achieved, the module transitions seamlessly into post-exploitation activities. Extract sensitive data, establish persistence mechanisms, and leverage SharePoint's privileged position within the enterprise infrastructure to expand your operational footprint.

Stay Protected

The IRIS C2 team continues to monitor this evolving situation. We'll provide updates to the module as new information becomes available, including:

• Additional evasion techniques
• New IOCs from active campaigns
• Enhanced post-exploitation capabilities
• Defensive recommendations

Furthermore, we are closely monitoring efforts by defenders to fortify their systems, including the development of new YARA rules to detect this exploit. IRIS C2 is committed to keeping this module updated to overcome these defensive measures, ensuring its continued effectiveness and extending its useful service life for our operators.

For our customers, this is just another example of how IRIS C2 delivers cutting-edge capabilities when you need them most. While others are still reading about vulnerabilities, you're already equipped to exploit them.

To learn more, please contact support@IRISC2.com