What's New in Syhunt 7.1.6.5

July 21, 2025

Syhunt Hybrid 7.1.6.5 now detects the ToolShell backdoor in SharePoint

Syhunt today released Syhunt Hybrid 7.1.6.5, an update that adds automated detection of the newly disclosed “ToolShell” backdoor (CVE-2025-53770 / CVE-2025-53771) affecting on-premises Microsoft SharePoint Servers. The enhancement is available right now to all Syhunt Hybrid customers through the standard updater.

Why this matters

Active exploitation: ToolShell has been weaponised since 18 July 2025, giving attackers unauthenticated remote code execution and full access to SharePoint content. Organisations worldwide are racing to patch vulnerable servers after the emergency Microsoft fixes and the CISA alert issued late yesterday [1]. Even after patching, security teams must verify that no malicious ToolShell artefacts were left behind in code. The Syhunt update includes checks based on the exploit source code, to which Syhunt had access, as well as on details provided by incident response teams who documented the compromises in real time.

Recommended actions for defenders

  1. Apply Microsoft patches to all on-prem SharePoint servers. According to Microsoft’s own guidance, the emergency fixes for the new “ToolShell” SharePoint zero-days (CVE-2025-53770 / CVE-2025-53771) are:
    1. KB5002754 for SharePoint Server 2019.
    2. KB5002768 for SharePoint Server Subscription Edition.
    3. A patch for SharePoint Server 2016 is still pending at the time of writing.
  2. Update Syhunt Hybrid to version 7.1.6.5.
  3. Run a Syhunt Dynamic scan against the server to confirm whether attackers have created any ToolShell backdoors. Use the Application Scan (Default) hunt method.
  4. Run a Syhunt Code scan against: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ and remove the detected backdoors (if any). Use the Application Code Scan (Default) hunt method.
  5. Rotate the SharePoint Server ASP.NET machine keys.

What’s new in Syhunt Hybrid 7.1.6.5

  • DAST: New “SharePoint ToolShell” backdoor check flags live implants during web-layer testing.
  • SAST: Pattern libraries recognise the ToolShell backdoor within any source code repository, including the Web Server Extensions directory.

Contact