ToolShell: A Critical SharePoint Exploitation Chain Hits Enterprises Globally


In July 2025, Eye Security uncovered mass exploitation of a new unauthenticated Remote Code Execution (RCE) vulnerability chain targeting on-premise Microsoft SharePoint servers. The exploit, dubbed ToolShell, was first demonstrated by Code White GmbH and later adapted for real-world attacks, making it one of the most critical SharePoint vulnerabilities since CVE-2021-28474. Microsoft assigned the identifiers CVE-2025-53770 and CVE-2025-53771 to this exploit chain.

Severity Level: Critical

Vulnerability Details

  • CVE IDs:
    • CVE-2025-53770 (variant of CVE-2025-49704)
    • CVE-2025-53771 (variant of CVE-2025-49706)
  • Vulnerability Type: Unauthenticated Remote Code Execution via .NET deserialization and ViewState abuse
  • Exploit Chain: Authentication bypass → Arbitrary file write → Cryptographic key extraction → RCE via ViewState deserialization
  • Affected Products:
    • Microsoft SharePoint Server Subscription Edition
    • Microsoft SharePoint Server 2019
    • Microsoft SharePoint Enterprise Server 2016

Root Cause

  • Flawed logic in SharePoint’s handling of .aspx pages allowed unauthenticated POST requests to reach ToolPane.aspx.
  • The attacker set the Referer header to /_layouts/SignOut.aspx, which bypassed authentication controls.
  • Vulnerable SharePoint pages did not validate session or token states before executing code paths allowing file uploads and ViewState deserialization.

Exploitation Of The Vulnerability

  1. Initial Access: POST request to /_layouts/15/ToolPane.aspx with the Referer header set to /_layouts/SignOut.aspx.
  2. File Write: Attacker drops spinstall0.aspx into C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS
  3. Key Extraction: The ASPX file dumps cryptographic secrets such as the ValidationKey and ValidationAlgorithm using internal .NET APIs.
  4. RCE via ysoserial:
    • Using ysoserial.exe, attackers craft malicious ViewState payloads signed with the stolen keys.
    • Malicious payloads are executed on the server, enabling arbitrary command execution.

Mitigation

To mitigate potential attacks, customers should:

  • Use supported versions of on-premises SharePoint Server
  • Apply the latest security updates, including the July 2025 Security Update
  • Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus
  • Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
  • Rotate SharePoint Server ASP.NET machine keys

Recommendations

  1. Monitor for unauthenticated POST requests to /_layouts/15/ToolPane.aspx with the Referer header set to /_layouts/SignOut.aspx. This indicates attempted exploitation of CVE-2025-53770.
  2. Look for the creation of the file spinstall0.aspx in SharePoint layout directories, specifically C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\ or C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS. This file is a known indicator of successful post-exploitation.
  3. Detect w3wp.exe (IIS worker process) spawning cmd.exe and powershell.exe with encoded commands that contain references to spinstall0 or the SharePoint layout paths. This indicates post-exploitation activity to drop the web shell.
  4. Configure and monitor Microsoft Defender Antivirus for detections named Exploit:Script/SuspSignoutReq.A and Trojan:Win32/HijackSharePointServer.A.
  5. Pay close attention to Microsoft Defender for Endpoint alerts such as “Possible web shell installation,” “Possible exploitation of SharePoint server vulnerabilities,” “Suspicious IIS worker process behavior,” “IIS worker process loaded suspicious .NET assembly,” and alerts indicating SuspSignoutReq or HijackSharePointServer malware.
  6. If you have verified that you are compromised, act immediately. Follow Microsoft’s advisory and make sure to:
    • Isolate or shut down affected SharePoint servers. Blocking via firewall is not enough as persistence may already exist.
    • Renew all credentials and system secrets that could have been exposed via the malicious ASPX.
    • Conduct deep forensic analysis including IIS logs and memory dumps.
    • Engage with incident response firms if internal resources are insufficient.
  7. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/8b041bdbcc2cb333a65c3b76c6a3280a8677bc65837f3b63220537d5fd58385e/iocs
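The following Python script is an added illustration of recommendations 1 to 3 above; it is not code from the advisory or from any of its sources. It parses IIS W3C extended logs and flags unauthenticated-style POST requests to ToolPane.aspx whose Referer is SignOut.aspx, as well as any request for spinstall0.aspx, and it screens process-creation events for w3wp.exe spawning cmd.exe or powershell.exe, decoding PowerShell -EncodedCommand arguments to look for references to spinstall0 or the SharePoint LAYOUTS path. The log lines, the process-event shape (parent/image/cmdline keys) and the event contents are constructed for the example. It generalizes slightly beyond the text: it accepts both the /_layouts/15/ and /_layouts/16/ forms of the paths, and Referer values given either as a relative path or as a full URL.

```python
"""ToolShell detection helpers over IIS W3C logs and process-creation events.

Added example; not code from the advisory, Microsoft or Eye Security.
All sample data below is constructed for illustration.
"""
import base64
import re
from urllib.parse import urlsplit

# --- Constructed IIS W3C extended log excerpt (field order comes from the #Fields line) ---
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:10:03 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.21 Mozilla/5.0 https://sp.example.internal/ 200
2025-07-18 22:11:47 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 203.0.113.44 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 22:11:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.44 Mozilla/5.0 - 200
2025-07-18 22:12:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 10.0.0.21 Mozilla/5.0 https://sp.example.internal/_layouts/15/settings.aspx 200
"""

TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
SIGNOUT = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.I)
WEBSHELL = re.compile(r"/spinstall0\.aspx$", re.I)


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))


def classify_request(entry):
    """Return an indicator tag for a parsed request, or None if it looks normal."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "")
    referer = entry.get("cs(Referer)", "-")
    ref_path = urlsplit(referer).path if referer != "-" else ""  # relative path or full URL
    if method == "POST" and TOOLPANE.search(stem) and SIGNOUT.search(ref_path):
        return "toolpane-post-signout-referer"
    if WEBSHELL.search(stem):
        return "spinstall0-request"
    return None


def find_iis_indicators(text):
    """Return [(timestamp, client_ip, tag)] for every suspicious request in an IIS log."""
    hits = []
    for e in parse_iis_w3c(text):
        tag = classify_request(e)
        if tag:
            hits.append((f"{e['date']} {e['time']}", e["c-ip"], tag))
    return hits


# --- Constructed process-creation events (generic shape, not a specific EDR schema) ---
def _encoded(cmd):
    """Build a PowerShell -EncodedCommand argument (UTF-16LE, base64) for the sample events."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


LAYOUTS16 = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
SAMPLE_PROCESS_EVENTS = [
    # benign: an administrator's own shell, not spawned by IIS
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _encoded("Get-Date")},
    # suspicious: IIS worker process spawning a shell, no web-shell reference
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    # the post-exploitation pattern from the advisory: encoded command naming spinstall0.aspx in LAYOUTS
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + _encoded(f"Set-Content -Path '{LAYOUTS16}\\spinstall0.aspx' -Value '<placeholder>'")},
]

ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
LAYOUTS_PATH = re.compile(r"web server extensions\\(?:15|16)\\template\\layouts", re.I)


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument; return "" if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def classify_process(ev):
    """Tag w3wp.exe -> cmd/powershell spawns; escalate when spinstall0 or LAYOUTS is referenced."""
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    if parent != "w3wp.exe" or image not in ("cmd.exe", "powershell.exe"):
        return None
    haystack = ev["cmdline"] + "\n" + decode_encoded_command(ev["cmdline"])
    if "spinstall0" in haystack.lower() or LAYOUTS_PATH.search(haystack):
        return "w3wp-shell-spinstall-reference"
    return "w3wp-shell-spawn"


def find_process_indicators(events):
    """Return [(event_index, tag)] for every event that matches a w3wp shell-spawn pattern."""
    return [(i, classify_process(ev)) for i, ev in enumerate(events) if classify_process(ev)]


if __name__ == "__main__":
    for hit in find_iis_indicators(SAMPLE_IIS_LOG):
        print("IIS:", *hit)
    for hit in find_process_indicators(SAMPLE_PROCESS_EVENTS):
        print("PROC:", *hit)
```

In production the IIS parser would be pointed at the files under the site's LogFiles directory and the process classifier fed from Sysmon Event ID 1 or an EDR export; the two tag levels let a w3wp-spawned shell be triaged on its own while a spinstall0 or LAYOUTS reference is escalated to the compromise steps in recommendation 6.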

Sources:

  • https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
  • https://research.eye.security/sharepoint-under-siege/
  • https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-07-19-Microsoft-SharePoint-vulnerabilities-CVE-2025-49704-and-49706.txt
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770



Ampcus Cyber