ToolShell SharePoint Exploit: A Devastating Global RCE Threat Exposed

SharePoint Under Siege: The Rise of the ToolShell Exploit Chain

A dangerous new attack campaign has struck Microsoft SharePoint servers worldwide. Researchers at Eye Security have uncovered a sophisticated exploitation chain known as ToolShell, which combines two zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771. First detected on July 18, 2025, the attack enables full remote code execution (RCE) on on-premises SharePoint servers without any authentication, granting threat actors complete control over affected systems.

This chain builds on older flaws demonstrated at Pwn2Own Berlin, CVE-2025-49706 and CVE-2025-49704. The attackers send requests to the SharePoint endpoint /_layouts/15/ToolPane.aspx with a crafted HTTP Referer header to bypass authentication and inject a malicious PowerShell payload. Once that payload runs, it drops a rogue ASPX file named spinstall0.aspx deep within the SharePoint directory structure. This file acts as a cryptographic key dumper, extracting secrets such as the ValidationKey and DecryptionKey from the server’s configuration.

With these keys, attackers can forge valid ViewState tokens, granting them persistent backdoor access and the ability to run any command as a legitimate admin. The attack mirrors the CVE-2021-28474 flaw but is now far more dangerous due to its unauthenticated nature.

Eye Security’s scan across 8,000+ environments shows that dozens of SharePoint servers have already been compromised, especially between July 18–19, with malicious traffic traced back to IPs including 107.191.58.76 and 104.238.159.149. These operations primarily used Mozilla Firefox 120.0 user agents, indicating a deliberate effort to obfuscate identity.

Microsoft has acknowledged the severity of these exploits, issuing urgent advisories. Affected organizations are strongly advised to isolate infected servers, rotate all keys, and conduct full forensic audits. Simply shutting down access won’t stop the threat — attackers may have already planted persistent backdoors.

This breach highlights the growing danger of RCE exploits combined with cryptographic key theft, turning even well-secured enterprise environments into sitting targets. As organizations scramble to respond, ToolShell serves as a chilling reminder of how fast, deep, and silent modern cyberattacks can go.

What Undercode Says: A Deeper Look Into the ToolShell Threat

Exploitation Through Legacy Vulnerabilities

ToolShell’s power lies in its creative re-use of CVE-2025-49706 and CVE-2025-49704, both previously demonstrated at hacking contests like Pwn2Own. Instead of relying on new zero-days, attackers stitched together known weaknesses to bypass authentication layers. This reflects a growing trend in vulnerability chaining, where older bugs become lethal when combined in new ways.

Weaponization of SharePoint Functionality

The use of /_layouts/15/ToolPane.aspx together with /_layouts/SignOut.aspx is particularly clever. The SignOut endpoint normally just terminates a session, but here its URL is placed in the Referer header of the ToolPane request, and SharePoint accepts that request as if it came from a legitimate page flow. The forged Referer makes the system believe a legitimate user is modifying configuration, so the normal checks are bypassed.
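The request pattern described above (ToolPane.aspx reached with a SignOut.aspx Referer, followed by requests to spinstall0.aspx) is something a defender can look for directly in IIS access logs. The script below is an added example, not code from the article or from Eye Security. It parses the standard IIS W3C format using the #Fields header, flags the endpoint/Referer combination, follow-up requests to the key-dumper file, and the source IPs and Firefox 120.0 user agent quoted in the article. The log lines embedded in SAMPLE_LOG are constructed for the demonstration and are not real telemetry; the hostname sharepoint.example.com and the internal addresses are placeholders.

```python
"""Triage IIS W3C access logs for the ToolShell request pattern described in the
article: a ToolPane.aspx request whose Referer points at SignOut.aspx, follow-up
requests to spinstall0.aspx, and the published source IPs / user agent.
Added example, not code from the article or from Eye Security."""
import re
from dataclasses import dataclass, field

# Indicators quoted in the article
IOC_IPS = {"107.191.58.76", "104.238.159.149"}
IOC_USER_AGENT = re.compile(r"Firefox/120\.0")
TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL = "spinstall0.aspx"

# Constructed sample log (not real telemetry). IIS encodes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126.0 https://sharepoint.example.com/ 200 0 0 120
2025-07-18 14:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sharepoint.example.com/_layouts/SignOut.aspx 200 0 0 480
2025-07-18 14:05:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 35
2025-07-18 14:20:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CONTOSO\\bob 10.0.0.88 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126.0 https://sharepoint.example.com/sites/hr/default.aspx 200 0 0 210
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reasons: list = field(default_factory=list)


def parse_w3c(lines):
    """Yield (line_no, {field: value}) per entry, mapping columns from the #Fields header."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip rather than guess which column is which
        yield n, dict(zip(fields, parts))


def triage(lines):
    """Return a Finding for every log entry that matches at least one ToolShell indicator."""
    findings = []
    for n, row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "").lower()
        referer = row.get("cs(Referer)", "").lower()
        ua = row.get("cs(User-Agent)", "")
        ip = row.get("c-ip", "")
        reasons = []
        # Legitimate admins also hit ToolPane.aspx, so the SignOut Referer is the discriminator
        if uri.endswith(TOOLPANE) and SIGNOUT_REFERER in referer:
            reasons.append("ToolPane.aspx request with SignOut.aspx Referer (auth bypass pattern)")
        if uri.endswith(WEBSHELL):
            reasons.append("request to spinstall0.aspx (key-dumper web shell)")
        if ip in IOC_IPS:
            reasons.append(f"source IP {ip} listed in published IoCs")
        # The user agent is only corroborating evidence; on its own it is far too common
        if reasons and IOC_USER_AGENT.search(ua):
            reasons.append("user agent matches campaign UA (Firefox 120.0)")
        if reasons:
            findings.append(Finding(n, ip, reasons))
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in triage(source):
        print(f"line {f.line_no} from {f.client_ip}:")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against a real log with `python toolshell_triage.py u_ex250718.log` (the file name is whatever IIS wrote for the day in question). The Referer condition matters: ToolPane.aspx is used by every administrator who edits a page, so alerting on the endpoint alone produces noise, while a SignOut.aspx Referer on that endpoint has no legitimate reason to appear. The user agent is deliberately treated as corroboration only, since Firefox 120.0 is an ordinary browser string.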

Deployment of Fileless Malware Components

ToolShell doesn’t rely heavily on dropping binary malware. Instead, it deploys an ASPX backdoor (spinstall0.aspx) that uses PowerShell and .NET reflection to operate in-memory. This means many traditional antivirus tools may fail to detect the intrusion.

Extraction of Cryptographic Secrets

What makes ToolShell especially dangerous is its ability to steal the MachineKey configuration. The ValidationKey and DecryptionKey are critical to ViewState integrity in ASP.NET. With these, attackers can forge authenticated requests without real credentials, turning a one-off exploit into a persistent RCE vector whose traffic looks legitimate.

Abuse of ysoserial and ViewState Forgery

Armed with stolen crypto keys, attackers use ysoserial, a popular tool for generating malicious .NET payloads. These payloads, signed with stolen keys, get executed as if they were issued by SharePoint itself. This approach echoes CVE-2021-28474, but ToolShell takes it further by completely skipping the authentication phase.

Global Spread and Operational Complexity

The use of common user agents like Mozilla Firefox 120.0 and wide-ranging IP addresses shows operational sophistication. These aren’t random hackers — this is likely the work of an organized APT group. The fact that the campaign was detected across multiple continents in a single day implies pre-planned, coordinated deployment.

Microsoft’s Emergency Response

Microsoft’s confirmation of CVE-2025-53770 and CVE-2025-53771 validates the exploit’s legitimacy. The tech giant rarely issues advisories without deep vetting. This means enterprises need to treat this with the highest urgency, rotating all cryptographic material and scanning for unauthorized ASPX files in critical directories.

Long-Term Impact on Enterprise Security

Organizations using on-premises SharePoint are now at a serious disadvantage. Unlike cloud-hosted environments that get automatic patches and behavioral analytics, many on-prem setups lack real-time threat detection. This makes ToolShell a perfect storm for legacy enterprises, especially those in government, legal, and finance sectors.

Forensic Challenges and Hidden Persistence

Even after patching, ToolShell leaves behind residual backdoors, particularly those linked to ViewState abuse. Attackers can regenerate access at any time unless crypto keys are fully rotated. Forensic teams must hunt for indicators like the spinstall0.aspx hash (SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514) to identify infected environments.
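The hash hunt the paragraph above calls for can be scripted. The following is an added example, not the article's or Eye Security's code: it walks a directory tree, reports any file named spinstall0.aspx, and hashes server-side script files against the SHA256 IoC quoted in the article. Name and hash are checked independently, because a renamed copy keeps its hash while an edited copy keeps its name. The extension list in SUSPECT_EXT, the extra_hashes parameter and the directory layout built by demo_scan() are assumptions for the demonstration; the files it writes are placeholders and not the real shell.

```python
"""Hunt a SharePoint web front end for the spinstall0.aspx key dumper using the
file name and the SHA256 published in the article.
Added example, not the article's or Eye Security's code. The sample tree built by
demo_scan() is constructed; its contents are placeholders, not the real shell."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

IOC_SHA256 = {"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"}  # from the article
IOC_NAMES = {"spinstall0.aspx"}
# Assumption: server-side script types worth hashing on a SharePoint front end
SUSPECT_EXT = {".aspx", ".ashx", ".asmx"}


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, extra_hashes=()):
    """Return sorted (relative_path, reason) pairs for files that match an IoC.
    Name and hash are checked independently: a renamed copy keeps its hash,
    while an edited or recompiled shell keeps its name."""
    known = IOC_SHA256 | set(extra_hashes)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = str(full.relative_to(root))
            if name.lower() in IOC_NAMES:
                hits.append((rel, "filename matches published IoC"))
            if full.suffix.lower() in SUSPECT_EXT:
                try:
                    digest = sha256_of_file(full)
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                if digest in known:
                    hits.append((rel, f"sha256 {digest} matches known IoC"))
    return sorted(hits)


def demo_scan():
    """Build a constructed LAYOUTS-style tree and return {file_name: [reasons]}."""
    with tempfile.TemporaryDirectory() as tmp:
        layouts = Path(tmp) / "TEMPLATE" / "LAYOUTS"
        layouts.mkdir(parents=True)
        (layouts / "default.aspx").write_bytes(b"<%@ Page %> benign page")
        placeholder = b"constructed placeholder, not the real shell"
        (layouts / "spinstall0.aspx").write_bytes(placeholder)
        (layouts / "helper.aspx").write_bytes(placeholder)  # same content under another name
        # Treat the placeholder's hash as "known bad" so the renamed copy is caught by hash
        hits = hunt(tmp, extra_hashes={sha256_of_file(layouts / "helper.aspx")})
    summary = {}
    for rel, reason in hits:
        summary.setdefault(Path(rel).name, []).append(reason)
    return summary


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, reason in hunt(sys.argv[1]):
            print(f"{rel}: {reason}")
    else:
        for name, reasons in demo_scan().items():
            print(name, reasons)
```

On a SharePoint 2016/2019/Subscription Edition server the layouts tree usually lives under `C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS`, so `python hunt_spinstall.py "<that path>"` covers the location the article's IoC concerns; pass the web application roots under inetpub as well if you want the whole front end swept. A clean result is evidence, not proof: variants with a different hash or name would not match, which is why the article still insists on rotating the machine keys regardless of what the file hunt finds.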

Industry-Wide Implications

ToolShell signals a new chapter in post-authentication exploit development, where crypto theft and legacy endpoint manipulation become core tactics. It’s no longer enough to secure your credentials — you must secure your server’s foundational secrets.

🔍 Fact Checker Results

✅ Microsoft has confirmed CVE-2025-53770 and CVE-2025-53771 as actively exploited.
✅ Crypto key extraction via ViewState forgery is consistent with past .NET exploits.
✅ The campaign was verified across multiple organizations using Eye Security telemetry.

📊 Prediction

Expect rapid adoption of ToolShell techniques across cybercrime groups due to its unauthenticated access and persistent backdoors. Legacy SharePoint environments will face increased probing in coming months, especially those not updated to address the new CVEs. Security vendors may rush to develop ViewState token analyzers and real-time crypto integrity checkers to mitigate the growing threat.

References:

Reported By: cyberpress.org