ToolShell; MS SharePoint vulnerability

08 Aug 2025

Situation

On 7 July 2025, researchers from Check Point identified the first signs of exploitation of a critical SharePoint zero-day vulnerability (CVE-2025-53770 / CVE-2025-53771). The vulnerability, dubbed 'ToolShell', was being actively exploited against on-premises SharePoint Servers (SharePoint Online in Microsoft 365 is not affected). Attackers using ToolShell targeted government, telecom, software, financial, education, healthcare and energy organisations in North America, Western Europe and other regions. One threat actor, tracked by Microsoft as 'Storm-2603', has pivoted from espionage to extortion by deploying ransomware.

Problem

CVE-2025-53770 is a patch bypass of an earlier RCE vulnerability (CVE-2025-49704) and is chained with an authentication bypass (CVE-2025-53771, itself a bypass of the fix for CVE-2025-49706). CVE-2025-53771 is considered a variant of the 'ToolShell' zero-day (CVE-2025-53770) and is classified by Microsoft as a SharePoint Server spoofing vulnerability. CVE-2025-53770 is especially dangerous because it allows unauthenticated remote code execution (RCE): an attacker can run arbitrary commands or programs on the vulnerable server without logging in. The vulnerabilities stem from how SharePoint deserializes untrusted data, and they can be triggered remotely with a single specially crafted web request (a POST to the ToolPane.aspx page carrying a forged Referer header, see the IOCs below). Once code runs, the attacker typically drops a web shell that reads the server's ASP.NET machine keys; with those keys, further signed __VIEWSTATE payloads can be crafted that SharePoint accepts as valid, which is why installing the patch alone does not end the compromise.

Risk

Successful exploitation of CVE-2025-53770 gives attackers full control of the server, including deploying web shells, executing arbitrary code and reading sensitive content. This exposes critical information, enables data exfiltration and lets the attacker move laterally, widening the foothold from which malware can be launched. Stolen ASP.NET machine keys (ValidationKey and DecryptionKey) allow attackers to forge valid requests and keep persistent access even after the server has been patched, unless the keys are rotated.

Impact

The impact of this vulnerability is enormous and has escalated rapidly into multiple incidents, including the deployment of Warlock ransomware by the threat actor Storm-2603 and confirmed compromises of government bodies and critical-infrastructure operators, which can lead to major disruption in the affected nations.

Mitigation/Prevention

Given the severity of this vulnerability and its active exploitation, SharePoint servers should be patched as soon as possible. In severe cases, taking the server offline (or at least off the internet) to prevent further exploitation may be required. Microsoft has released patches for SharePoint Subscription Edition (KB5002768), SharePoint Server 2019 (KB5002754) and SharePoint Server 2016 (KB5002760). SharePoint servers that Microsoft no longer supports (EOL/EOS) cannot be patched and should be removed from internet access. Additionally, it is recommended to:

  • Rotate the ASP.NET machine keys twice and restart IIS after patching, to invalidate any keys stolen before the patch; patching without rotation leaves the attacker's forged requests valid.
  • Enable the Windows Antimalware Scan Interface (AMSI) integration on SharePoint servers; the AMSI integration is designed to scan incoming web requests and stop malicious ones before they reach SharePoint endpoints.
  • Block malicious POST requests with Web Application Firewall (WAF) or IPS rules, especially those with Content-Type: application/octet-stream or requests to ToolPane.aspx endpoints carrying a SignOut.aspx Referer;
  • Audit SharePoint layout and administrative privileges and reduce them to the minimum required;
  • Ensure antivirus and EDR solutions are deployed throughout the network, to detect malicious code and block malicious actions (for example the IIS worker process w3wp.exe spawning PowerShell).
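The key-rotation and IIS-restart step above, written out as an added example for the SharePoint Management Shell (this script is not part of the original advisory or of Microsoft's guidance). It assumes the Update-SPMachineKey cmdlet is available on the patched farm (check the Microsoft guidance linked below for your SharePoint version), that the account running it is a farm administrator with local administrator rights on every SharePoint server, and that iisreset.exe can reach those servers remotely; the two-pass loop and the farm-wide restart are this example's choices.

```powershell
# Added example: rotate ASP.NET machine keys for every SharePoint web
# application after patching, then restart IIS on all SharePoint servers.
# Run once, in an elevated SharePoint Management Shell, on one server in the
# farm; the rotation itself is propagated farm-wide by the cmdlet.
# Assumptions: Update-SPMachineKey is available (patched farm) and the caller
# is a farm administrator with local admin rights on each server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Central Administration is a web application too and must not be skipped:
# an attacker holding its keys can forge requests to the admin site.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    # Two passes, as the advisory above recommends.
    foreach ($pass in 1, 2) {
        Write-Host ("Rotating machine keys for {0} (pass {1} of 2)" -f $webApp.Url, $pass)
        Update-SPMachineKey -WebApplication $webApp
    }
}

# Restart IIS on every SharePoint server (database servers show the role
# 'Invalid' in Get-SPServer and run no w3wp.exe), so the worker processes
# load the new keys and drop any in-memory state left behind by an attacker.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $($server.Address)"
    & iisreset.exe $server.Address /restart
}

# Afterwards, confirm the keys really changed: compare the <machineKey>
# element in each web application's web.config with a copy taken before
# rotation, or review the 'Machine Key Rotation Job' history in Central
# Administration (Monitoring > Review job definitions).
```

Run the rotation only after the security update is installed: rotating first and patching afterwards leaves a window in which the still-vulnerable server can hand out the new keys again.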

IOCs
  • spinstall0.aspx (web shell) dropped in the SharePoint TEMPLATE\LAYOUTS directories (hive 15 or 16). SHA-256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
  • Additional malicious file names, such as debug_dev.js (captured PowerShell output) and info3.aspx
  • Unusual .aspx/.ashx files appearing in SharePoint virtual directories
  • POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with a Referer: /_layouts/SignOut.aspx (the forged Referer is the authentication bypass)
  • Subsequent GET request to /_layouts/15/spinstall0.aspx
  • HTTP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
  • Abnormally large or malformed __VIEWSTATE payloads in requests
  • Network traffic or connections to the following IPs observed during and shortly after exploitation (especially mid-July 2025):
    • 191.58[.]76
    • 238.159[.]14
    • 9.125[.]147
    • Other seen addresses: 103.186.30[.]186, 45.77.155[.]170, 139.144.199[.]41, 172.174.82[.]132
  • Instances of w3wp.exe spawning encoded PowerShell (e.g. cmd.exe /c powershell.exe -EncodedCommand …) that writes to LAYOUTS paths or runs spinstall0 extraction routines
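An added hunting script (not from the original advisory) that checks a SharePoint server for the file-system and web-log indicators listed above: it hashes the .aspx/.ashx/.js files under the 15 and 16 hive LAYOUTS directories against the known spinstall0.aspx hash and file names, and parses IIS W3C logs for the ToolPane.aspx POST with a SignOut.aspx Referer, requests for spinstall0.aspx, the Firefox/120 User-Agent and the fully listed IPs. The sample log lines are constructed for this example; the LAYOUTS paths, the default IIS log field set, the 2025-07-07 date and the function names are assumptions.

```powershell
# Added example (not from the original advisory): hunt for the ToolShell
# indicators on a SharePoint server. Sample log lines below are constructed;
# paths, log field names and the cut-off date are assumptions.

$KnownBadHashes = @('92BB4DDB98EEAF11FC15BB32E71D0A63256A0ED826A03BA293CE3A8BF057A514')  # spinstall0.aspx
$KnownBadNames  = @('spinstall0.aspx', 'info3.aspx', 'debug_dev.js')
$KnownBadIps    = @('103.186.30.186', '45.77.155.170', '139.144.199.41', '172.174.82.132')
# IIS writes spaces in cs(User-Agent) as '+', so encode the IOC string the same way.
$ToolShellUA    = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0' -replace ' ', '+'

# Part 1: files in the LAYOUTS directories matching a known hash or name, plus
# any .aspx/.ashx changed since exploitation began. The last check is lower
# confidence: the July update itself rewrites LAYOUTS files, so compare those
# hits against the file list of the installed KB.
function Find-SuspiciousLayoutFiles {
    param(
        [string[]]$LayoutsDirs = @(
            "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
            "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
        ),
        [datetime]$ModifiedSince = (Get-Date '2025-07-07')   # first observed exploitation (assumed cut-off)
    )
    foreach ($dir in $LayoutsDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.js) {
            $hash    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            $reasons = @()
            if ($KnownBadHashes -contains $hash)     { $reasons += 'known-hash' }
            if ($KnownBadNames  -contains $file.Name) { $reasons += 'known-name' }
            if (($file.Extension -in @('.aspx', '.ashx')) -and $file.LastWriteTime -gt $ModifiedSince) {
                $reasons += 'modified-after-cutoff'
            }
            if ($reasons) {
                [pscustomobject]@{ Path = $file.FullName; SHA256 = $hash; Reason = ($reasons -join ',') }
            }
        }
    }
}

# Part 2: parse IIS W3C log lines (field order taken from the '#Fields:'
# header, so non-default layouts also work) and flag the exploitation chain.
function Find-ToolShellRequests {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or $fields.Count -eq 0) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }

        $stem = $entry['cs-uri-stem']; $query = $entry['cs-uri-query']; $referer = $entry['cs(Referer)']
        $reasons = @()
        # Auth bypass: POST to ToolPane.aspx in edit mode with a SignOut.aspx Referer.
        # IIS logs the Referer as a full URL, hence the leading wildcard.
        if ($entry['cs-method'] -eq 'POST' -and $stem -like '*/ToolPane.aspx' -and
            $query -like '*DisplayMode=Edit*' -and $referer -like '*/_layouts/SignOut.aspx*') {
            $reasons += 'toolpane-signout-referer'
        }
        if ($stem -like '*spinstall0*')                        { $reasons += 'spinstall0' }
        if ($entry['cs(User-Agent)'] -eq $ToolShellUA)         { $reasons += 'toolshell-ua' }
        if ($KnownBadIps -contains $entry['c-ip'])             { $reasons += 'known-ip' }
        if ($reasons) {
            [pscustomobject]@{
                Time = "$($entry['date']) $($entry['time'])"; Client = $entry['c-ip']
                Method = $entry['cs-method']; Uri = "$stem?$query"; Reason = ($reasons -join ',')
            }
        }
    }
}

# Constructed sample log: one benign request, then the ToolShell chain.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0)+Edge/126.0 - 200 0 0 120
2025-07-18 14:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 103.186.30.186 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.contoso.com/_layouts/SignOut.aspx 200 0 0 431
2025-07-18 14:05:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 103.186.30.186 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 88
'@ -split "`r?`n"

Find-ToolShellRequests -LogLines $SampleLog | Format-Table -AutoSize   # flags the two 103.186.30.186 lines
Find-SuspiciousLayoutFiles | Format-Table -AutoSize
# Real logs (assumed default location):
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' | ForEach-Object { Find-ToolShellRequests -LogLines (Get-Content $_.FullName) }
```

The log parser flags on any one indicator so that a changed User-Agent or source IP still surfaces the ToolPane.aspx/SignOut.aspx pattern, which is the part of the chain the attacker cannot vary without losing the authentication bypass. A hit on 'modified-after-cutoff' alone is not proof of compromise; a hit on 'known-hash' or 'known-name' is.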

Links
https://www.bitsight.com/blog/toolshell-threat-brief-sharepoint-rce-vulnerabilities-cve-2025-53770-53771-explained 
https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-rce-vulnerability-microsoft-sharepoint-server-cve-2025-53770ce
https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/
https://www.security.com/threat-intelligence/toolshell-zero-day-sharepoint-cve-2025-53770
https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration