ToolShell zero-days exploited against SharePoint servers

July 24, 2025 at 12:00 AM

Threat actors are racing to weaponize ToolShell, a pair of zero‑day vulnerabilities in Microsoft SharePoint Server. ESET Research observed widespread exploitation beginning July 17, 2025, by both opportunistic criminals and China‑aligned APT groups. SharePoint Online is unaffected; on‑premises deployments face unauthenticated remote code execution, with MFA and SSO bypassed, followed by webshell installation, lateral movement, and data theft.

What is ToolShell and who’s at risk

  • CVE‑2025‑53770: Remote code execution (RCE)
  • CVE‑2025‑53771: Spoofing (Microsoft's "SharePoint Server Spoofing Vulnerability"), used in the chain to bypass authentication
  • Affected: On‑prem SharePoint Subscription Edition, 2019, and 2016
  • Not affected: SharePoint Online (Microsoft 365)
  • Status: As of July 22, 2025, both ToolShell CVEs are patched for all three supported versions; exploitation continues against servers that have not installed the update

How the attacks unfold

  • Actors frequently chain four flaws: CVE‑2025‑49704 (RCE) and CVE‑2025‑49706 (spoofing), fixed in the July 8, 2025 Patch Tuesday release, plus CVE‑2025‑53770 and CVE‑2025‑53771, which bypass those fixes; a server patched only on July 8 is therefore still exploitable
  • The chain needs no credentials: the spoofing bugs bypass authentication, so MFA and SSO never come into play; the RCE bugs then let the attacker write webshells to disk, execute commands via cmd.exe, and exfiltrate data

Observed payloads

  • spinstall0.aspx (ESET detection name MSIL/Webshell.JS): less a command shell than a key stealer; it returns the server's ASP.NET MachineKey (ValidationKey and DecryptionKey), which is why Microsoft's guidance includes rotating those keys after patching
  • Additional simple ASP webshells: ghostfile346.aspx, ghostfile399.aspx, ghostfile807.aspx, ghostfile972.aspx, ghostfile913.aspx

Timeline and scope

  • First exploit attempt detected July 17 in Germany (blocked); first payload observed July 18 on a server in Italy
  • Global activity observed; the US is the top target by volume (13.3% of attacks)
  • Numerous attacking IPs across multiple hosting providers (e.g., The Constant Company/Vultr, DigitalOcean, BL Networks, Kaopu Cloud, xTom)

APT involvement

  • Microsoft reports multiple China‑aligned actors exploiting the chain
  • ESET detected a LuckyMouse‑linked backdoor on a Vietnam machine targeted via ToolShell; whether it was pre‑existing or introduced during this wave is still being evaluated

Why it matters

  • SharePoint’s deep integration with Office, Teams, OneDrive, and Outlook means a single compromise can grant broad access across an organization’s Microsoft ecosystem

Immediate actions (Microsoft guidance)

  • Run only supported SharePoint Server versions (Subscription Edition, 2019, 2016); SharePoint 2013 and earlier receive no fix
  • Apply the July 2025 security updates without delay; the fix for CVE‑2025‑53770/53771 supersedes the July 8 fix for CVE‑2025‑49704/49706, which the attackers bypass
  • Ensure Antimalware Scan Interface (AMSI) is enabled and integrated with a supported antivirus such as Defender Antivirus; if that is not possible, disconnect the server from the internet until it is patched
  • Rotate the SharePoint Server ASP.NET machine keys after patching, then restart IIS on every SharePoint server; spinstall0.aspx steals these keys, and with the old ValidationKey an attacker can keep forging signed requests after the patch
  • Treat a server that was exposed while unpatched as potentially compromised: patching does not remove webshells that were already dropped, so hunt with the IoCs below
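The key rotation and IIS restart from the list above, as an added example of the post-patch steps in Microsoft's guidance; this is not code from the article or from ESET. It assumes you run it in the SharePoint Management Shell as a farm administrator after the security update is installed, that you look up the patched build number for your edition in the July 2025 security update KB, and that you repeat the IIS restart on every server in the farm.

```powershell
# Added example: post-patch remediation for ToolShell (Microsoft guidance), run from the
# SharePoint Management Shell as a farm administrator. Not the article's or ESET's code.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build first: rotating keys on an unpatched server buys nothing, because the
#    exploit can simply steal the new keys. Compare BuildVersion with the build number in the
#    July 2025 security update KB for your edition (assumption: you look that number up).
$farm = Get-SPFarm
"Farm build: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) of every web application,
#    including Central Administration. Anyone who ran spinstall0.aspx already has the old ones.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Update-SPMachineKey -WebApplication $_
    "Rotated machine keys for $($_.Url)"
}

# 3. Load the new keys. Microsoft's guidance is to restart IIS on every SharePoint server
#    after rotation, not only on the one that ran step 2.
iisreset.exe
```

Update-SPMachineKey is the manual form of the farm's Machine Key Rotation timer job; either way, webshells already on disk survive both the patch and the rotation and have to be found and removed separately.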

MITRE ATT&CK techniques observed

  • Initial Access — T1190: Exploit Public‑Facing Application
  • Execution — T1059.003: Windows Command Shell
  • Persistence — T1505.003: Web Shell
  • Collection — T1005: Data from Local System

IoCs (samples)

  • File: spinstall0.aspx — SHA‑1 F5B60A8EAD96703080E73A1F79C3E70FF44DF271 — detected as MSIL/Webshell.JS
  • Multiple attacker IPs active between July 17–22, 2025; see ESET’s GitHub for the complete IoC list
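A file hunt built from the webshell names and the SHA‑1 listed on this page, added here as an example and not part of ESET's write-up or its GitHub IoC repository. It assumes the default SharePoint install paths in $Roots (edit them for a non-default install), that the LAYOUTS folders and IIS virtual directories are where dropped .aspx files land, and that the server is scanned as an administrator; run it on every server in the farm.

```powershell
# Added example: hunt a SharePoint server for the ToolShell webshells named on this page.
# Not ESET's tooling. Assumes the default install paths below; edit $Roots otherwise.
# Run as an administrator on each on-prem SharePoint server (all farm members).

$KnownNames = @(
    'spinstall0.aspx',
    'ghostfile346.aspx', 'ghostfile399.aspx', 'ghostfile807.aspx',
    'ghostfile972.aspx', 'ghostfile913.aspx'
)
# SHA-1 from the IoC list above; name-agnostic, so a renamed copy still matches.
$KnownSha1 = @{
    'F5B60A8EAD96703080E73A1F79C3E70FF44DF271' = 'MSIL/Webshell.JS (spinstall0.aspx)'
}
# Assumption: default 16 hive (SE/2019/2016) plus the IIS virtual directories;
# the 15 hive is included for layouts left over from older installs.
$Roots = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
    'C:\inetpub\wwwroot\wss\VirtualDirectories'
)
$Since = Get-Date '2025-07-17'   # first in-the-wild attempt ESET observed

$Findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
            $why  = @()
            if ($KnownNames -contains $_.Name) { $why += 'known ToolShell webshell name' }
            if ($KnownSha1.ContainsKey($sha1)) { $why += $KnownSha1[$sha1] }
            # LAYOUTS content is normally written at install or patch time; an .aspx created after
            # the campaign began deserves a look even if its name and hash are not on the list.
            # Expect noise from patches applied after July 17; the name and hash hits are the
            # high-confidence rows.
            if ($why.Count -eq 0 -and $_.CreationTime -ge $Since) {
                $why += 'new .aspx since 2025-07-17 (review)'
            }
            if ($why.Count -gt 0) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Created = $_.CreationTime
                    SHA1    = $sha1
                    Reason  = ($why -join '; ')
                }
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object Created | Format-Table -AutoSize
    $Findings | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-toolshell-hunt.csv"
} else {
    'No ToolShell webshell names, hashes, or recently created .aspx files under the scanned roots.'
}
```

A hit on a known name or hash means the server was exploited, not merely targeted: the key-stealing behaviour of spinstall0.aspx means the machine keys must be treated as stolen and rotated, and the IIS logs and process history around the file's creation time are the next place to look.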

Source: WeLiveSecurity
