July 20, 2025

CVE-2025-53770: Critical Zero-Day in Microsoft SharePoint! Guidance for Community Defenders

Image of a computer, the Microsoft Sharepoint logo, and computer bugs.
Image Credit: Canva and Eye Security Research Group, 2025.

ToolShell is a critical zero-day vulnerability (CVE-2025-53770, CVSS 9.8) in Microsoft SharePoint Server that is being actively exploited in large-scale attacks against large organizations.

A variant of the previously patched CVE-2025-49706 (CVSS 6.3), it allows unauthenticated remote code execution (RCE) by abusing how SharePoint deserializes untrusted data. Attackers can execute commands before authenticating, steal cryptographic machine keys, forge trusted payloads, and persist or move laterally while blending into legitimate SharePoint activity, which makes detection and response difficult.

Microsoft Security Response Center published patches for this vulnerability on July 20, 2025. In its advisory, Microsoft credited Viettel Cyber Security, working through Trend Micro’s Zero Day Initiative (ZDI), for discovering and responsibly reporting the flaw.

Executive Summary

Improper authentication in Microsoft SharePoint permits a remote attacker to exploit deserialization vulnerabilities, achieve unauthorized access, and execute arbitrary commands on vulnerable servers.

Affected Versions

ToolShell Attack Chain

Ethically testing /_layouts/SignOut.aspx as a valid Referer to bypass authentication. Image credit: Soroush Dalili, 2025.

An unauthenticated RCE exploit chain in SharePoint was demonstrated to be reproducible using a combination of two bugs presented at Pwn2Own Berlin in May 2025: CVE-2025-49706 and CVE-2025-49704. The attack chain was dubbed ToolShell.

At least 85 servers across 29 organizations, including multinational corporations and government entities, have already been compromised, often via malicious ASPX web shells delivered through PowerShell.

Immediate Actions for Community Defenders

Microsoft and CISA recommend the following critical actions:

  • Upgrade to supported versions of SharePoint Server if running unsupported builds.

  • If using Microsoft SharePoint Server 2016, 2019, or SharePoint Subscription Edition, apply the applicable July 20, 2025 Security Patch from the Microsoft Security Response Center.

  • Ensure Antimalware Scan Interface (AMSI) is enabled and properly configured. If AMSI cannot be enabled, disconnect affected servers from public internet exposure until mitigations are applied according to CISA and vendor guidance.

CVE-2025-53770 Patches available at Microsoft Security Response Center.
Customers using SharePoint Subscription Edition should apply the security update provided in CVE-2025-53771 immediately to mitigate the vulnerability. Source: Microsoft Security Response Center, July 20, 2025.

Detection and Monitoring

Organizations should actively monitor their SharePoint environments for indicators of compromise:

  • File Creation: Look for the creation of spinstall0.aspx in the MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS directory, which indicates successful exploitation, according to Microsoft Security Response Center.
  • Atypical HTTP Requests: Monitor for unusual POST requests targeting /_layouts/15/ToolPane.aspx and HTTP requests with /_layouts/SignOut.aspx in the Referer header, as described by CISA.
  • Suspicious IP Addresses: Scan for connections to the following IP addresses, particularly between July 18 and 19, 2025: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, according to CISA.
  • Hash Indicators: Check for the presence of file hashes that have been identified as indicators of compromise by Palo Alto Networks:
    SHA256: 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030
    SHA256: b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70
    SHA256: fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7

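As an added example (not code from the advisory, Microsoft, CISA or Palo Alto Networks), the following Python script applies the four indicator types listed above to constructed sample data: IIS W3C log lines, file-creation events from the web server, and SHA-256 digests. It goes slightly beyond the list in one place, flagging any HTTP request whose path names a spinstall0 file, on the assumption that a file dropped into the LAYOUTS folder is reachable under /_layouts/15/. Column names follow the default IIS W3C log format; the log rows, host names, folder paths and the benign digest are all constructed for the demonstration.

```python
"""
Added example, not code from the advisory, Microsoft or CISA: an offline
checker that applies the ToolShell indicators listed above to three kinds of
input (IIS W3C log lines, file-creation events and SHA-256 digests).
All sample data below is constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Indicators from the advisory text; the IPs are written without the
# defanging brackets so they compare directly against log fields.
SUSPICIOUS_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
IOC_SHA256 = {
    "4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030",
    "b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70",
    "fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7",
}
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
LAYOUTS_DIR = "micros~1\\webser~1\\16\\template\\layouts"
WEBSHELL_NAME = "spinstall0"


@dataclass
class Finding:
    source: str   # "iis", "file" or "hash"
    reason: str   # which indicator matched
    detail: str   # the offending record, for the analyst


def check_iis_log(lines: Iterable[str]) -> List[Finding]:
    """Scan W3C-format IIS log lines; column names come from the #Fields header."""
    findings: List[Finding] = []
    fields: List[str] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not fields:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed row; a real tool would log it
        rec = dict(zip(fields, parts))
        method = rec.get("cs-method", "")
        path = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "").lower()
        client = rec.get("c-ip", "")
        if method == "POST" and path == TOOLPANE_PATH and SIGNOUT_REFERER in referer:
            findings.append(Finding("iis", "ToolPane POST with SignOut referer", line))
        # Assumption beyond the advisory's list: a file dropped into LAYOUTS is
        # served under /_layouts/15/, so requests for it are worth a look too.
        if WEBSHELL_NAME in path.rsplit("/", 1)[-1]:
            findings.append(Finding("iis", "request for spinstall0 path", line))
        if client in SUSPICIOUS_IPS:
            findings.append(Finding("iis", "request from listed IP", client))
    return findings


def check_file_events(events: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Mirror the hunting query: a spinstall0* file created inside the LAYOUTS folder."""
    findings: List[Finding] = []
    for folder, name in events:
        if LAYOUTS_DIR in folder.lower() and WEBSHELL_NAME in name.lower():
            findings.append(Finding("file", "spinstall0 web shell in LAYOUTS", folder + "\\" + name))
    return findings


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of file content, for feeding check_hashes from disk."""
    return hashlib.sha256(data).hexdigest()


def check_hashes(digests: Dict[str, str]) -> List[Finding]:
    """Compare already-computed SHA-256 digests (file name -> hex) to the IoC list."""
    return [Finding("hash", "SHA256 matches published IoC", f"{name}:{d}")
            for name, d in digests.items() if d.lower() in IOC_SHA256]


# --- constructed sample input (not real telemetry) -------------------------
SAMPLE_IIS_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.20 "
    "Mozilla/5.0 https://sp.example.test/ 200 0 0 120",
    "2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 107.191.58.76 "
    "Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 310",
    "2025-07-18 14:03:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 "
    "Mozilla/5.0 - 200 0 0 45",
]
SAMPLE_FILE_EVENTS = [
    ("C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS", "spinstall0.aspx"),
    ("C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS", "default.aspx"),
    ("C:\\inetpub\\temp", "spinstall0.aspx"),
]
SAMPLE_DIGESTS = {
    # constructed match: reuses one of the published IoC digests
    "spinstall0.aspx": "4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030",
    # constructed benign file
    "default.aspx": sha256_of(b'<%@ Page Language="C#" %>'),
}


def run_all() -> List[Finding]:
    return (check_iis_log(SAMPLE_IIS_LOG)
            + check_file_events(SAMPLE_FILE_EVENTS)
            + check_hashes(SAMPLE_DIGESTS))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

Against the sample data the script raises six findings: the ToolPane POST, two requests from a listed IP, the request for the spinstall0 path, the file created in LAYOUTS, and the matching digest. The file check deliberately requires both the LAYOUTS folder and the spinstall0 name, as the Microsoft hunting query does, so the copy in C:\inetpub\temp is not reported; an analyst who wants broader coverage can relax that condition.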
Advanced Hunting Queries

Microsoft has provided sample queries for advanced hunting in Microsoft 365 Defender to detect exploitation activity:

    DeviceFileEvents
    | where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
    | where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
    | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
    | order by Timestamp desc

This query identifies the creation of the spinstall0.aspx file, a known indicator of exploitation, according to Microsoft Security Response Center.

CISA also provides the following recommendations:

  • BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog, a dynamic list of Common Vulnerabilities and Exposures (CVEs) that pose significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate listed vulnerabilities by their specified due dates to protect FCEB networks from active threats.

  • Update intrusion prevention and web application firewall rules to block exploit patterns and anomalous behavior. See CISA’s SIEM and SOAR implementation guidance.

  • Implement comprehensive logging and monitoring as recommended in CISA’s Best Practices for Event Logging and Threat Detection.

Why This Matters

Scale of SharePoint instances seen on July 18, 2025 (no vulnerability analysis performed). Source: Shadowserver, 2025.
Distribution of exposed SharePoint instances attributed to IoT devices, by country, as observed on July 18, 2025. This depicts exposure patterns and should be interpreted separately from a vulnerability analysis. Source: Shadowserver, 2025.

For many organizations, SharePoint is a critical platform for collaboration and document management that supports employees, partners, and clients. This vulnerability jeopardizes the confidentiality, integrity, and availability of this trusted information system used by communities and organizations across the globe.

Additional Resources

We encourage technology leaders, security professionals, and researchers to review these materials and coordinate prompt defensive actions in their respective environments.

Prepared by a student researcher at the Center for Information Systems and Technology, Claremont Graduate University as part of ICDC’s commitment to advancing cybersecurity awareness and resilience for our community.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation.
