ToolShell Update: One Week After Applying the Security Patches

An Exploit Built in Multiple Stages Raises Concerns About ToolShell

Was ToolShell giving attackers not just a single advantage, but a double one? The specific nature of this attack targeting on-premises SharePoint servers makes such a scenario plausible, and the chronological sequence of events seems to support this hypothesis.

A Multi-Phase Attack Strategy

Let’s revisit the timeline, starting on May 16, 2025. At the Pwn2Own cybersecurity conference, a security researcher demonstrated that SharePoint could be compromised by chaining two separate vulnerabilities.

One of these vulnerabilities, later assigned CVE-2025-49706, allows an attacker to bypass authentication on ToolPane. This endpoint, designed for site configuration and management, inspects the Referer header in incoming requests. If the Referer points to the default SignOut.aspx URL—which indicates a user has just logged out—the system assumes the session has ended properly and grants access by setting AllowAnonymous to “true”.

The second vulnerability, now identified as CVE-2025-49704, resides within the DataSetSurrogateSelector class. This component is responsible for filtering allowed data types during the deserialization of DataSet objects, which SharePoint uses extensively for storing configurations. Unfortunately, its processing logic isn’t sufficiently strict, permitting the injection of malicious, yet seemingly valid, data types. Exploiting this flaw enables attackers to execute arbitrary commands, upload malicious payloads, or access sensitive files.

From Quick Fixes to Rapid Circumvention

On July 9, Microsoft released patches addressing these vulnerabilities. The researcher who uncovered the exploit named it ToolShell, referencing the ToolPane component. However, proof-of-concept tools appeared shortly after, around July 14, intensifying the urgency of deploying the patches.

Despite the updates, the fixes proved inadequate. By July 19, evidence emerged that attackers were actively exploiting variations of both CVE-2025-49706 and CVE-2025-49704. Specifically, the original CVE-2025-49706 flaw was being exploited via a new vector, dubbed CVE-2025-53771. While the initial patch restricted direct access to ToolPane, attackers bypassed it simply by appending additional URL parameters.

Similarly, CVE-2025-49704’s exploit had a counterpart called CVE-2025-53770, leveraging the same method but targeting a different vulnerable endpoint. Patches for these variants were rolled out by July 20 for SharePoint Server 2019, and on July 21 for SharePoint Server 2016.

The Emergence of Ransomware Activities

Microsoft reports that exploitation of CVE-2025-53770 began at least as early as July 7, before the official patches became available. Microsoft links the ToolShell activity to two Chinese state-affiliated actors, Linen Typhoon and Violet Typhoon, and, with moderate confidence, to a third group called Storm-2603, which is potentially operating domestically.

Linen Typhoon, active since 2012, is notorious for intellectual property theft and typically relies on drive-by compromises. Its primary targets include government agencies, defense sectors, and human rights organizations.

Violet Typhoon, active since at least 2015, has run espionage campaigns against former government and military personnel, NGOs, think tanks, and media outlets; its recent activity also extends to financial institutions, healthcare, and higher education.

Storm-2603, historically known for deploying ransomware such as LockBit and Warlock, appears to have resumed its operations via ToolShell since July 18, when large-scale exploitation began.

Exploitation Techniques: Webshells or Not?

Sophos confirms that exploitation activity started on July 18 but also notes detection of earlier signs, including activity against a Middle Eastern client on July 17. Currently, around 84 targeted organizations across 21 countries are identified.

SentinelOne detected initial exploitation attempts on July 17. The majority of victims operate within IT consulting, manufacturing, critical infrastructure, and professional engineering services.

Between July 18 and 19, two waves of attacks were observed. These primarily relied on a constrained ASPX webshell, named spinstall0.aspx or a close variant, that authenticated its operator with cookies and SHA512 hashes and was designed to exfiltrate the server's cryptographic keys.

Prior to these, a more sophisticated activity cluster was detected, operating without persistent webshells by executing .NET modules directly in memory.

ToolShell is engineered to function without requiring a webshell. It abuses the ViewState mechanism, which is intended to preserve UI component state between page loads. Once attackers hold the server's cryptographic keys, specifically the ValidationKey and DecryptionKey, they can craft a malicious ViewState that the server decrypts, accepts as valid and deserializes, executing the embedded code. A single HTTP request is sufficient to trigger this attack.

Securing these keys is crucial: once they are compromised, they provide persistent access regardless of which patches have been applied. Rotating these keys immediately (revoking the exposed ones and generating new ones) is strongly recommended.

While SharePoint Server 2010 and 2013 are also vulnerable, Microsoft has not announced patches for these versions. The recommended interim measure is to block all requests targeting ToolPane, and to monitor the LAYOUTS directory, which attackers often exploit to deliver webshells and malware.

Thousands of Targets, Hundreds of Victims?

Security firm Palo Alto Networks reports three primary attack vectors. One involves PowerShell commands that read the web.config files, which contain the cryptographic keys, and write their contents into a debug_dev.js file. The other two use the IIS worker process, w3wp.exe, to create webshells aimed at exfiltrating the keys.
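As an added, defender-side illustration that is not part of the original article, the Python below scans constructed IIS W3C-style log lines for the two indicators the article describes: ToolPane requests carrying a SignOut.aspx Referer (the CVE-2025-49706 pattern, matched on the path alone so the appended parameters of the CVE-2025-53771 bypass do not matter) and requests for the spinstall0.aspx webshell or the debug_dev.js key dump served from the LAYOUTS directory. The log field order and all sample entries are assumptions constructed for the example.

```python
import re

# Constructed IIS W3C-style log lines for illustration (not real telemetry). Field order:
# date time s-ip method uri-stem uri-query port username client-ip user-agent referer status
SAMPLE_LOG = [
    "2025-07-18 10:01:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&x=1 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200",
    "2025-07-18 10:01:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200",
    "2025-07-18 10:02:00 10.0.0.5 GET /_layouts/15/debug_dev.js - 443 - 203.0.113.7 Mozilla/5.0 - 200",
    "2025-07-18 10:05:00 10.0.0.5 GET /sites/hr/Pages/Home.aspx - 443 CONTOSO\\jdoe 10.0.0.42 Mozilla/5.0 https://sp.example/sites/hr 200",
    "2025-07-18 10:06:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.43 Mozilla/5.0 https://sp.example/sites/hr/_layouts/15/settings.aspx 200",
]

FIELDS = ["date", "time", "s_ip", "method", "stem", "query", "port",
          "user", "c_ip", "ua", "referer", "status"]

# Artefact names reported in the campaign (spinstall0.aspx webshell, debug_dev.js key dump);
# extend the set with whatever your own incident response turns up.
WATCHED_LAYOUTS_FILES = {"spinstall0.aspx", "debug_dev.js"}
SIGNOUT_REFERER = re.compile(r"/signout\.aspx(\?|$)")

def parse_w3c(line):
    """Split one W3C log line into a dict; None for lines with an unexpected field count."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(entry):
    """Return an indicator name if the request matches a ToolShell pattern, else None."""
    stem = entry["stem"].lower()
    referer = entry["referer"].lower()
    # Rule 1: ToolPane reached with a Referer claiming the user just signed out
    # (CVE-2025-49706). The query string is ignored, so the extra URL parameters
    # used to get past the first patch (CVE-2025-53771) do not change the verdict.
    if "toolpane.aspx" in stem and SIGNOUT_REFERER.search(referer):
        return "toolpane-signout-referer"
    # Rule 2: a known webshell or key-dump artefact served out of the LAYOUTS directory.
    if "/_layouts/" in stem and stem.rsplit("/", 1)[-1] in WATCHED_LAYOUTS_FILES:
        return "layouts-artefact-request"
    return None

def scan(lines):
    """Return (line_no, indicator, client_ip, uri_stem) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        entry = parse_w3c(line)
        indicator = classify(entry) if entry else None
        if indicator:
            hits.append((n, indicator, entry["c_ip"], entry["stem"]))
    return hits
```

`scan(SAMPLE_LOG)` flags the first three constructed entries and leaves the two authenticated requests with ordinary Referers alone, including the legitimate administrator's ToolPane request.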

Similar to Microsoft, Check Point indicates that exploitation attempts for CVE-2025-53770 commenced on July 7, targeting a major Western government entity. As of now, roughly 4,600 attack attempts have been recorded against around 300 organizations. The most targeted sectors include finance (19%), government (14%), business services (12%), and telecommunications (10%). Geographically, most attacks originate from the United States (35%), followed by the UK, France, Italy, Portugal, and Germany.

Eye Security, the first to spot the large-scale campaigns, reports four distinct attack waves impacting over 400 systems.

In the United States, victims appear to include key agencies such as the Department of Homeland Security (DHS), the National Nuclear Security Administration (NNSA), and the National Institutes of Health (NIH). At least one NIH server suspected of compromise is linked to human resources. Other targets include the Department of Education and local authorities in Florida and Rhode Island.

Abuse of Legitimate Services Such as IIS and WMI

Once initial access is gained, attackers frequently run the “whoami” command to identify user privileges. They also manipulate services.exe to disable Windows Defender by editing the registry. IIS is sometimes configured to load malicious .NET modules, creating persistence in tandem with webshells or scheduled tasks.

Depending on the attack method, the webshell may utilize HTTP/cURL or socket/DNS techniques. Researchers have also identified tools like SharpHostInfo.x64.exe, used to gather host information via NetBIOS, SMB, and WMI. WMI itself is exploited to execute remote commands without writing to disk, typically through tools from the Impacket toolkit. The deployment of Warlock malware relies on GPO modifications.

In addition to applying patches, organizations should verify that the Antimalware Scan Interface (AMSI) is enabled in full mode, which has been the default for SharePoint Server 2016 and 2019 since the September 2023 security updates, and for cloud-hosted environments since the 23H2 feature update.

If AMSI cannot be activated immediately, disconnecting the server from the internet is advised until the patch is deployed. If disconnection isn’t feasible, employing VPNs, proxies, or gateway authentication layers can serve as additional layers of defense.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.