ToolShell SharePoint Exploit
It’s a little ironic that I just wrote about the importance of keeping your Windows machines patched, and shortly afterwards, a new zero-day hit SharePoint. The “ToolShell” exploit chain was first demonstrated at Pwn2Own Berlin 2025 in May 2025, and now it’s out in the wild. Here’s what you need to know, and do, to protect your network.
What is ToolShell?
If you remember the Exchange “ProxyShell” attacks from a few years ago, this pattern will sound familiar: ToolShell is actually a chain of exploits that allow attackers to run their own code on target systems without authentication. Remote code execution (RCE) vulnerabilities are among the most serious.
ToolShell works by combining multiple exploits. First is CVE-2025-49706, a spoofing flaw that allows an attacker to evade authentication by sending HTTP requests containing forged Referer headers. Second is CVE-2025-49704, which permits arbitrary command execution via unsafe deserialization processes.
But wait! There’s more! Attackers are actually using two other attacks: CVE-2025-53770 is a variation of CVE-2025-49704 that’s been used to compromise “more than 75 organizations” (according to Microsoft) across federal and state government agencies, energy sector companies, and academic institutions. CVE-2025-53771 is yet another variant that doesn’t seem to be in active use yet.
In this context, when Microsoft refers to “attackers,” they mean “two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon” that are actively mounting attacks, plus “another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware.”
All of these security flaws impact SharePoint Server 2016, 2019, and Subscription Edition installations hosted on-premises. Microsoft says that SharePoint Online isn’t affected, although they have not said if that’s because of patching or other remediation.
The Attack and Its Indicators
The threat actors are using the ToolShell vulnerability to drop a malicious script, spinstall0.aspx, that opens a web shell. They are then using that web shell to steal the ASP.NET MachineKey, which is really bad: with that key, an attacker can impersonate the SharePoint server, and that in turn can be used to move laterally through the network.
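As an added hunting check, not part of the original post, here is a PowerShell sweep of a SharePoint server's hive directories for the spinstall0.aspx file named above and for any other recently written .aspx pages near it; the hive paths and the 14-day look-back window are assumptions about a default install.

```powershell
# Added example (not from the original post): look for the spinstall0.aspx web shell
# on a SharePoint server. Hive paths below are the assumed default locations.
$hives = @(
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15",
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16"
)
$indicator    = 'spinstall0.aspx'
$lookbackDays = 14   # assumed hunting window; widen it if the server was exposed longer
$since        = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays)

$findings = foreach ($hive in $hives) {
    if (-not (Test-Path -LiteralPath $hive)) { continue }

    # Every .aspx under the hive; legitimate pages are old, so creation time is a useful filter
    Get-ChildItem -LiteralPath $hive -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $indicator -or $_.CreationTimeUtc -gt $since } |
        ForEach-Object {
            $match = if ($_.Name -ieq $indicator) { 'known-indicator' } else { 'recent-aspx' }
            [pscustomobject]@{
                Path       = $_.FullName
                Match      = $match
                CreatedUtc = $_.CreationTimeUtc
                Owner      = (Get-Acl -LiteralPath $_.FullName).Owner
                Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object Match, CreatedUtc | Format-Table -AutoSize
    # A 'known-indicator' hit means the web shell was planted. As the post explains, assume
    # the ASP.NET MachineKey has been read, so treat the server as compromised and follow
    # Microsoft's remediation guidance rather than only deleting the file.
} else {
    "No $indicator or .aspx files created since $since found under the SharePoint hives."
}
```

Run it in an elevated session on each on-premises SharePoint front end; 'recent-aspx' rows need manual review, since a legitimate patch can also write new pages into the hive.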
Patch Immediately
Microsoft released comprehensive security updates for SharePoint Server 2019 and Subscription Edition on July 20, 2025, with patches for SharePoint 2016 following on July 22. These updates address CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, and CVE-2025-49706, providing more robust protections than the earlier fixes. Administrators must prioritize applying these cumulative updates to all supported SharePoint versions. For organizations unable to patch immediately, Microsoft recommends enabling the Antimalware Scan Interface (AMSI), which has been integrated by default since the September 2023 update for SharePoint Server 2016/2019 and Version 23H2 for Subscription Edition. Deploying Microsoft Defender Antivirus on all SharePoint servers can further block unauthenticated exploitation attempts.