ToolShell: Critical SharePoint Zero‑Day RCE in Active Exploitation


🚨 Overview

A critical zero‑day Remote Code Execution (RCE) vulnerability in on‑premises Microsoft SharePoint Server—tracked as CVE‑2025‑53770 (with a related CVE‑2025‑53771)—is being actively exploited worldwide. The attack chain, dubbed ToolShell, allows unauthenticated attackers to execute code, deploy stealth web shells, and steal MachineKey secrets, compromising entire environments.


🔍 Technical Deep Dive

[Figure: SharePoint RCE, ToolShell Exploit]

  1. Root Cause

    • A deserialization flaw in SharePoint’s __VIEWSTATE handling enables unauthenticated RCE (CVSS 9.8—network, no privileges, no user interaction).

    • Exploitation leverages the /_layouts/15/ToolPane.aspx?DisplayMode=Edit endpoint to drop malicious payloads.

  2. Attack Chain (“ToolShell”)

    • Step 1: Attacker sends a crafted POST request to ToolPane.aspx?DisplayMode=Edit.

    • Step 2: A stealth web shell (e.g., spinstall0.aspx) is uploaded into the SharePoint layouts directory.

    • Step 3: The web shell extracts the server’s ASP.NET MachineKey, enabling forged __VIEWSTATE payloads for persistence.

  3. Persistence & Evasion

    • Stolen MachineKey allows attackers to sign valid state objects and evade standard verification checks.

    • Even after patching, a stolen MachineKey remains valid until it is rotated, so attackers can keep forging signed __VIEWSTATE payloads against the patched server.


🌍 Real‑World Impact

  • Timeline: First in‑the‑wild exploitation from July 18–20, 2025.

  • Scope: Dozens to over 75 organizations across sectors (education, government, finance).

  • Regulatory Response: Added to CISA’s Known Exploited Vulnerabilities list; U.S. federal agencies mandated to patch by July 21, 2025.


🛡️ Mitigation & Response

Microsoft Emergency Guidance

  • Patches Released For:

    • SharePoint Server 2019

    • SharePoint Server Subscription Edition

    • (SharePoint 2016 patch pending)

  • Immediate Actions:

    1. Enable AMSI integration and deploy Microsoft Defender AV on all SharePoint servers.

    2. Deploy Defender for Endpoint or equivalent EDR solution.

    3. Rotate ASP.NET MachineKeys post‑patch and restart IIS.

CISA Recommendations

  • Disconnect public‑facing SharePoint servers if AMSI/EDR cannot be enabled immediately.

  • Monitor IIS logs for POSTs to ToolPane.aspx?DisplayMode=Edit.

  • Block known attacker IP ranges observed during the July 18–19 exploitation window.


🔍 Hunting & Indicators of Compromise (IOCs)

| IOC Type | Details |
| --- | --- |
| Web Shell Filename | spinstall0.aspx inside …\LAYOUTS\15\ |
| Suspicious Requests | POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit |
| Malicious Referrer | Abnormal Referer: _layouts/SignOut.aspx headers |
| Example IPs | 96.9.125.147 · 107.191.58.76 · 104.238.159.149 |
| Defender Alerts | Exploit:Script/SuspSignoutReq.A · Trojan:Win32/HijackSharePointServer.A |
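To turn the IIS-log monitoring recommendation and the IOC table above into a repeatable hunt, here is an added Python example (not from the original post, Microsoft or CISA) that parses W3C-format IIS logs and flags the ToolShell indicators. The log excerpt and the 10.x internal addresses are constructed; the column order is taken from the log's own #Fields directive rather than assumed.

```python
import re
from typing import Dict, Iterator, List
# Example IPs from the IOC table above; illustrative only, use a current feed.
KNOWN_IPS = {"96.9.125.147", "107.191.58.76", "104.238.159.149"}

# Constructed IIS W3C log excerpt (not real traffic). The '#Fields:' directive
# names the columns, as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:03 GET /_layouts/15/start.aspx - 10.0.0.5 Mozilla/5.0 - 200
2025-07-19 02:12:44 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 02:12:51 GET /_layouts/15/spinstall0.aspx - 107.191.58.76 Mozilla/5.0 - 200
2025-07-19 02:15:10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.9 Mozilla/5.0 /sites/hr/_layouts/15/start.aspx 200
"""

def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line of a W3C-format IIS log. Column names
    come from '#Fields:', so the parser follows the server's logging config."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split(" ")))

def hunt_toolshell(text: str) -> List[Dict[str, object]]:
    """Flag requests matching the ToolShell indicators listed above. A hit with
    a single reason (e.g. an internal POST to ToolPane.aspx) needs triage;
    several reasons from one client IP is much stronger evidence."""
    findings: List[Dict[str, object]] = []
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "").lower()
        referer = rec.get("cs(Referer)", "").lower()
        ip = rec.get("c-ip", "")
        reasons = []
        if (rec.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx")
                and re.search(r"(^|&)displaymode=edit(&|$)", rec.get("cs-uri-query", ""), re.I)):
            reasons.append("POST ToolPane.aspx?DisplayMode=Edit")
            if "signout.aspx" in referer:
                reasons.append("Referer _layouts/SignOut.aspx")
        if stem.endswith("/spinstall0.aspx"):
            reasons.append("request for spinstall0.aspx web shell")
        if ip in KNOWN_IPS:
            reasons.append("known attacker IP from IOC table")
        if reasons:
            findings.append({"time": rec["date"] + " " + rec["time"], "ip": ip, "reasons": reasons})
    return findings
```

Legitimate page editing also POSTs to ToolPane.aspx with DisplayMode=Edit, so a single-reason hit is a triage lead, not a verdict; the SignOut.aspx referer, a follow-on request for spinstall0.aspx, or a known source IP on the same client is what raises confidence.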

🚨 Immediate Action Plan

  1. Apply Emergency Patches

    • Install today on all affected SharePoint versions.

  2. Enable/Deploy AMSI & Defender

    • Or isolate servers until protection is in place.

  3. Rotate MachineKeys

    • Generate new keys and restart IIS to invalidate old ones.

  4. Deploy EDR & Hunt for IOCs

    • Use the table above to guide log searches and alerts.

  5. Update Network Defenses

    • Block attacker IPs and tighten WAF/IPS rules.

✅ Conclusion

ToolShell represents a zero‑minute vulnerability scenario: exploitation began just as emergency patches were released. If you manage on‑prem SharePoint, act now—patch, enable protections, rotate keys, and hunt for any signs of compromise.


Written by

FPT Metrodata Indonesia

PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.