SharePoint Exploit Chain: ToolPane Attack

Why do we care ?

Because SharePoint sits at the centre of many organisations’ Microsoft ecosystems - hosting sensitive documents, workflows, and authentication tokens - an attacker who breaches it gains an instant bridgehead inside the network. Compromise often yields domain credentials, stored files, and the ability to run code as the web-app service account, which can pivot to Domain Admin or launch ransomware. In short, successful exploitation is not just a “website defacement” risk; it’s a fast-track to data theft, lateral movement, and full environment takeover - making rapid patching and hardening critical.

Quick Action Points

Microsoft has released security updates for all affected SharePoint versions. Organisations are strongly urged to apply these patches immediately. In addition to patching, Microsoft and CISA recommend the following mitigations:

Enable Antimalware Scan Interface (AMSI) integration for SharePoint.
Deploy Microsoft Defender for Endpoint or an equivalent endpoint detection and response (EDR) solution.
Rotate ASP.NET machine keys.
Isolate public-facing SharePoint servers until they can be patched and secured.

Given the active and widespread exploitation of these vulnerabilities, organisations with on-premises SharePoint deployments are at immediate risk and should prioritise these mitigation and remediation efforts.

Active Exploit Activity (Updated 4th August 2025)

July 2025: "ToolShell" Exploit Chain and Active Exploitation

In July 2025, a critical series of vulnerabilities in on-premises Microsoft SharePoint Servers came under active and widespread exploitation. The initial attack, dubbed "ToolShell," chains together two vulnerabilities discovered at the Pwn2Own Berlin competition in May 2025:

CVE-2025-49706: An authentication bypass vulnerability in SharePoint's ToolPane.aspx.
CVE-2025-49704: A code injection vulnerability allowing an attacker with Site Owner privileges to execute arbitrary code.

This exploit chain allows unauthenticated attackers to achieve remote code execution (RCE) on vulnerable SharePoint servers.

Zero-Day Exploitation and New Vulnerabilities

Shortly after Microsoft released patches for the initial "ToolShell" vulnerabilities, a new zero-day vulnerability, CVE-2025-53770, was discovered being actively exploited in the wild. This vulnerability, a variant of CVE-2025-49704, is a critical deserialization of untrusted data flaw with a CVSS score of 9.8, allowing unauthenticated RCE. A related bypass vulnerability, CVE-2025-53771 (a bypass for CVE-2025-49706), was also disclosed.

Threat Actors and Campaigns

Multiple threat actors have been observed exploiting these vulnerabilities:

Nation-State Actors: Microsoft has attributed the initial wave of attacks to two Chinese nation-state actors, Linen Typhoon and Violet Typhoon. These groups were observed engaging in espionage and reconnaissance activities as early as July 7, 2025.
Ransomware Groups: A previously unknown hacking group has been observed deploying 4L4MD4R ransomware, a variant of the open-source Mauri870 ransomware, against vulnerable SharePoint servers. Another China-based actor, Storm-2603, has been observed deploying Warlock and Lockbit ransomware. This indicates that the vulnerabilities are being exploited by both state-sponsored and financially motivated actors.

Impact and Scale of Attacks

The "ToolShell" exploit and the subsequent zero-day have been used in a large-scale campaign affecting organisations globally, including government entities, schools, healthcare providers, and large enterprises. Attackers have been observed stealing cryptographic keys, deploying web shells for persistent access, and executing commands to move laterally within compromised networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity of the threat.

Snapshot (25 July 2025)

What the exploit is

“ToolPane/ToolShell” is an unauthenticated remote-code-execution chain that:

Bypasses authentication (CVE-2025-49706 / 53771) using a crafted request to pages such as ToolPane.aspx/.
Uploads a compressed .NET DataSet blob via the hidden field MSOTlPn_DWP, abusing the ExcelDataSet control (CVE-2025-49704 / 53770).
Deserialises the blob inside w3wp.exe, spawning PowerShell, MSBuild or rundll32 to drop web-shells.
Extracts the server’s MachineKey, letting the attacker mint valid ViewState payloads for persistence and lateral movement.

Microsoft shipped emergency patches on 19-20 July, but the vulnerability had been exploited in the wild since at least 18 July.

How widespread is it ?

Metric (as of 25 Jul 2025)	Latest public estimate
Confirmed victim organisations	≈ 400 (gov, energy, education, finance, Source Toms Guide)
Internet-reachable SharePoint services still exposing the vulnerable pages	≈ 235,000 (Source zscaler)
Distinct companies with at-risk servers (based on Censys scans)	\> 10 000 - bulk in US, NL, UK, CA (Source 9to5mac)
CVEs added to CISA’s KEV catalogue (proof of active exploitation)	CVE-2025-49704 & 49706 on 22 Jul; CVE-2025-53770 on 20 Jul

Are unpatched servers still out there?

Daily telemetry from Censys and GreyNoise shows steady scanning traffic for ToolPane.aspx and ComponentPicker.aspx, and Zscaler reports “tens of thousands of vulnerable services still online” despite the patch’s availability. With public proof-of-concept code circulating, opportunistic actors are mass-exploiting any stragglers they find.

CVE List

CVE ID	Patch / Advisory first published
CVE-2025-49704 – SharePoint RCE	8 July 2025 (Microsoft Patch Tuesday bundle)
CVE-2025-49706 – SharePoint authentication bypass	8 July 2025
CVE-2025-53770 – SharePoint deserialization RCE (patch-bypass of 49704)	19 July 2025 (MSRC out-of-band guidance)
CVE-2025-53771 – SharePoint auth-bypass variant (patch-bypass of 49706)	20 July 2025 (Microsoft / NVD publication)
Widespread exploitation began on 2025‑07‑18 and hit government, finance, and manufacturing servers worldwide.

Note: NVD records for CVE-2025-49704 and CVE-2025-49706 were added on 22 July 2025, but the vulnerabilities were originally disclosed and patched in the regular July 8 Patch Tuesday release, so the earlier Microsoft dates are shown above for defender context.

Attack Stages

Stage	What attackers may do	Defender touch-points
1 Recon & Scan	Scan ToolPane.aspx and ToolPane.aspx/ (bypasses naïve filters); probe ComponentPicker.aspx with spoofed Referer /_layouts/SignOut.aspx	Hunt any request to editing pages ending .aspx/; cluster by ASN / JA3 to prioritise blocking
2 Auth Bypass	Exploit CVE-2025-49706 (July-8 patch bypassed with extra “/”); abuse allow-list logic in CVE-2025-53771	Patch both 49706 & 53771; alert on HTTP 302→200 bursts with spoofed referrers
3 Payload Upload	Hidden fields MSOTlPn_DWP or __REQUESTPAYLOAD carry Base64/Deflate DataSet; abuse ExcelDataSet → CompressedDataTable (CVE-2025-49704)	Flag POST bodies > 20 kB to any .aspx in /LAYOUTS; decode payloads containing CompressedDataTable= or high entropy
4 Code Execution	w3wp.exe spawns powershell -EncodedCommand, MSBuild.exe /quiet, rundll32, or inline Roslyn C#	Alert on w3wp.exe spawning PowerShell / MSBuild / rundll32; enable AMSI “Full Mode”
5 Web-shell / Implant	Drops spinstall.aspx, spworker.aspx, or fake .gif; may add IIS modules or scheduled tasks	Hash-compare /TEMPLATE/LAYOUTS, /App_GlobalResources, bin, vtibin against a clean image
6 Persistence & Lateral Move	Stolen MachineKey lets attackers mint ViewState payloads; creates local admins, malicious GPOs, PsExec / WMI hops	Rotate MachineKeys twice (pre- & post-reboot); monitor PsExec, WMI, SMB for lateral movement

Mitigation checklist - “ToolShell” findings

Patch immediately to the July 20 2025 cumulative (Microsoft.SharePoint.dll ≥ 16.0.10417.20037).
Run the SharePoint Products Configuration Wizard (or PSConfig) after installing any July 8 updates; this is required to mark ExcelDataSet as unsafe and fully close CVE‑2025‑49704.
Assume compromise if exposed pre‑patch:
1. Take server offline & update.
2. Rotate MachineKeys → IISRESET /STOP → reboot → rotate again.
Log & IOC sweep:
- Requests to ToolPane.aspx/, ComponentPicker.aspx, spoofed Referer headers.
- Large / high‑entropy payloads in MSOTlPn_DWP, __VIEWSTATE, __REQUESTPAYLOAD.
- New .aspx / .gif named spinstall, spworker, debug_dev, diag, etc.
Hardening:
- Enable AMSI Full Mode and an EDR with behaviour detection (e.g. verdicts like PDM:Exploit.Win32.Generic).
- Place a WAF in front of SharePoint; block editing endpoints unless truly required.
- Restrict outbound internet from SharePoint servers.
Persistence hunt:
- Scheduled tasks named “Update‑SharePoint”, “Diag‑Service”, etc.
- Unexpected IIS modules/handlers in applicationHost.config.
- New local or domain admins created after 2025‑07‑08.
If ransomware or data theft is suspected: engage IR, rotate all SQL / service‑account / certificate secrets and rebuild from a trusted image.

Reference	Notes
Microsoft Security Update Guide – July 2025 Patch Tuesday roll-up	Canonical patch metadata: affected versions, DLL build numbers, CVSS, exploitability index.
MSRC Blog – “Customer guidance for SharePoint vulnerability CVE-2025-53770”	Step-by-step remediation, machine-key rotation, Defender/MDE alert names, revision log.
Securelist – “ToolShell: a story of five vulnerabilities in Microsoft SharePoint”	Deep technical walkthrough of the payload chain and variant analysis of all five CVEs.
SANS ISC Diary – “Analyzing SharePoint Exploits (CVE-2025-53770/53771)”	Honeypot logs, decoded payload samples, quick-triage tips for spotting spinstall*.aspx artefacts.
CISA Alert – “CISA adds CVE-2025-53770 ‘ToolShell’ to KEV Catalog”	Confirms active exploitation, sets U.S. federal remediation deadline, links extra mitigations.
https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/	Unit42 investigation into ToolShell exploitation revealed the deployment of ransomware

SharePoint “ToolPane / ToolShell” Exploit Chain

Table of contents