A sophisticated cyberattack campaign, known as ToolShell, is actively targeting Microsoft SharePoint servers, posing a significant risk to organizations worldwide. This multi-stage exploit chain combines previously patched vulnerabilities with newly discovered zero-day exploits, enabling attackers to achieve complete system compromise. The affected versions include SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Key Takeaways:
1. ToolShell exploits four SharePoint vulnerabilities (two previously patched and two zero-day) to gain full system control.
2. The attack deploys advanced web shells for remote command execution and theft of cryptographic keys.
3. Immediate patching and implementation of detection systems are crucial to block active attacks.
Vulnerability Chain Targets SharePoint Infrastructure
The ToolShell campaign leverages a combination of four Common Vulnerabilities and Exposures (CVEs) to establish remote code execution capabilities:
– CVE-2025-49704 and CVE-2025-49706: Previously patched vulnerabilities.
– CVE-2025-53770 and CVE-2025-53771: Newly discovered zero-day variants.
The Cybersecurity and Infrastructure Security Agency (CISA) has added these CVEs to its Known Exploited Vulnerabilities catalog, underscoring the severity of this threat.
Attack Methodology
The attack typically begins with initial reconnaissance, where attackers use simple CURL and PowerShell commands to probe target systems and extract system information. This phase allows threat actors to fingerprint target environments before deploying more sophisticated payloads.
The exploitation often starts with the spinstall0.aspx endpoint, enabling attackers to upload configuration data to remote servers. This approach facilitates the deployment of malicious components without triggering immediate detection.
Malicious Components Deployed
The ToolShell campaign deploys two primary malicious components:
1. GhostWebShell: A highly sophisticated ASP.NET web shell designed for persistent remote access. It embeds a Base64-encoded ASP.NET page that exposes a ?cmd= parameter, allowing attackers to execute arbitrary system commands through cmd.exe /c
2. KeySiphon: A reconnaissance tool that captures comprehensive system intelligence. It collects critical information, including logical drive configurations, machine specifications, CPU core counts, system uptime, and operating system details. Most concerning, KeySiphon extracts application validation and decryption keys through the System.Web namespace, specifically invoking MachineKeySection.GetApplicationConfig() to expose cryptographic secrets. This enables authentication token forgery and ViewState manipulation, granting attackers the ability to impersonate legitimate users and maintain persistent access.
Immediate Actions Required
Organizations should take the following steps to mitigate the risk posed by the ToolShell exploit:
– Apply Available Patches: Microsoft has released patches for SharePoint Server 2019 and the SharePoint Subscription Edition. Administrators are urged to apply these updates immediately. For SharePoint Server 2016, Microsoft is working on a solution, and organizations should monitor for updates.
– Implement Layered Detection Strategies: Combine network monitoring, endpoint protection, and comprehensive log analysis to detect and respond to potential intrusions.
– Harden SharePoint Infrastructure: Prioritize the hardening of SharePoint infrastructure by implementing additional access controls and ensuring proper configuration of security features.
– Monitor for Indicators of Compromise (IOCs): Be vigilant for signs of compromise, such as unexpected system behavior or unauthorized access attempts.
Conclusion
The ToolShell exploit chain represents a critical threat to organizations utilizing Microsoft SharePoint servers. By exploiting a combination of previously patched and zero-day vulnerabilities, attackers can achieve complete system compromise, deploy persistent backdoors, and steal sensitive information. Immediate action is required to apply patches, implement robust detection mechanisms, and harden SharePoint infrastructure to mitigate this evolving threat.
