In early July 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a critical analysis detailing a sophisticated cyberattack campaign known as ToolShell. This campaign specifically targets on-premises Microsoft SharePoint servers by exploiting two newly identified vulnerabilities:
– CVE-2025-49706: A network spoofing vulnerability.
– CVE-2025-49704: A remote code execution (RCE) flaw.
By leveraging these vulnerabilities, attackers can gain unauthorized access to SharePoint servers and deploy stealthy web shells, enabling persistent control over compromised systems.
Attack Methodology:
The initial phase of the ToolShell attack involves sending a specially crafted request to SharePoint’s editing interface. This request targets the endpoint `/_layouts/15/ToolPane.aspx?DisplayMode=Edit`, effectively bypassing authentication mechanisms. Once access is obtained, the attacker installs a malicious ASPX payload, granting them a foothold within the server.
Subsequently, the attacker utilizes a DLL-based machine key extractor, encoded in Base64, to harvest cryptographic secrets from the ASP.NET configuration. These extracted keys are then exfiltrated by injecting a custom HTTP header named `X-TXT-NET` into server responses. This technique allows attackers to remotely decrypt protected ViewState and cookie values, facilitating further exploitation.
Detection and Indicators of Compromise (IOCs):
CISA has provided specific detection signatures to help organizations identify potential infections. Key indicators include:
– Presence of the custom HTTP header `X-TXT-NET` in server responses.
– Specific DLL hashes associated with the attack.
– Unusual ASPX files such as `info3.aspx`, `spinstall0.aspx`, `spinstallb.aspx`, and `spinstallp.aspx` in the SharePoint directories.
Monitoring for these indicators is crucial for early detection and mitigation of the ToolShell exploit.
Infection Mechanism:
The ToolShell campaign exploits SharePoint’s customization features to deploy its payload. By submitting a POST request to `spinstall0.aspx`, the attacker causes the server to write `info3.aspx` into the `TEMPLATE\LAYOUTS` directory. Once deployed, `info3.aspx` decodes another Base64-encoded DLL (`bjcloiyq.dll`) to retrieve machine key parameters. The extracted keys are then exfiltrated by adding them to the `X-TXT-NET` header in server responses.
This method allows attackers to forge valid SharePoint cookies, effectively bypassing authentication and maintaining persistent access to the server.
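As an added example that is not part of the CISA analysis or this write-up, the Python script below turns the indicators from the detection and infection-mechanism sections into a log check: it flags DisplayMode=Edit requests to ToolPane.aspx and hits on the named ASPX files in constructed IIS W3C log lines, and tests a captured set of response headers for `X-TXT-NET`. The log field order, the sample lines and the client addresses are assumptions made for the example.

```python
from collections import namedtuple

# Indicators taken from the write-up above.
SUSPECT_ASPX = {"info3.aspx", "spinstall0.aspx", "spinstallb.aspx", "spinstallp.aspx"}
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
EXFIL_HEADER = "x-txt-net"

Finding = namedtuple("Finding", "line_no reason client_ip uri")

# Constructed IIS W3C log lines (not real traffic). The field order is the
# assumption encoded in the "#Fields:" directive and used by parse_iis_line().
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 03:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 200
2025-07-19 03:14:09 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 203.0.113.7 200
2025-07-19 03:14:11 10.0.0.5 GET /_layouts/15/info3.aspx - 203.0.113.7 200
2025-07-19 03:15:00 10.0.0.5 GET /sites/hr/default.aspx - 192.0.2.44 200
"""

def parse_iis_line(line):
    """Split one W3C log line into the assumed fields; None for directives/blank lines."""
    if line.startswith("#") or not line.strip():
        return None
    _date, _time, _s_ip, method, stem, query, c_ip, status = line.split()[:8]
    return {"method": method, "stem": stem, "query": query, "c_ip": c_ip, "status": status}

def scan_iis_log(text):
    """Flag ToolPane edit-mode requests and requests for the known web-shell file names."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_iis_line(line)
        if rec is None:
            continue
        stem = rec["stem"].lower()
        query = rec["query"].lower()
        if stem == TOOLPANE_PATH and "displaymode=edit" in query:
            findings.append(Finding(n, "ToolPane.aspx DisplayMode=Edit request", rec["c_ip"], rec["stem"]))
        elif stem.rsplit("/", 1)[-1] in SUSPECT_ASPX:
            findings.append(Finding(n, "known ToolShell ASPX file name", rec["c_ip"], rec["stem"]))
    return findings

def has_exfil_header(response_headers):
    """True if a captured response (dict of header name -> value) carries X-TXT-NET."""
    return any(name.lower() == EXFIL_HEADER for name in response_headers)

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} from {f.client_ip} ({f.uri})")
```

Response headers are not written to IIS logs by default, so `has_exfil_header` is meant for headers captured from a proxy or from a request you make to your own server.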
Recommendations for Mitigation:
Organizations utilizing on-premises SharePoint servers are strongly advised to take the following actions:
1. Apply Security Patches: Ensure that all SharePoint servers are updated with the latest security patches provided by Microsoft to address the identified vulnerabilities.
2. Monitor for IOCs: Regularly scan server logs and configurations for the presence of the `X-TXT-NET` header, unusual ASPX files, and known malicious DLL hashes.
3. Rotate Cryptographic Keys: After patching, rotate the ASP.NET machine keys and any other cryptographic material that may have been harvested, since stolen keys let the attacker keep forging ViewState and cookie values even on a patched server.
4. Limit Server Exposure: Restrict internet-facing access to SharePoint servers to minimize the attack surface.
5. Implement Advanced Threat Detection: Deploy advanced threat detection solutions capable of identifying and mitigating sophisticated attacks like ToolShell.
By proactively implementing these measures, organizations can significantly reduce the risk of compromise from the ToolShell exploit and enhance the overall security posture of their SharePoint environments.