ToolShell: A SharePoint RCE chain actively exploited 

The ToolShell exploit chain leverages multiple SharePoint vulnerabilities to gain unauthenticated remote code execution and silently extract cryptographic keys, enabling attackers to forge trusted requests and maintain persistent access. This active threat especially targets unpatched on-premises SharePoint Server 2016 and earlier, posing a high risk to organizations that have not yet applied Microsoft’s patches.

Key points

  • ToolShell exploits a chain of vulnerabilities including CVE-2025-49706 (authentication bypass), CVE-2025-49704 (arbitrary file write), and the newly discovered CVE-2025-53770 variant to achieve unauthenticated remote code execution on SharePoint servers.
  • Microsoft has released patches for SharePoint Server Subscription Edition and 2019, but SharePoint Server 2016 and earlier versions remain vulnerable and widely exposed.
  • The attack involves uploading a web shell (spinstall0.aspx), which extracts sensitive cryptographic keys (ValidationKey and DecryptionKey) without generating alerts, enabling stealthy ViewState forgery and further exploitation.
  • Thousands of vulnerable SharePoint servers are exposed to the internet, mainly on legacy Windows Server platforms, and are actively scanned and targeted by attackers.
  • Detection is challenging because the web shell leaks secrets silently and does not create typical network beacons or reverse shells, increasing the difficulty of timely incident response.
  • Mitigation requires immediate patching of vulnerable SharePoint versions and rotation of ASP.NET machine keys to invalidate any stolen cryptographic material.
  • Indicators of compromise include the presence of the spinstall0.aspx web shell, suspicious IP addresses linked to scanning and exploitation activity, and specific file hashes associated with malicious payloads.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ToolShell uses an authentication bypass vulnerability: crafting HTTP requests with a specific Referer header grants unauthenticated access to SharePoint pages (e.g., ‘/ToolPane.aspx’). (“By setting a specific Referrer header (e.g., /SignOut.aspx), attackers can bypass authentication checks”)
  • [T1105] Ingress Tool Transfer – Attackers upload a malicious .aspx web shell to the SharePoint layouts directory using an arbitrary file write vulnerability. (“Using the unauthenticated access – upload a malicious .aspx to /LAYOUTS/15/”)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The payload triggers PowerShell command execution through deserialized ViewState payloads once the web shell is activated. (“This usually includes PowerShell commands”)
  • [T1550] Use Alternate Authentication Material – Attackers use stolen MachineKey cryptographic keys to craft valid signed requests and bypass authentication. (“Using stolen Keys – Attacker can generate valid and signed __VIEWSTATE Payloads”)

Indicators of Compromise

  • [File Name] Web shell in SharePoint layouts directory – spinstall0.aspx used for extracting cryptographic keys.
  • [IP Address] Scanning and exploitation activity – 107.191.58.76, 104.238.159.149, 96.9.125.147.
  • [File Hash] Malicious payload hashes associated with the attack – 27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014, 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514, and others.
  • [File Hash] Compiled web shell hash – 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2.
  • [File Hash] Secondary web shell and forged payload hashes – 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030, fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7.
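The following detection script is an added example, not code from Varonis or from the original post. It hunts for the indicators listed above in two places: IIS W3C logs (ToolPane.aspx requests carrying a SignOut.aspx Referer, requests for spinstall0.aspx, and the listed source IPs) and the SharePoint LAYOUTS directory (files named spinstall0.aspx or whose SHA-256 matches a listed hash). It assumes the IIS log uses standard W3C field names (`cs-uri-stem`, `c-ip`, `cs(Referer)`); the sample log is constructed, not real traffic.

```python
import hashlib
from pathlib import Path
# Indicators from the summary above: listed IPs, listed SHA-256 hashes, web shell name.
TOOLSHELL_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}
TOOLSHELL_HASHES = {
    "27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014",
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514",
    "8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2",
    "4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030",
    "fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7",
}
WEB_SHELL = "spinstall0.aspx"

def parse_iis_w3c(text):
    """Yield one dict per request; column names come from the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def find_toolshell_requests(log_text):
    """Return (reason, record) pairs for requests matching the chain described above."""
    hits = []
    for rec in parse_iis_w3c(log_text):
        uri, ref = rec.get("cs-uri-stem", "").lower(), rec.get("cs(Referer)", "").lower()
        if uri.endswith("/toolpane.aspx") and "/signout.aspx" in ref:
            hits.append(("ToolPane.aspx request with SignOut.aspx Referer (auth bypass)", rec))
        if uri.endswith("/" + WEB_SHELL):
            hits.append(("request for web shell " + WEB_SHELL, rec))
        if rec.get("c-ip") in TOOLSHELL_IPS:
            hits.append(("listed scanning/exploitation IP " + rec["c-ip"], rec))
    return hits

def check_layouts_dir(layouts_dir):
    """Flag files named spinstall0.aspx and any file whose SHA-256 is a listed hash."""
    findings = []
    for path in (p for p in Path(layouts_dir).rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if path.name.lower() == WEB_SHELL or digest in TOOLSHELL_HASHES:
            findings.append((str(path), digest))
    return findings

# Constructed sample log (not real traffic): benign request, bypass attempt, shell fetch.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 10:00:01 GET /SitePages/Home.aspx - 10.0.0.9 https://intranet/ 200
2025-07-19 10:00:07 POST /_layouts/15/ToolPane.aspx - 107.191.58.76 /_layouts/SignOut.aspx 200
2025-07-19 10:00:09 GET /_layouts/15/spinstall0.aspx - 107.191.58.76 - 200
"""
```

Run `find_toolshell_requests` over the server's IIS logs and `check_layouts_dir` over the web application's LAYOUTS folder; a hit on the hash or file-name check means the ASP.NET machine keys must be treated as stolen and rotated, as the mitigation note above states.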

Read more: https://www.varonis.com/blog/toolshell-sharepoint-rce