A critical zero-day vulnerability (CVE-2025-53770) in Microsoft SharePoint allows unauthenticated remote code execution and is actively exploited by threat actors, including Linen Typhoon and Violet Typhoon. Attackers leverage this flaw to deploy web shells, steal credentials, and maintain persistent access, targeting organizations worldwide, notably a US nuclear weapons agency. #CVE202553770 #LinenTyphoon #VioletTyphoon #MicrosoftSharePoint
Key points
- CVE-2025-53770 is a high-severity (CVSS 9.8) deserialization vulnerability in SharePoint Server 2016, 2019, and Subscription Edition enabling unauthenticated remote code execution.
- Attackers exploit this vulnerability using crafted HTTP POST requests targeting legacy SharePoint pages like ToolPane.aspx.
- The exploit is part of a broader attack chain named ToolShell, often combined with CVE-2025-49704 and CVE-2025-49706 to bypass authentication and escalate privileges.
- Threat actors Linen Typhoon and Violet Typhoon, associated with China, are actively exploiting the vulnerability and targeting high-value organizations, including a US nuclear weapons agency.
- Over 60,000 exploitation attempts were detected in one day targeting thousands of sites across 34 countries, with over 50% aimed at US sites.
- The attack payload abuses System.DelegateSerializationHolder to execute PowerShell commands remotely, enabling data exfiltration without user interaction.
- Imperva provides protection with Web Application Firewall (WAF) rules that detect and block exploit attempts targeting CVE-2025-53770 and related attack chains.
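A defender-side log check for the request pattern described in the key points above, added here as an example (it is not Imperva's WAF rule and not code from the original report). It parses constructed W3C-style IIS log rows and flags POST requests to ToolPane.aspx plus any row carrying the IoC address; the /_layouts/15/ path prefix and the log rows are assumptions, and the only values taken from the report are the page name and the IP address.

```python
"""Flag web-server log rows matching the ToolShell exploitation pattern (hypothetical helper)."""
from typing import Iterator

# Values taken from the report: the targeted legacy page and the exfiltration server.
TARGET_PAGE = "toolpane.aspx"
EXFIL_IP = "146.70.41.178"

# Constructed sample in W3C extended format (a #Fields header, then space-separated rows).
# The /_layouts/15/ prefix is an assumption, not a path stated in the report.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-20 03:14:07 GET /_layouts/15/start.aspx - 203.0.113.10 200
2025-07-20 03:14:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 200
2025-07-20 03:14:11 GET /_layouts/15/ToolPane.aspx - 203.0.113.10 200
2025-07-20 03:14:15 POST /_layouts/15/toolpane.aspx - 146.70.41.178 500
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per data row, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_suspicious(text: str) -> list:
    """Return rows worth triage: a POST to ToolPane.aspx, or the IoC address in any column.

    GET requests to the page are normal SharePoint traffic and are not flagged; the
    IoC address is the reported exfiltration endpoint, so in practice it would more
    often show up as a destination in proxy or firewall logs than as a web client.
    """
    hits = []
    for row in parse_w3c(text):
        reasons = []
        is_post = row.get("cs-method") == "POST"
        if is_post and row.get("cs-uri-stem", "").lower().endswith(TARGET_PAGE):
            reasons.append("POST to ToolPane.aspx")
        if EXFIL_IP in row.values():
            reasons.append("known IoC address")
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], "->", "; ".join(hit["reasons"]))
```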
MITRE Techniques
- [T1204] User Execution – Exploitation of SharePoint via crafted HTTP POST requests to legacy pages to trigger code execution (“…send crafted HTTP POST requests…to trigger arbitrary code execution…”).
- [T1176] Browser Extensions – Use of deserialization of malicious objects (System.DelegateSerializationHolder) to hijack execution flow remotely.
- [T1059.001] Command and Scripting Interpreter: PowerShell – Execution of PowerShell commands with -EncodedCommand to run ipconfig and exfiltrate data (“…invokes System.Diagnostics.Process.Start() with a PowerShell command using -EncodedCommand…”).
- [T1543.003] Create or Modify System Process – Deployment of web shells and manipulation of SharePoint machine keys to maintain persistent access (“…deploy web shells or steal the SharePoint machine key, allowing them to forge authentication tokens and maintain access…”).
- [T1078] Valid Accounts – Use of forged authentication tokens based on stolen machine keys for persistence (“…forge authentication tokens and maintain access even after initial entry points are patched…”).
Indicators of Compromise
- [IP Address] Remote server used for exfiltration – 146.70.41.178
- [File Name] Targeted legacy SharePoint page – ToolPane.aspx
- [Vulnerability ID] Exploited CVEs – CVE-2025-53770, CVE-2025-49704, CVE-2025-49706