ToolShell attack flow exploiting SharePoint vulnerability.

The Global SharePoint Crisis: Inside Microsoft’s Emergency Response to the “ToolShell” Zero-Day Attack

The Scene: Alaska Airlines halts all ground operations for three hours on Sunday, July 20th. IT systems mysteriously fail. While the cause remains unconfirmed, cybersecurity teams worldwide hold their breath. This incident unfolds amidst one of the most severe and widespread Microsoft SharePoint vulnerability attacks in recent history—an attack exploiting a critical “zero-day” flaw, actively breaching government agencies, universities, and global enterprises.

What is Happening? The Core Vulnerability Explained

At the heart of this crisis are two critical vulnerabilities tracked as CVE-2025-53770 (Critical RCE, CVSS 9.8) and CVE-2025-53771 (Spoofing). These flaws represent sophisticated bypasses of patches Microsoft issued just weeks earlier in its July 2025 Patch Tuesday (for CVE-2025-49704 and CVE-2025-49706). This exploit chain, dubbed “ToolShell,” allows attackers to:

  1. Bypass Authentication: Send malicious HTTP POST requests to /_layouts/15/ToolPane.aspx with a specific referer header (/_layouts/SignOut.aspx), tricking the server into treating them as legitimate.
  2. Execute Remote Code (Pre-Authentication): Exploit flaws in how SharePoint deserializes untrusted data, allowing attackers to run commands before logging in.
  3. Steal Critical Machine Keys: Deploy a malicious web shell file (spinstall0.aspx) into the SharePoint layouts directory (e.g., C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\). This shell steals the server’s ASP.NET MachineKey configuration, including the ValidationKey and DecryptionKey.
  4. Achieve Persistent, Untouchable Access: With these cryptographic keys, attackers forge valid __VIEWSTATE payloads. This grants them ongoing remote code execution (RCE) capabilities, even after the original vulnerability is patched, allowing them to impersonate users, access all data, and move laterally across networks connected to SharePoint (like Outlook, Teams, OneDrive).
Microsoft SharePoint vulnerability attack flow diagram.

The Alarming Scale of the SharePoint Attack

This isn’t a theoretical risk. It’s a global incident with confirmed, widespread exploitation:

  • Active Since July 18th: Eye Security detected the first major wave of attacks around 18:00 UTC on July 18th, followed by another wave around 07:30 UTC on July 19th.
  • Confirmed Compromises: Security researchers have identified over 85 compromised SharePoint servers belonging to at least 29 distinct organizations, including:
    • U.S. Federal and State Government Agencies (including health orgs)
    • A Private University in California
    • A Private Energy Sector Operator in California
    • A Private AI Tech Company
    • A Private Fintech Company in New York
    • Organizations in Germany, France, and Australia
  • Thousands Potentially Exposed: The Shadowserver Foundation scans show approximately 9,300 SharePoint servers exposed daily on the public internet. While not all are vulnerable or compromised, this represents a massive attack surface. Palo Alto Networks Unit 42 warns the hack likely reached thousands of organizations globally.
  • CISA Sounds the Alarm: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog on July 20th, compelling federal agencies to remediate within 21 days and urging all organizations to prioritize action.
  • High-Risk Sectors: Government, education (universities), healthcare (hospitals), critical infrastructure (energy), and large enterprises are deemed at immediate and severe risk.

“If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat.” – Michael Sikorski, CTO & Head of Threat Intelligence, Palo Alto Networks Unit 42.

Microsoft’s Emergency Response & Mitigation Steps

Microsoft reacted swiftly, but the situation remains fluid:

  1. Patches Released (July 20/21):
    • SharePoint Server 2019: KB5002741 / KB5002754 (Build 16.0.10417.20027)
    • SharePoint Subscription Edition: KB5002768
    • Microsoft Stance: “Customers should apply these updates immediately to ensure they’re protected” against CVE-2025-53770 and CVE-2025-53771.
  2. Patch Pending:
    • SharePoint Server 2016: Microsoft confirmed it is still actively working on a security update (KB5002744). This version remains critically vulnerable.
  3. Detection & Compromise Assessment:
    • Scan for spinstall0.aspx: Check C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\[15 or 16]\TEMPLATE\LAYOUTS\
    • Analyze IIS Logs: Look for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with an HTTP Referer of /_layouts/SignOut.aspx
    • Monitor Suspicious IPs: Block/Scan for traffic from 107.191.58[.]76104.238.159[.]14996.9.125[.]147 (observed in attacks July 18-19).
    • Use Microsoft 365 Defender Hunting Queries: Run the provided queries searching for spinstall0.aspx file creation or w3wp.exe spawning encoded PowerShell related to these paths.
    • Check MDVM: Filter by CVE-2025-53770/CVE-2025-53771 in Microsoft Defender Vulnerability Management for exposure status.
  4. Official guidance: Microsoft’s security team published urgent mitigation steps including key rotation.
  5. Critical Mitigations (Especially for SharePoint 2016 or if Compromise is Suspected):
ActionPurposeHow To
Enable AMSI + Defender AVBlocks unauthenticated exploitation. Scans malicious scripts/memory content.Ensure AMSI integration is enabled (default since Sept 2023 update for 2016/2019) and deploy Microsoft Defender Antivirus on all SharePoint servers. Configure AMSI in “Full Mode” for optimal protection.
Rotate ASP.NET Machine KeysInvalidates stolen keys. Prevents attackers from forging trusted sessions even after patching. Method 1 (PowerShell): Use Update-SPMachineKey cmdlet.

Method 2 (Central Admin): Go to Monitoring → Review job definitions → Find “Machine Key Rotation Job” → Run Now.

CRITICAL: Restart IIS on all servers (iisreset.exe) after rotation.
Disconnect from InternetImmediate protection if AMSI cannot be enabled or patch unavailable (e.g., SP2016).Physically or logically disconnect vulnerable SharePoint servers from internet access until patches/mitigations are fully applied.
Deploy Defender for Endpoint (or equivalent EDR)Detects post-exploit activity like web shell creation, suspicious process spawning.Monitor for alerts like “Possible web shell installation,” “Suspicious IIS worker process behavior,” “HijackSharePointServer malware blocked”.
Apply July 2025 Security UpdatesAddresses the original ToolShell vulnerabilities (CVE-2025-49704/49706) this attack bypasses.Foundational baseline protection.

“With these [Machine] keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid—enabling seamless remote code execution. This approach makes remediation particularly difficult.” – Benjamin Harris, CEO, watchTowr.

Why This SharePoint Vulnerability is a “Worst-Case Scenario”

Security experts are using unusually dire language:

  1. Pre-Authentication Exploitation: Attackers don’t need usernames, passwords, or MFA. The door is wide open before login.
  2. Persistence Through Key Theft: Even after patching, stolen MachineKeys allow attackers back in. Patching is necessary but NOT sufficient. Key rotation is mandatory.
  3. Deep Network Access: SharePoint’s integration with core Microsoft services (Active Directory, Outlook, Teams, OneDrive) means a breach here is a springboard to the entire network. “A compromise doesn’t stay contained — it opens the door to the entire network,” warns Sikorski.
  4. Bypassing Traditional Defenses: The attack leverages legitimate SharePoint mechanisms (deserialization, ViewState), making it hard for signature-based defenses and firewalls to detect, especially as attackers evolve payloads.
  5. Massive Attack Surface: Thousands of exposed on-prem servers globally present a target-rich environment. Ryan Dewhurst of watchTowr stated, “This is going global, fast,” noting hundreds of organizations already impacted across multiple continents.
  6. Nation-State Concerns: Early indications suggest possible nation-state involvement focused on persistence, with criminal gangs quickly following suit.

The Road Ahead: Lessons and Imperatives

The “ToolShell” crisis exposes critical lessons for cybersecurity:

  1. The Peril of Perimeter Trust: “CVE-2025-53770 is… a case study in what happens when legacy trust models meet modern threat actors,” states Rik Ferguson of Forescout. Assuming internal systems or authenticated users are “safe” is dangerously obsolete. Zero Trust principles are non-negotiable.
  2. Patch Velocity Isn’t Enough: While Microsoft responded relatively quickly, the attackers adapted faster, creating bypasses for recently patched flaws. Continuous monitoring and layered defenses (like AMSI) are vital.
  3. On-Prem Complexity is a Liability: This attack starkly highlights the security challenges of managing complex on-premises infrastructure compared to cloud services (SharePoint Online was not affected). Organizations must rigorously assess the risk/benefit of maintaining exposed on-prem servers.
  4. Cryptographic Key Management is Critical: The centrality of the MachineKey theft underscores that protecting cryptographic secrets is as important as patching software. Robust key rotation procedures must be part of standard incident response playbooks.
  5. Visibility is Paramount: Detecting this attack requires deep endpoint visibility (EDR/XDR) and sophisticated log analysis. Organizations lacking these capabilities were effectively blind 179.
  6. Collaboration is Key: The rapid sharing of IoCs and mitigations by Eye Security, Palo Alto, watchTowr, Microsoft, and CISA exemplifies how public/private collaboration is essential for combating large-scale threats.

Conclusion: Urgent Action Required

The Microsoft SharePoint vulnerability (CVE-2025-53770 / CVE-2025-53771) represents an ongoing, severe global threat. Exploits are active, confirmed, and widespread. While patches are available for SharePoint 2019 and Subscription Edition, SharePoint 2016 servers remain exposed, and all affected organizations must go beyond patching to rotate Machine Keys and hunt for compromises.

The “ToolShell” attack chain grants attackers a devastating combination of easy initial access, deep network penetration, and persistent control. For any organization with an internet-facing on-premises SharePoint server, the time for action is now: apply patches, enable AMSI with Defender AV, rotate keys aggressively, hunt for IoCs, and if necessary, disconnect vulnerable systems until secured. The cost of inaction could be catastrophic data breaches, ransomware, and total network compromise.

The cost of delay could be catastrophic data breaches, ransomware, or total network takeover. For ongoing protection, follow Microsoft’s comprehensive SharePoint security guidelines.

Leave a Comment

Table of Contents

Index