Redazione RHC : 26 July 2025 10:13
The threat landscape never sleeps, but this time it woke up with a bang. On July 18, 2025, security firm Eye Security issued a warning that immediately resonated throughout the cyber world: a massive exploit campaign is underway against on-premises SharePoint servers, using a new vulnerability chain dubbed ToolShell, based on two newly-cataloged CVEs: CVE-2025-53770 and CVE-2025-53771.
The attack is anything but theoretical: it has already affected universities, energy companies, thousands of small and medium-sized businesses and, according to the Washington Post, at least two US federal agencies. This is an unauthenticated Remote Code Execution (RCE) chain that exploits publicly exposed versions of SharePoint and, more seriously, is capable of bypassing previous patches related to exploits demonstrated at Pwn2Own Berlin 2025.
The two new CVEs are actually mutated evolutions of a previous exploit chain: CVE-2025-49704 and CVE-2025-49706. In that case, the exploit started from an authentication bypass and led to remote code execution. Microsoft responded with a patch… but it turned out to be just a Band-Aid on a still festering wound.
CVE-2025-53770 reintroduces the deserialization flaw that allows RCE, while CVE-2025-53771 restores the bypassed authentication. In essence, ToolShell is an improved replay of the old attack, with a fresh coat of paint and increased effectiveness.
To make matters worse, there are quite a few vulnerable installations. Shodan lists over 16,000 publicly exposed instances, primarily in the United States, followed by Iran, Malaysia, the Netherlands, and Ireland. And many servers, as is often the case, continue to expose version details in HTTP headers, giving threat actors exactly what they need to strike surgically.
Once compromised, ToolShell allows the extraction of SharePoint encryption keys (ValidationKey and DecryptionKey), allowing persistent access to the system even after patches have been applied. As if that weren’t enough, the centralized nature of SharePoint—often integrated with Outlook, Teams, OneDrive, and Active Directory—opens the door to large-scale data exfiltration and the compromise of entire corporate collaboration infrastructures.
It’s a silent and deep attack, like the bite of a poisonous snake: after the initial RCE, persistent web shells are installed, credentials are collected, and, where possible, lateral movement is carried out within the network.
According to the sandbox report associated with the sample [SHA256: 1116231836ce7c8c64dd86027b458c3bf0ef176022beadfa01ba29591990aee6], the exploit executes an ASP file (“spinstall0.asp”) that is responsible for dropping the webshell. The observed behavior includes enumeration of physical storage devices and invocation of commands via cmd.exe, confirming the persistence and reconnaissance capabilities.
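A defender-side illustration of the log review and webshell hunting the article recommends, added here as an example and not taken from the report or from any vendor tooling: it parses an IIS W3C access log and flags requests for the spinstall0 web shell file (the only name the page gives) plus any served `/_layouts/` page missing from a baseline. The log lines, the `KNOWN_LAYOUT_PAGES` baseline and the client IPs are constructed for the example.

```python
import re

# Constructed sample of an IIS W3C log; the spinstall0 requests mirror the
# web shell drop described in the sandbox report above. Not real traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-18 03:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.22 200
2025-07-18 03:12:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.7 200
2025-07-18 03:13:10 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.7 200
2025-07-18 04:01:33 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 198.51.100.9 404
2025-07-18 04:05:02 10.0.0.5 GET /_layouts/15/unknown1.aspx - 443 198.51.100.9 200
"""

# Placeholder baseline of legitimate /_layouts/ pages; a real one is built
# from the server's own file inventory (assumption for this example).
KNOWN_LAYOUT_PAGES = {"start.aspx"}
WEBSHELL_NAME = re.compile(r"spinstall0", re.IGNORECASE)


def parse_iis_log(text):
    """Map each data row to a dict using the #Fields header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def find_toolshell_indicators(text):
    """Return (kind, client-ip, uri, status) tuples for suspicious requests.

    A 404 for the shell name still matters: it shows someone probing for it.
    """
    findings = []
    for row in parse_iis_log(text):
        stem = row["cs-uri-stem"]
        name = stem.rsplit("/", 1)[-1].lower()
        if WEBSHELL_NAME.search(name):
            findings.append(("known-webshell-name", row["c-ip"], stem, row["sc-status"]))
        elif (stem.lower().startswith("/_layouts/") and name.endswith(".aspx")
              and name not in KNOWN_LAYOUT_PAGES and row["sc-status"] == "200"):
            findings.append(("unbaselined-layouts-page", row["c-ip"], stem, row["sc-status"]))
    return findings


if __name__ == "__main__":
    for finding in find_toolshell_indicators(SAMPLE_LOG):
        print(*finding)
```

Any hit on the first category, or an unbaselined page served with 200, is a reason to pull the file from disk and compare it against a known-good install before anything else.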
The MITRE ATT&CK report links the attack chain to as many as 14 tactics, including Initial Access, Execution, Privilege Escalation, Credential Access, and Command and Control, a true symphony of advanced intrusion.
While on-prem SharePoint is becoming a favorite target of threat actors, the cloud version, SharePoint Online, is not affected. The reason is clear: centralized patching, automatic threat hunting, continuous monitoring, and reduced exposure. The security gap between on-prem and SaaS has never been so clear.
As if to say: those who chose the cloud grabbed their umbrella before the storm.
Microsoft released emergency updates on Patch Tuesday in July and published specific recommendations: apply patches (if available), enable AMSI, use Defender, and, crucially, rotate ASP.NET keys to break post-exploit persistence. However, SharePoint Server 2016 remains without an official patch at the time of writing. A nightmare for those unable to migrate.
In parallel, Recorded Future has created a Nuclei template to detect CVE-2025-53770, useful for automated threat hunting. The template queries the /vti_pvt/service.cnf endpoint and analyzes the exposed SharePoint build number to identify vulnerable versions.
Another critical element is that a proof-of-concept has already been published on GitHub, which has undoubtedly accelerated adoption of the exploit by malicious actors.
The ToolShell affair exposes (once again) the structural delay in managing on-premises systems, especially in companies and public administrations with legacy infrastructure, where patching is neither rapid nor consistent. But it goes even further: it confronts us with the harsh reality of how superficially exposure and internal visibility are managed.
Those managing exposed SharePoint infrastructures should act immediately: patch where available, isolate vulnerable systems, monitor logs, search for webshells, and above all, strategically review their infrastructure choices. It’s time to stop treating security like a checklist and start considering it a living, continuous, and, if necessary, painful process.
Those who stand still right now… are already going backwards.