Redazione RHC: 21 July 2025 07:51
An advanced cyberattack campaign has been detected targeting Microsoft SharePoint servers. This threat exploits a series of vulnerabilities, known as “ToolShell,” which allows attackers to gain complete and remote control of systems, bypassing authentication.
Eye Security, a Dutch cybersecurity firm, identified the active exploitation on July 18, 2025, revealing what security researchers describe as one of the fastest transitions from proof of concept to mass exploitation in recent history.
The vulnerability chain combines two critical security flaws, CVE-2025-49706 and CVE-2025-49704, originally demonstrated at Pwn2Own Berlin 2025 in May by security researchers from CODE WHITE GmbH, a German offensive security company.
The exploit remained dormant until July 15, 2025, when CODE WHITE publicly shared its detailed research findings on social media platforms after Microsoft officially released the patch. Within just 72 hours of public disclosure, threat actors had successfully deployed the exploit for large-scale, coordinated attacks.
Eye Security’s in-depth investigation revealed that attackers began systematic mass exploitation on July 18, 2025, around 6:00 PM Central European Time, initially using the IP address 107.191.58.76. A second distinct wave of attacks emerged from 104.238.159.149 on July 19, 2025, at 7:28 AM CET, clearly indicating a well-coordinated international campaign.
The ToolShell exploit bypasses traditional authentication mechanisms by targeting the vulnerable SharePoint endpoint /_layouts/15/ToolPane.aspx. Unlike conventional web shells designed primarily for command execution, the malicious payload specifically extracts sensitive cryptographic keys from SharePoint servers, including the critical ValidationKey and DecryptionKey materials.
“This was not your typical web shell,” Eye Security researchers explained in their detailed technical analysis. “The attacker turns SharePoint’s inherent trust in its own configuration into a powerful weapon.” Once these cryptographic secrets are successfully obtained, attackers can craft a fully valid __VIEWSTATE payload to achieve full remote code execution, without requiring any user credentials.
The sophisticated attack leverages techniques similar to CVE-2021-28474, exploiting SharePoint’s deserialization and rendering control processes. By obtaining the server’s ValidationKey, attackers can digitally sign malicious payloads that SharePoint automatically accepts as legitimate and trusted input, effectively bypassing all existing security controls and defensive measures.
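The indicators the article gives (the ToolPane.aspx endpoint, the two source IPs, and the fact that the requests arrive without any authenticated user) are enough to build a first-pass hunt over IIS logs. The following is an added example, not code from the article or from Eye Security: it parses IIS W3C log lines, flags every request to /_layouts/15/ToolPane.aspx, and grades each hit by whether it comes from one of the IPs named above or is an unauthenticated POST. The log excerpt is constructed for the example, and the "unauthenticated POST" heuristic (cs-username of "-") is an assumption of this script, not a detection rule published with the research.

```python
"""Added detection example (not from the article or Eye Security).

Scans IIS W3C log text for ToolShell-style requests to ToolPane.aspx.
Indicators (path, source IPs) are taken from the article; the sample log
lines and the unauthenticated-POST heuristic are constructed here.
"""
from dataclasses import dataclass

# Endpoint named in the article; matched case-insensitively because IIS
# logs preserve whatever casing the client sent.
TOOLSHELL_PATH = "/_layouts/15/toolpane.aspx"
# Source IPs the article attributes to the two exploitation waves.
KNOWN_SOURCE_IPS = {"107.191.58.76", "104.238.159.149"}

# Constructed sample of an IIS W3C log (field order comes from #Fields).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2025-07-18 16:01:12 10.0.0.5 GET /sites/hr/default.aspx - CONTOSO\\alice 192.0.2.10 Mozilla/5.0 200
2025-07-18 16:02:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - - 107.191.58.76 Mozilla/5.0 200
2025-07-19 05:28:03 10.0.0.5 POST /_layouts/15/toolpane.aspx - - 104.238.159.149 python-requests/2.32 200
2025-07-19 05:30:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx - - 198.51.100.7 curl/8.5 200
2025-07-19 06:00:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx - CONTOSO\\bob 192.0.2.20 Mozilla/5.0 200
"""


@dataclass
class Finding:
    line_no: int      # 1-based line in the log text
    severity: str     # "high" or "medium"
    client_ip: str
    reason: str


def parse_w3c(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log body seen before #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than crash
        rec = dict(zip(fields, values))
        rec["_line"] = line_no
        records.append(rec)
    return records


def detect_toolshell(records):
    """Flag requests to the ToolShell endpoint and grade each one."""
    findings = []
    for rec in records:
        if rec.get("cs-uri-stem", "").lower() != TOOLSHELL_PATH:
            continue
        ip = rec.get("c-ip", "-")
        user = rec.get("cs-username", "-")
        method = rec.get("cs-method", "").upper()
        if ip in KNOWN_SOURCE_IPS:
            findings.append(Finding(rec["_line"], "high", ip,
                                    "ToolPane.aspx request from IP named in the Eye Security report"))
        elif method == "POST" and user == "-":
            # Assumption: the exploit bypasses auth, so the request is anonymous.
            findings.append(Finding(rec["_line"], "high", ip,
                                    "unauthenticated POST to ToolPane.aspx (auth-bypass pattern)"))
        else:
            findings.append(Finding(rec["_line"], "medium", ip,
                                    "ToolPane.aspx request; verify against legitimate admin activity"))
    return findings


def scan(text):
    """Parse and detect in one call; returns the list of Finding objects."""
    return detect_toolshell(parse_w3c(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.client_ip} - {f.reason}")
```

On the sample above, the two requests from the article's IPs and the anonymous POST from an unlisted address all come out as high, while the authenticated GET from an internal user is only medium. A high-severity hit on a server that was unpatched during the window the article describes should be treated as a key-disclosure event, not just an intrusion attempt: once ValidationKey and DecryptionKey have been read, a patch stops further extraction but does not invalidate the copies already taken, so the MachineKey material itself has to be rotated.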
Eye Security’s comprehensive scan of over 1,000 SharePoint servers deployed worldwide revealed dozens of actively compromised systems in numerous organizations. The cybersecurity firm immediately initiated responsible disclosure procedures, directly contacting all affected organizations and national Computer Emergency Response Teams (CERTs) across Europe and internationally.