Executive Summary
In July 2025, multiple zero-day vulnerabilities in on-premises Microsoft SharePoint Server were actively exploited through an attack chain named ToolShell. Microsoft attributes the campaign to two Chinese state actors, Linen Typhoon and Violet Typhoon, and to Storm-2603, a China-based actor. The chain combines a spoofing bug that bypasses authentication with a remote code execution bug to compromise vulnerable servers, steal their cryptographic keys, and keep access after the fact.
The vulnerabilities at the core of this attack chain are:
- CVE-2025-49706 – Spoofing (improper authentication); the original authentication bypass
- CVE-2025-49704 – Remote code execution (code injection); the original RCE
- CVE-2025-53771 – Path traversal leading to spoofing; a variant of CVE-2025-49706 that bypasses its first fix
- CVE-2025-53770 – Deserialization of untrusted data leading to unauthenticated RCE; a variant of CVE-2025-49704 that bypasses its first fix
Microsoft's initial July fixes were bypassed (the bypasses are tracked as CVE-2025-53770 and CVE-2025-53771), and the use of in-memory payloads has escalated the risk profile significantly. As of late July, hundreds of organizations had been impacted globally, with many still running unpatched or unsupported SharePoint environments.
Threat Overview: The ToolShell Chain
ToolShell is the name given to the chain of CVE-2025-49706 and CVE-2025-49704, first publicly demonstrated at Pwn2Own Berlin 2025 and then weaponized in the wild. Chaining the spoofing bug with the RCE bug gives unauthenticated remote code execution, and the post-exploitation tooling described below provides persistence.
Key Capabilities:
- Unauthenticated RCE through deserialization
- Stealth in-memory payloads, bypassing file-based detection
- Extraction of the server's ASP.NET machine keys (ValidationKey, DecryptionKey)
- Persistence even after patching: with the machine keys, an attacker can sign a malicious __VIEWSTATE payload that a fully patched server will still deserialize, so the keys must be rotated
- Deployment of ransomware (e.g., Warlock) and .dll-based malware
Recorded Future and Microsoft have confirmed that these attacks use advanced TTPs: in some intrusions the actors avoid file-backed .aspx web shells entirely and operate through in-memory .NET payloads such as osvmhdfl.dll. Even where a file is dropped, the spinstall0.aspx page is not an interactive shell; a single HTTP request to it returns the machine keys, so the exfiltration is one request that is easy to miss.
Detection Challenges
Traditional methods like scanning for web shells or suspicious .aspx uploads are insufficient on their own. Advanced adversaries now:
- Use memory-resident payloads with no static file trace
- Exploit legitimate SharePoint paths: the initial exploit request is a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit carrying a Referer header of /_layouts/SignOut.aspx, the combination that lets the request through without authentication
- Embed backdoors as .dll assemblies loaded dynamically into the IIS worker process (w3wp.exe)
Security teams should monitor for:
- Microsoft Defender alerts such as:
  - Exploit:Script/SuspSignoutReq.A
  - Trojan:PowerShell/MachineKeyFinder.DA!amsi
  - Possible web shell installation
- Suspicious behavior of w3wp.exe processes, for example w3wp.exe spawning cmd.exe or powershell.exe
- Unexpected .NET assemblies loaded by IIS
Immediate Recommendations for CISOs
1. Apply Security Updates
Microsoft has released cumulative July 2025 updates for:
- SharePoint Server 2016: KB5002760 (server) and KB5002759 (language pack)
- SharePoint Server 2019: KB5002754 (server) and KB5002753 (language pack)
- SharePoint Subscription Edition: KB5002768
Ensure both the main update and the language pack update are installed on every server in the farm, and run the SharePoint Products Configuration Wizard afterwards so the update is actually applied.
2. Verify Supported Versions
Only SharePoint Server 2016, 2019, and Subscription Edition are supported and received fixes. If you are running SharePoint 2013 or earlier, disconnect it from the internet immediately: these versions are end-of-life and will not be patched. SharePoint Online (Microsoft 365) is not affected by this chain.
3. Rotate ASP.NET Machine Keys
The ASP.NET machine keys (ValidationKey and DecryptionKey) sign and encrypt __VIEWSTATE and other ASP.NET state. An attacker who holds them can craft a validly signed, malicious ViewState payload and regain code execution on a fully patched server, so patching alone does not evict an attacker who has already stolen the keys.
- Rotate the keys after the update is installed (rotating on an unpatched server only produces keys that can be stolen again), and again whenever a compromise is suspected.
- Use the SharePoint Management Shell, then restart IIS on every server in the farm:

```powershell
# Generate new keys for the web application (no explicit keys given)
Set-SPMachineKey -WebApplication <WebApp>
# Write the new keys into web.config on every server in the farm
Update-SPMachineKey -WebApplication <WebApp>
# Restart IIS so the worker processes pick up the new configuration
iisreset
```
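The commands above rotate one web application at a time. The script below, an added example that is not Microsoft's own script, rotates the keys of every web application in the farm (including Central Administration, which has its own keys) and restarts IIS on every SharePoint server. It assumes it is run from an elevated SharePoint Management Shell by a farm administrator after the July 2025 update has been installed on all servers, and that PowerShell remoting (WinRM) is enabled to each farm server.

```powershell
# Added example: farm-wide machine key rotation after patching.
# Assumptions: elevated SharePoint Management Shell, farm admin, WinRM enabled.
$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Central Administration is a web application with its own keys, so include it
# rather than rotating only the content web applications.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($wa in $webApps) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    # With no -ValidationKey/-DecryptionKey supplied, Set-SPMachineKey generates
    # fresh random keys for this web application ...
    Set-SPMachineKey -WebApplication $wa
    # ... and Update-SPMachineKey pushes them into web.config on every server.
    Update-SPMachineKey -WebApplication $wa
}

# The new keys only take effect once the worker processes reload web.config,
# so restart IIS on every server that actually runs SharePoint. Farm members
# that only host SQL report the role 'Invalid' and are skipped.
$spServers = (Get-SPFarm).Servers | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock {
        iisreset.exe /noforce | Out-Null
    }
}

# Rotation invalidates every existing session and every __VIEWSTATE issued
# under the old keys, so users will be signed out; plan the window accordingly.
Write-Host "Rotated keys for $($webApps.Count) web application(s) on $(@($spServers).Count) server(s)."
```

If WinRM is not available, run the final iisreset manually on each server; the rotation itself only needs to be triggered once, from one server, because Update-SPMachineKey propagates the keys through the farm configuration.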
4. Enable and Configure AMSI (Antimalware Scan Interface)
Full protection requires:
- Microsoft Defender Antivirus (or another AMSI-capable antivirus) running on every SharePoint server
- SharePoint's AMSI integration enabled, with HTTP request body scanning in Full Mode so the exploit POST body is inspected rather than only the headers
- SharePoint Server 2016/2019 or Subscription Edition on a build that includes the AMSI integration (it has been on by default since the September 2023 security update and Subscription Edition 23H2, so verify that nobody has switched it off)
If AMSI cannot be enabled:
- Disconnect the server from public access until it is patched.
- Alternatively, restrict unauthenticated traffic by placing the server behind a VPN or an authenticating gateway proxy.
5. Deploy Microsoft Defender for Endpoint
Microsoft Defender offers alerting for:
- Suspicious IIS behavior
- Malware linked to ToolShell
- Indicators such as spinstall0.aspx and the HijackSharePointServer.A detection
Advanced Threat Hunting
Use Microsoft 365 Defender and Recorded Future's Malware Intelligence to search for historical compromise indicators. Suggested actions include:
- Run Advanced Hunting queries for the CVE identifiers to list devices that still report as vulnerable (this finds unpatched servers, not compromised ones):

```kusto
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2025-49706", "CVE-2025-53770")
```

- Investigate the presence of files such as:
  - spinstall0.aspx
  - App_Web_spinstall0.aspx.dll
  - cve.ps1
- Use YARA rules and Nuclei templates (provided by Recorded Future) to detect the memory-resident ToolShell payload and vulnerable SharePoint versions. Recorded Future's sandbox includes sample hashes for cross-reference.
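For a quick on-host sweep of the file indicators listed above, the following script is an added example (it is not Recorded Future's YARA or Nuclei content, nor a Microsoft tool). It searches the typical SharePoint LAYOUTS folders and the Temporary ASP.NET Files compilation cache, hashes any hits for cross-reference with threat-intelligence sample hashes, and additionally flags any .aspx page in LAYOUTS created after a cutoff date, because name-based indicators are trivial for an attacker to rename. The directory paths are the product's default install locations and are assumptions about your environment; the compiled-assembly name is matched with a wildcard because ASP.NET appends a hash to App_Web_*.dll file names.

```powershell
# Added example: sweep SharePoint servers for ToolShell file artifacts.
# Paths below are default install locations (assumed); adjust for custom installs.
$iocNames = @('spinstall0.aspx', 'App_Web_spinstall0.aspx*.dll', 'cve.ps1')

$layoutRoots = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",  # SharePoint 2016 hive
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"   # SharePoint 2019 / Subscription Edition hive
)
# ASP.NET compiles dynamically added pages into App_Web_*.dll under this cache.
$tempAspNetRoots = @(Get-ChildItem "$env:windir\Microsoft.NET\Framework64\v*\Temporary ASP.NET Files" `
    -Directory -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)

function Find-ToolShellArtifacts {
    param(
        [string[]]$Roots,
        [string[]]$Names,
        [datetime]$AspxCreatedAfter = [datetime]'2025-07-01'   # assumed cutoff; set to your last patch window
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # 1. Exact/wildcard name matches for the published indicators.
        foreach ($name in $Names) {
            Get-ChildItem -LiteralPath $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Reason   = "IOC name match: $name"
                        Path     = $_.FullName
                        Created  = $_.CreationTimeUtc
                        Modified = $_.LastWriteTimeUtc
                        SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }

        # 2. Any .aspx in a LAYOUTS folder created after the cutoff. LAYOUTS only
        #    changes when a SharePoint update is installed, so a new page there
        #    outside a patch window is suspicious whatever it is called.
        if ($root -like '*\TEMPLATE\LAYOUTS') {
            Get-ChildItem -LiteralPath $root -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $_.CreationTimeUtc -gt $AspxCreatedAfter } |
                ForEach-Object {
                    [pscustomobject]@{
                        Reason   = 'New .aspx in LAYOUTS after cutoff'
                        Path     = $_.FullName
                        Created  = $_.CreationTimeUtc
                        Modified = $_.LastWriteTimeUtc
                        SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }
    }
}

$hits = @(Find-ToolShellArtifacts -Roots ($layoutRoots + $tempAspNetRoots) -Names $iocNames)
if ($hits.Count -eq 0) {
    Write-Host 'No ToolShell file artifacts found (in-memory payloads leave nothing here; see the log hunting below).'
} else {
    $hits | Sort-Object Path -Unique | Format-Table -AutoSize
}
```

A clean result from this sweep is not evidence of a clean server: the in-memory variants of the payload leave no file behind, and an attacker who has already pulled the machine keys needs no file on disk to come back. Treat the file sweep as one input alongside Defender telemetry, IIS log analysis, and key rotation.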
IOC Scanning and Network Activity Monitoring
IP Addresses to Monitor
Microsoft, Eye Security, and CISA have reported the following IPs as associated with known ToolShell activity. IP indicators age quickly (several are cloud-hosted and can be reassigned), so treat a match as a lead to investigate rather than as proof of compromise, and do not treat the absence of these addresses as evidence of safety:
- 107.191.58[.]76
- 104.238.159[.]149
- 96.9.125[.]147
- 34.72.225[.]196
- 45.77.155[.]170
- 141.164.60[.]10
- 188.130.206[.]168
- 206.166.251[.]228
Use SIEM and IDS/IPS systems to:
- Monitor POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, particularly those whose Referer header is /_layouts/SignOut.aspx
- Track access to /_layouts/SignOut.aspx and to spinstall0.aspx
- Identify lateral movement post-compromise
Implement CISA’s logging best practices to support forensics and incident response.
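The request pattern described in the Detection Challenges section and the monitoring points listed above can be checked directly against IIS W3C logs. The following script is an added example, not Microsoft's or CISA's tooling: it parses IIS log lines using the field order declared in the log's own #Fields header, flags a POST to ToolPane.aspx in edit mode with a SignOut.aspx Referer, any request for spinstall0.aspx, and any request from the IOC addresses above, and runs over a few constructed sample lines (not real log data). It assumes the default IIS W3C field set, which includes cs(Referer) and c-ip; note that IIS never logs the request body, so the exploit payload itself is not visible here.

```powershell
# Added example: hunt IIS W3C logs for ToolShell request patterns.
# Assumes default IIS W3C logging fields (cs-method, cs-uri-stem, cs-uri-query,
# c-ip, cs(Referer) are all present by default). The sample log lines at the
# bottom are constructed for this example, not captured from a real server.
$iocIps = @(
    '107.191.58.76', '104.238.159.149', '96.9.125.147', '34.72.225.196',
    '45.77.155.170', '141.164.60.10', '188.130.206.168', '206.166.251.228'
)

function Find-ToolShellRequests {
    param(
        [string[]]$LogLines,
        [string[]]$KnownBadIps = $iocIps
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Field order is declared by the log file itself; never assume positions.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        # IIS replaces spaces inside field values with '+', so a plain split is safe.
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $r = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $r[$fields[$i]] = $values[$i] }

        $reasons = @()
        # Initial exploit request: POST to ToolPane.aspx in edit mode whose Referer
        # is SignOut.aspx. -match is case-insensitive by default in PowerShell.
        if ($r['cs-method'] -eq 'POST' -and
            $r['cs-uri-stem'] -match '/_layouts/15/toolpane\.aspx$' -and
            $r['cs-uri-query'] -match 'DisplayMode=Edit' -and
            $r['cs(Referer)'] -match '/_layouts/signout\.aspx') {
            $reasons += 'ToolPane POST with SignOut.aspx Referer'
        }
        # Key theft: any request for the spinstall0.aspx page, whatever the method.
        if ($r['cs-uri-stem'] -match 'spinstall0\.aspx') { $reasons += 'spinstall0.aspx request' }
        # Network indicator match (a lead, not proof; these addresses get reassigned).
        if ($KnownBadIps -contains $r['c-ip']) { $reasons += 'known ToolShell source IP' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($r['date']) $($r['time'])"   # IIS logs in UTC by default
                ClientIp = $r['c-ip']
                Method   = $r['cs-method']
                Uri      = $r['cs-uri-stem']
                Status   = $r['sc-status']
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample (not real data): one exploit POST, one key-theft GET, and
# one legitimate authenticated edit-mode request that must NOT be flagged.
$sampleText = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:01:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 312
2025-07-18 22:01:20 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 15
2025-07-18 22:02:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\alice 10.0.0.44 Mozilla/5.0 https://sp.example.com/sites/hr/default.aspx 200 0 0 80
'@
$sampleLines = $sampleText -split "`r?`n"

# Against the sample this reports the first two lines only.
Find-ToolShellRequests -LogLines $sampleLines | Format-Table -AutoSize

# Real use: point it at the server's IIS log folder, e.g.
# Get-Content "C:\inetpub\logs\LogFiles\W3SVC*\u_ex2507*.log" | Find-ToolShellRequests
```

A successful exploit POST typically returns a 200, so status code alone is not a useful filter; the Referer-plus-endpoint combination is what separates the exploit from a legitimate editor opening a web part tool pane. Run the hunt over logs going back to at least early July 2025, since exploitation predates the out-of-band updates.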
Attribution and Strategic Risk
On July 22, 2025, Microsoft formally attributed the exploitation to:
- Linen Typhoon (aka TAG-67)
- Violet Typhoon (aka RedBravo)
- Storm-2603
These groups have a track record of exploiting zero-day and n-day vulnerabilities, and prioritize internet-facing appliances for broad access.
Outlook: The current campaign is likely the initial wave of a prolonged exploitation effort. With the public release of Proof-of-Concept (PoC) code, opportunistic attackers are expected to join the campaign.
Final Recommendations
| Action | Priority |
|---|---|
| Patch all SharePoint servers with July 2025 updates | Critical |
| Enable and verify AMSI + Defender AV integration | Critical |
| Rotate all machine keys and restart IIS | Critical |
| Disconnect EOL systems from the internet | Critical |
| Deploy Microsoft Defender for Endpoint | High |
| Monitor key endpoints and analyze Defender alerts | High |
| Conduct memory-based IOC hunting | High |
| Implement IP blocklists and WAF updates | Medium |
| Migrate to SharePoint Online where feasible | Strategic |
Conclusion
The ToolShell campaign represents a highly advanced, persistent threat targeting a critical component in enterprise environments. CISOs must act decisively and comprehensively, as traditional patching is no longer enough.
Organizations that rely on on-premises SharePoint infrastructure should assume breach, validate their cryptographic integrity, and deploy layered defenses including EDR, AMSI, and threat intelligence feeds.
This is not a one-off event. It is an evolution in adversary strategy—and a stark reminder that defending enterprise environments requires proactive resilience, not reactive remediation.