SOC Incident Toolkit
SharePoint Under Siege 'ToolShell'

Tags: sharepoint, CVE-2025-53770, CVE-2025-53771, CVE-2025-49706, toolshell

On July 18, 2025, Eye Security identified active, large-scale exploitation of a new remote code execution (RCE) vulnerability chain, publicly known as "ToolShell", targeting on-premises SharePoint servers worldwide. Microsoft has assigned these vulnerabilities the identifiers CVE-2025-53770 and CVE-2025-53771, and CVE-2025-53770 is confirmed to be a variant of the previously disclosed vulnerability CVE-2025-49706.

Indicators of Compromise

Domains (3)

vpn-checkup.com
cloudlocker-drop.xyz
secureivantiupdate.net

Hashes (19)


IPv4 (45)

139.59.11.66
103.151.172.92
34.72.225.196
141.164.60.10
188.130.206.168
131.226.2.6
206.166.251.228
64.176.50.109
34.121.207.116
134.199.202.205
45.191.66.77
146.70.165.94
83.136.182.237
45.87.213.227
45.141.56.114
182.2.79.164
89.46.223.88
139.144.199.41
154.223.19.106
45.77.155.170
+25 more

APT Groups

EMISSARY PANDA

APT31

APT27

Mitigation

1. Enhanced Monitoring via Endpoint Detection and Response (EDR)

- Use your EDR solution (e.g., CrowdStrike Falcon) to closely monitor SharePoint server processes, particularly the IIS worker process (w3wp.exe), for unusual or suspicious behavior.
- Configure alerts for file-write activity involving unexpected .aspx uploads or modifications.

2. Log Analysis and Monitoring

- Regularly review IIS logs for anomalous HTTP requests, specifically:

  POST /_layouts/15/ToolPane.aspx
  Referer: /_layouts/SignOut.aspx

3. Intrusion Prevention System (IPS) and Web Application Firewall (WAF) Rules

- Configure your IPS and WAF rules to block or alert upon:
  - Unauthenticated POST requests to SharePoint administration endpoints such as /_layouts/15/ToolPane.aspx
  - HTTP requests carrying suspicious Referer headers, especially /_layouts/SignOut.aspx
  - Access attempts to anomalous .aspx files (e.g., spinstall0.aspx) or other suspiciously named files dropped by attackers.

4. Isolation and Temporary Mitigation

- Immediately isolate exposed SharePoint servers showing suspicious activity from public internet access until a thorough forensic analysis is completed.
- Validate your existing Azure AD and hybrid ADFS integrations to ensure there are no configuration weaknesses or outdated protocols.
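The following is an added example, not code from this page or from any vendor, showing how the log indicators in items 2 and 3 above can be applied to IIS W3C logs for triage. It assumes the log carries a `#Fields:` header (the column order is read from it rather than hard-coded) and that `cs-username` and `cs(Referer)` are logged; IIS writes `-` for an anonymous user and for a missing Referer. The host names, IP addresses, timestamps and log lines in `SAMPLE_LOG` are constructed for the example, and the `spinstall\d*` pattern is an assumed generalisation of the `spinstall0.aspx` name cited on the page.

```python
"""Flag ToolShell-style requests in IIS W3C logs (added example, not from the page)."""
import re
from dataclasses import dataclass, field

# Indicators taken from the mitigation guidance; matching is case-insensitive.
TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"   # POST /_layouts/15/ToolPane.aspx
SIGNOUT_SUFFIX = "/_layouts/signout.aspx"        # Referer: /_layouts/SignOut.aspx
# spinstall0.aspx is the file named on the page; the trailing \d* is an
# assumption so that similarly numbered names are also reported.
SUSPICIOUS_ASPX = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample log (hosts, IPs and times are made up). IIS replaces
# spaces inside a field with '+', so each data line splits into exactly 12 fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.23 Mozilla/5.0 - 200
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.10 Mozilla/5.0 https://sp.example/_layouts/SignOut.aspx 200
2025-07-18 14:03:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200
2025-07-18 14:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\\admin 10.0.0.41 Mozilla/5.0 https://sp.example/_layouts/15/settings.aspx 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reasons: list = field(default_factory=list)


def parse_w3c(lines):
    """Yield (line_no, record) for each data line, naming columns from the #Fields header."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield n, dict(zip(fields, parts))


def detect(lines):
    """Apply the three log indicators to every request and return the matches."""
    findings = []
    for n, rec in parse_w3c(lines):
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "").lower()
        user = rec.get("cs-username", "-")
        referer = rec.get("cs(Referer)", "-").lower().rstrip("/")
        reasons = []
        # 1. Unauthenticated (cs-username '-') POST to the ToolPane.aspx endpoint.
        if method == "POST" and stem.endswith(TOOLPANE_SUFFIX) and user == "-":
            reasons.append("unauthenticated POST to ToolPane.aspx")
        # 2. Referer pointing at SignOut.aspx (IIS logs the full URL or '-').
        if referer.endswith(SIGNOUT_SUFFIX):
            reasons.append("Referer is /_layouts/SignOut.aspx")
        # 3. Request for a suspiciously named .aspx such as spinstall0.aspx.
        if SUSPICIOUS_ASPX.search(stem):
            reasons.append("suspicious .aspx requested: " + stem.rsplit("/", 1)[-1])
        if reasons:
            findings.append(Finding(n, rec.get("c-ip", "?"), rec.get("cs-uri-stem", ""), reasons))
    return findings


def hits_by_ip(findings):
    """Group matching line numbers per client IP so isolation (item 4) can be scoped."""
    out = {}
    for f in findings:
        out.setdefault(f.client_ip, []).append(f.line_no)
    return out


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f.line_no} {f.client_ip} {f.uri}: {'; '.join(f.reasons)}")
    print(hits_by_ip(found))
```

The authenticated POST to ToolPane.aspx from an internal administrator on the last sample line is deliberately not reported: the page's rule targets unauthenticated requests, and a plain path match would page on every legitimate edit of a web part page. The Referer and `spinstall` checks fire independently, so a request that matches more than one indicator lists every reason.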