SOCRadar® Cyber Intelligence Inc. | ToolShell Campaign: New SharePoint Zero-Day (CVE-2025-53770) Triggers Widespread Exploitation
Jul 21, 2025

ToolShell Campaign: New SharePoint Zero-Day (CVE-2025-53770) Triggers Widespread Exploitation

[Update] October 23, 2025: Broader Exploitation of ToolShell Vulnerability by Chinese Threat Actors

[Update] August 5, 2025: 4L4MD4R Ransomware Campaign Targeting SharePoint ToolShell Flaws

[Update] July 25, 2025: Warlock Ransomware Deployed via ToolShell Exploits; Over 420 Vulnerable SharePoint Servers Identified

[Update] July 23, 2025: Confirmed attribution to Chinese threat groups, breach of the U.S. nuclear agency, and insights into China’s limited SharePoint exposure.

[Update] July 22, 2025: Added details on threat actor attribution and PoC exploit availability. Updated IoCs with new community-sourced indicators.

A critical zero-day vulnerability in Microsoft SharePoint, identified as CVE-2025-53770, is actively being exploited in targeted attacks. Threat actors are bypassing authentication, gaining remote code execution capabilities, and establishing persistent access using stolen cryptographic keys.

This follows the recent disclosure of the ToolShell exploit chain, which combined two SharePoint flaws to enable unauthenticated remote access. Now, with a new vulnerability being actively exploited in a similar fashion, concerns are escalating for organizations running on-premise SharePoint environments.

If your organization operates on-prem SharePoint servers, particularly those exposed to the internet, this is a priority threat. This blog breaks down CVE-2025-53770 in detail, clarifies its connections to other recent vulnerabilities, and outlines actionable mitigation steps.

What is CVE-2025-53770?

CVE-2025-53770 (CVSS 9.8) is a critical Remote Code Execution (RCE) vulnerability in Microsoft SharePoint Server caused by insecure deserialization of untrusted data. This flaw allows attackers to execute arbitrary commands remotely, without needing to authenticate.

It builds on a previously disclosed issue, initially patched by Microsoft in the July 2025 Patch Tuesday update. However, real-world attacks revealed gaps in that fix. CVE-2025-53770 is identified as a more severe variant, prompting Microsoft to issue a second patch with stronger safeguards.

CVE-2025-53770 (SOCRadar Vulnerability Intelligence)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies must apply the patch by July 21, 2025. CISA is also working with Microsoft to identify and notify impacted organizations.

CVE-2025-53771: A Related SharePoint Spoofing Vulnerability

Microsoft has also disclosed a separate but related spoofing vulnerability in SharePoint, CVE-2025-53771 (CVSS 6.3), which stems from improper limitation of pathnames.

CVE-2025-53771 (SOCRadar Vulnerability Intelligence)

How Are Attackers Exploiting CVE-2025-53770?

News of CVE-2025-53770’s exploitation surfaced shortly after reports of active attacks involving older SharePoint bugs. Security researchers had warned of a campaign, dubbed ToolShell, that chains CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (code injection) to achieve unauthenticated RCE.

CVE-2025-53770 appears to take advantage of similar trust boundaries and internal behaviors.

In CVE-2025-53770’s case, exploitation begins with deserialization of malicious input. Attackers then extract ASP.NET MachineKeys from the server, specifically the ValidationKey and DecryptionKey, and use them to craft forged __VIEWSTATE payloads. These payloads are accepted as legitimate by SharePoint, allowing attackers to maintain access and run arbitrary commands without detection.

SOCRadar’s Vulnerability Intelligence

Keep your security team informed with SOCRadar’s Cyber Threat Intelligence module, delivering real-time updates on exploited vulnerabilities and active cyberattack campaigns. With Vulnerability Intelligence, you get prioritized alerts based on emerging exploit trends, enabling faster detection and smarter patching before attackers gain the upper hand.

How Is CVE-2025-53770/CVE-2025-53771 Connected to Other SharePoint Vulnerabilities?

According to Microsoft, both CVE-2025-53770 and CVE-2025-53771 relate to the earlier vulnerabilities CVE-2025-49704 and CVE-2025-49706, which could be chained for RCE in the attack known as the ToolShell exploit. Microsoft first addressed the flaws under CVE-2025-49706 and CVE-2025-49704; as attackers found ways to bypass those fixes, the company assigned two new CVEs, CVE-2025-53770 and CVE-2025-53771, which represent variants of the original issues.

Some public reports suggest CVE-2025-53770 may have been chained with CVE-2025-53771 or even reused aspects of CVE-2025-49706, but there’s no definitive consensus. While blog posts from multiple security firms mention both newer CVEs in the context of ongoing exploitation, researchers have stated they cannot independently verify the chaining mechanisms.

What Is the ToolShell Exploit Chain?

Microsoft had released emergency patches for the two critical SharePoint vulnerabilities, CVE-2025-49706 and CVE-2025-49704; these were first discovered at the Pwn2Own Berlin contest.

  • CVE-2025-49706 (CVSS 6.5): An authentication bypass in SharePoint’s ToolPane.aspx endpoint that exploits HTTP Referer header manipulation. It allows unauthenticated access to protected resources with a single malicious request.
  • CVE-2025-49704 (CVSS 8.8): A code injection flaw that enables attackers with Site Owner privileges to execute arbitrary code due to inadequate input validation.

Together, these vulnerabilities form the ToolShell chain, allowing unauthenticated attackers to escalate privileges and achieve full RCE. The name ToolShell was coined by security researcher Khoa Dinh, who discovered the issue and highlighted the exploit’s minimal request requirement.

ToolShell allows attackers to:

  1. Skip all authentication checks
  2. Retrieve and weaponize cryptographic keys
  3. Sign malicious payloads that execute within SharePoint’s trusted context

The ToolShell exploit that combines these vulnerabilities was discovered on July 18, and cybersecurity researchers confirmed exploitation on July 19, 2025. Reports vary slightly, but at least 54 distinct organizations across different sectors are known to have been affected.

One case of exploitation, confirmed by Unit42, involved payload drops via PowerShell and theft of machine keys. Attackers have been observed targeting organizations globally, loading custom .NET modules from the IP address 96.9.125[.]147.

Who Is Affected?

Systems vulnerable to CVE-2025-53770 include:

  • SharePoint Server 2016 (pre-KB5002744)
  • SharePoint Server 2019 (pre-KB5002741)
  • SharePoint Subscription Edition (pre-16.0.18526.20424)

Only on-premise instances are vulnerable. SharePoint Online (Microsoft 365) is unaffected due to different authentication and data serialization mechanisms.

Is There a PoC Exploit Available?

Yes, a Proof-of-Concept (PoC) exploit for CVE-2025-53770 is now publicly available on GitHub. Its release lowers the technical bar for both state-sponsored and financially motivated threat actors to exploit the vulnerability at scale.

As thousands of SharePoint servers remain exposed online, experts expect widespread exploitation to intensify. So far, confirmed targets have included energy providers, Asian telecommunications firms, academic institutions, and multiple government agencies.

How Many SharePoint Servers Are Exposed?

A Shodan scan reveals over 16,000 publicly exposed SharePoint servers worldwide. The majority are located in the United States (3,960), followed by Iran (2,488), Malaysia (1,445), the Netherlands (759), and Ireland (645).

Microsoft SharePoint results on Shodan

Additionally, a collection of server data was shared on GitHub by Gregory Boddin, listing IP addresses and hostnames believed to be affected. While unverified, the list includes government and private sector domains across multiple regions, further illustrating the broad exposure of vulnerable SharePoint servers.

JSON lists IPs of ‘pwned’ SharePoint instances (GitHub)

Over 420 Vulnerable SharePoint Servers Identified

The Shadowserver Foundation, using data from a scan by @leak_ix, identified 424 SharePoint servers still vulnerable to CVE-2025-53770 and CVE-2025-53771 as of July 23. Most of the affected systems are located in the United States, followed by Iran, Germany, India, and China.

A geographic breakdown of the exposed servers was shared by Shadowserver and shows a broad global footprint of unpatched systems, many of which remain at risk for ransomware or further exploitation.

Who’s Behind the ToolShell Exploits?

Emerging analysis has linked the initial ToolShell exploitation campaign to a China-based threat actor. According to experts at Google Cloud’s Mandiant Consulting, at least one China-nexus group was responsible for some of the earliest attacks, though multiple actors have since taken advantage of the vulnerability chain.

Security firms have identified at least three waves of activity tied to ToolShell. The first wave, observed as early as July 17 (before public disclosures), targeted high-value sectors such as critical infrastructure, manufacturing, and government agencies. Subsequent waves appear to be more opportunistic, suggesting a widening pool of actors exploiting vulnerable systems.

China-Linked Threat Groups Identified

New findings have confirmed that several Chinese state-sponsored hacking groups (namely Linen Typhoon, Violet Typhoon, and Storm-2603) are actively exploiting SharePoint vulnerabilities as part of the ongoing ToolShell campaign.

Microsoft assesses with high confidence that these groups were behind the earliest waves of attacks, starting as early as July 7. Exploitation methods include reconnaissance and a forged POST request to the ToolPane.aspx endpoint, followed by malicious web shell deployment and theft of MachineKey values to maintain persistence.

China’s Limited SharePoint Exposure

Interestingly, despite being a source of widespread exploitation, China has minimal exposure to public-facing SharePoint servers. Shodan data shared by @UK_Daniel_Card on the X platform highlights the contrast between China’s external targeting activities and its own limited attack surface.

Shodan data showing exposure of other countries vs China (X)

Incomplete Fix Left Systems Exposed

Reuters reported that, although Microsoft was aware of the issue, its initial fix left systems vulnerable to exploitation, an oversight that enabled a sweeping global cyberespionage campaign.

The timeline referenced by the news outlet highlighted missed opportunities for early containment. The vulnerability was first demonstrated by a researcher at Viettel Cyber Security during the Pwn2Own contest in May, who earned a $100,000 bounty for exposing the flaw, dubbed “ToolShell.” But exploitation surged soon after Microsoft’s July 8 patch, with attackers reportedly bypassing it to compromise thousands of servers.

The news report also pointed to the broader implications of such lapses, especially given Microsoft’s past scrutiny over its handling of state-sponsored intrusions. As with the 2023 Exchange hack attributed to Chinese actors, questions around timely remediation and vendor responsibility have resurfaced.

Among the recent confirmed victims is the U.S. National Nuclear Security Administration (NNSA). While no classified information was reportedly accessed, the breach highlights the serious risks posed by these vulnerabilities. The broader campaign has affected approximately 100 organizations across sectors such as energy, finance, academia, and telecommunications.

Additional confirmed intrusions include the U.S. Department of Education, Florida’s Department of Revenue, the National Institutes of Health (NIH), and the Rhode Island General Assembly. Several European and Middle Eastern government networks have also reportedly been compromised.

Warlock Ransomware Deployed via ToolShell Exploits

New threat intelligence confirms that Storm-2603, a China-based actor previously linked to the ToolShell exploit chain, is now using these SharePoint vulnerabilities to deploy Warlock ransomware. Microsoft observed this activity beginning on July 18.

After initial access, the group extracts credentials using Mimikatz, then moves laterally within networks via PsExec, WMI, and tools from the Impacket framework. Group Policy Objects (GPOs) are modified to distribute the ransomware payload across targeted systems.

Microsoft has updated its article to reflect the ransomware deployment and has revised its mitigation instructions. The updated guidance stresses the importance of restarting IIS after applying patches, in addition to earlier recommendations.

4L4MD4R Ransomware Campaign Targeting SharePoint ToolShell Flaws

Researchers are investigating a 4L4MD4R ransomware campaign exploiting Microsoft SharePoint ToolShell vulnerabilities.

The campaign, attributed to non-state actors, deploys a loader that downloads the ransomware from attacker-controlled infrastructure after disabling Windows Defender monitoring and bypassing certificate validation via PowerShell commands.

The ransomware, linked to the open-source Mauri870 family, is designed to encrypt files and demand Bitcoin payments.

Full technical analysis, including indicators of compromise, is available in Unit 42’s report.

Broader Exploitation of ToolShell Vulnerability by Chinese Threat Actors

New findings from Symantec reveal that the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint has been exploited in a wide-ranging campaign across multiple regions and sectors.

The attacks, attributed to China-linked groups including Salt Typhoon, targeted government, telecom, finance, and education organizations in the Middle East, Africa, South America, Europe, and the U.S.

Researchers’ analysis shows that attackers used CVE-2025-53770 to install web shells, deploy the Zingdoor backdoor, and later drop ShadowPad, KrustyLoader, and the Sliver framework through DLL side-loading. They also leveraged tools such as PetitPotam, ProcDump, and Revsocks for credential theft and persistence.

The findings suggest ToolShell’s exploitation extends beyond the groups Microsoft initially identified, underscoring its continued relevance in global espionage operations.

Further technical details and related Indicators of Compromise (IOCs) are available on the research blog.

Does Patching Remove the Threat Completely?

Patching stops future exploitation routes but does not revoke access already gained by attackers. This is because Microsoft’s updates do not rotate the cryptographic keys attackers have stolen, specifically those used to sign __VIEWSTATE payloads. Without key rotation, malicious payloads remain valid, and attackers can continue to leverage stolen credentials and keys even after patching.

Moreover, because SharePoint is integrated with Microsoft platforms such as Teams, OneDrive, and Outlook, an initial breach can enable attackers to move laterally across the entire Microsoft ecosystem.

SOCRadar’s ASM module: Company Vulnerabilities

Identify vulnerable and exposed assets in your environment with SOCRadar’s Attack Surface Management. Continuously scanning your external footprint, ASM uncovers hidden attack paths and tracks emerging exploits targeting your systems, helping you stay proactive in defending against ongoing cyber threats and reducing your risk of compromise.

Mitigation and Response Guide

Given the scope and sophistication of this campaign, immediate action is essential. Here’s a step-by-step mitigation checklist:

  • Apply Microsoft’s July 2025 patches for CVE-2025-53770 and CVE-2025-53771.
  • Rotate ASP.NET MachineKey values (ValidationKey, DecryptionKey) on all SharePoint servers.
  • Restart IIS services after rotation to ensure key changes take effect.
  • Enable AMSI integration and confirm that Defender Antivirus is up-to-date.
  • Use Microsoft Defender for Endpoint or equivalent endpoint detection tools for visibility.
  • Disconnect vulnerable servers from the internet if AMSI is not available.
  • Disable __VIEWSTATE where not needed for application functionality.
  • Review all SharePoint server file directories, focusing on unexpected .aspx files or scripts.
  • Check logs for anomalous HTTP activity, especially against /ToolPane.aspx.
  • Initiate a full incident response investigation, including identity audits and lateral movement detection.
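The directory review step above, as an added example (not code from the original post or from SOCRadar): it walks the SharePoint LAYOUTS directories named in the IoC section, flags files whose name or SHA256 matches the reported ToolShell artefacts, and reports any other .aspx or .js file that is absent from a baseline you build from a known-clean server. The baseline set is an assumption you must supply, and the on-disk tree in demo() is constructed for the example.

```python
"""Review SharePoint LAYOUTS directories for unexpected .aspx and .js files."""
import hashlib
import os
import tempfile

# Artefact names and the spinstall0.aspx SHA256 reported in the IoC section.
KNOWN_BAD_NAMES = {"spinstall0.aspx", "debug_dev.js", "info3.aspx"}
KNOWN_BAD_SHA256 = {"92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"}

# LAYOUTS directories from the IoC section (16 and 15 hives).
DEFAULT_LAYOUTS = [
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
]

def sha256_of(path):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hunt_layouts(roots, baseline):
    """Return a list of (path, reason, sha256) findings.

    `baseline` is the set of lower-cased .aspx/.js file names expected under
    LAYOUTS (an assumption: build it from a known-clean server); anything
    else is reported for analyst review."""
    findings = []
    for root in roots:
        if not os.path.isdir(root):
            continue                      # hive not installed on this server
        for dirpath, _, names in os.walk(root):
            for name in sorted(names):    # deterministic report order
                path = os.path.join(dirpath, name)
                lower = name.lower()
                digest = sha256_of(path)
                if lower in KNOWN_BAD_NAMES or digest in KNOWN_BAD_SHA256:
                    findings.append((path, "known ToolShell artefact", digest))
                elif lower.endswith((".aspx", ".js")) and lower not in baseline:
                    findings.append((path, "not in baseline", digest))
    return findings

def demo():
    """Constructed tree: a baseline page, an unknown page and a planted shell name."""
    with tempfile.TemporaryDirectory() as tmp:
        layouts = os.path.join(tmp, "16", "TEMPLATE", "LAYOUTS")
        os.makedirs(layouts)
        for name in ("start.aspx", "custom.aspx", "spinstall0.aspx"):
            with open(os.path.join(layouts, name), "wb") as fh:
                fh.write(b"<%@ Page %> sample content for " + name.encode())
        return [(os.path.basename(p), why)
                for p, why, _ in hunt_layouts([layouts], {"start.aspx"})]

if __name__ == "__main__":
    for name, why in demo():
        print(why, name)
```

On a live server, call hunt_layouts(DEFAULT_LAYOUTS, baseline) and review every "not in baseline" entry, not only the known names.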

Known Indicators of Compromise (IoCs)

Security teams should search for the following indicators, which are related to CVE-2025-53770 and associated SharePoint exploitation activity:

Critical Malicious Files

  • spinstall0.aspx – Primary web shell for MachineKey extraction
    SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
  • debug_dev.js – PowerShell command output storage file
  • info3.aspx – Alternative web shell name (observed by Sophos)

File System Paths

  • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
  • C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall0.aspx

8.3 Short Name Variants of File Paths

  • C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
  • C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx

Additional Related Files

  • debug_dev.js and info3.aspx under the same LAYOUTS directories

Network and HTTP Indicators

Exploitation request POST path: 

/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx

Critical HTTP Referer header during exploit:

/_layouts/SignOut.aspx

Subsequent GET request to retrieve crypto dumper:

/_layouts/15/spinstall0.aspx

User-Agent strings used in active attacks:

  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
  • URL-encoded: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0

Abnormal or anomalous __VIEWSTATE payloads, including unexpected size or malformed signatures.

Key SHA256 Hashes

Primary web shell:

  • 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514

Supporting .NET modules (Unit42 / Eye Security):

Web shell compiled binary:

  • 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2

Additional payload:

  • 30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27

IIS Log Signatures (Anonymized Example)

  • POST request to ToolPane.aspx with DisplayMode=Edit and query a=/ToolPane.aspx
  • Referer header /_layouts/SignOut.aspx
  • Immediate GET request to /_layouts/15/spinstall0.aspx
  • HTTP response status codes sequence: 302 (redirect) followed by 200 (success)
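The log signatures above, turned into a small hunting script (an added example, not code from the original post or from SOCRadar): it parses IIS W3C log lines using the #Fields header, flags the ToolPane.aspx POST that carries the DisplayMode=Edit and a=/ToolPane.aspx query with the SignOut.aspx Referer, and then correlates the follow-up spinstall0.aspx GET per client IP. The log excerpt, its field order, timestamps and IP addresses are constructed for the example.

```python
"""Hunt for the ToolShell request sequence in IIS W3C logs."""
from collections import defaultdict

# Constructed IIS W3C excerpt; the #Fields line defines the column order and
# IIS writes spaces inside a field as '+'. Addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:41 10.0.0.5 GET /_layouts/15/start.aspx - 203.0.113.10 Mozilla/5.0 - 200
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 302
2025-07-19 03:12:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 Mozilla/5.0 /_layouts/15/start.aspx 200
"""

def parse_iis(text):
    """Yield one dict per log row, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue          # malformed row: skip rather than misalign columns
        yield dict(zip(fields, parts))

def is_toolpane_exploit_post(row):
    """Stage 1: POST to ToolPane.aspx with the ToolShell query and Referer."""
    query = row.get("cs-uri-query", "").lower()
    return (row.get("cs-method") == "POST"
            and row.get("cs-uri-stem", "").lower().endswith("/toolpane.aspx")
            and "displaymode=edit" in query
            and "a=/toolpane.aspx" in query
            and row.get("cs(Referer)", "").lower().endswith("/_layouts/signout.aspx"))

def is_webshell_fetch(row):
    """Stage 2: GET for the spinstall0.aspx web shell."""
    return (row.get("cs-method") == "GET"
            and row.get("cs-uri-stem", "").lower().endswith("/spinstall0.aspx"))

def hunt_toolshell(text):
    """Return {client_ip: [(stage, time, status), ...]} for clients that hit stage 1.

    The spinstall0.aspx GET only counts after a matching POST from the same
    client, mirroring the 302-then-200 sequence in the IoC section."""
    hits = defaultdict(list)
    for row in parse_iis(text):
        ip = row.get("c-ip")
        if is_toolpane_exploit_post(row):
            hits[ip].append(("toolpane_post", row["time"], row["sc-status"]))
        elif is_webshell_fetch(row) and ip in hits:
            hits[ip].append(("spinstall0_get", row["time"], row["sc-status"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, stages in hunt_toolshell(SAMPLE_LOG).items():
        print(ip, stages)
```

Point parse_iis at a real u_ex*.log file (IIS may rotate the #Fields header per file, which the parser handles) and treat any client that reaches stage 2 as a confirmed compromise requiring key rotation.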

Proactive threat hunting and thorough forensic analysis are essential to uncover stealthy post-exploitation activity.

Timeline of Discovery and Exploitation

  • July 8, 2025 – Microsoft releases patches for CVE-2025-49704 and CVE-2025-49706.
  • July 18, 2025 – Researchers begin observing active exploitation chaining CVE-2025-49706 and CVE-2025-49704; the campaign is dubbed ToolShell.
  • July 19, 2025 – MS-ISAC issues an advisory confirming widespread exploitation of the ToolShell vulnerabilities. Microsoft also discloses CVE-2025-53770 and releases initial guidance.
  • July 20, 2025 – CVE-2025-53771, a related spoofing flaw, is also disclosed and patched by Microsoft.
  • July 20, 2025 – CISA adds CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) Catalog.
  • July 22, 2025 – Microsoft and Mandiant attribute early exploitation to China-linked actors (Linen Typhoon, Violet Typhoon, Storm-2603).
  • July 23, 2025 – Microsoft confirms Storm-2603 has deployed Warlock ransomware using the vulnerabilities. Shadowserver identifies 424 vulnerable SharePoint servers still exposed.