Agency publishes examination of malicious software associated with SharePoint Server breach
Headline: Global Wave of ToolShell Attacks Exploits Critical SharePoint Vulnerabilities
The ongoing ToolShell attacks are targeting on-premises Microsoft SharePoint Server versions, exploiting a zero-day vulnerability chain involving two critical vulnerabilities: CVE-2025-53770 and CVE-2025-53771. These attacks have affected thousands of organizations worldwide, with about 13% of cloud environments running vulnerable self-hosted SharePoint components, and 6% of these exposed directly to the internet.
Key Exploited Vulnerabilities
- CVE-2025-53770 (CVSS 9.8) is a critical remote code execution vulnerability caused by insecure deserialization of user-controlled data.
- CVE-2025-53771 (CVSS 6.3) is a spoofing vulnerability via forged Referer headers that bypass authentication.
These two vulnerabilities are bypass variants of previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) and are actively exploited despite Microsoft's July 2025 patches.
Impact and Attack Techniques
Attackers achieve remote code execution and steal cryptographic machine keys, enabling persistent unauthorized access. Post-exploitation, web shells like spinstall0.aspx are deployed to steal keys and maintain access. Newer ToolShell variants employ in-memory payloads, stealthily leaking ASP.NET machine keys without leaving static file artifacts, evading traditional detection.
Multi-factor authentication (MFA) and single sign-on (SSO) controls are bypassed to gain privileged access. Threat actors include China-based groups exploiting these vulnerabilities for ransomware deployment.
Number of Affected Organizations
Thousands of on-premises SharePoint servers worldwide are at risk, with 13% of cloud environments running vulnerable SharePoint components, and 6% of these exposed directly to the internet, representing a large attack surface.
Detection and Defense
Recorded Future provides YARA rules and hunting packages for detecting in-memory ToolShell payloads, which can identify these stealthy attacks. Microsoft shares Indicators of Compromise (IOCs) related to web shell deployment and provides hunting queries for detection of malicious spinstall.aspx files.
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog, urging swift remediation to reduce risk. Due to the stealthy, fileless nature of newer ToolShell payloads, reliance on traditional signature or file-based detection is insufficient; memory inspection and anomaly monitoring are recommended.
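The hunting guidance above amounts to: look for requests to the spinstall0.aspx web shell, and treat the absence of a file on disk as no proof of absence. The following script is an added example, not code from CISA, Microsoft or Recorded Future; it parses IIS W3C extended logs (the format declares its own column order in a "#Fields:" line) and reports every request whose URI stem names a spinstall*.aspx file, grouped by client address. The log lines are constructed for illustration, and the "/_layouts/15/" path and the client addresses are assumptions, not indicators taken from the article.

```python
"""Hunt IIS W3C logs for requests to a ToolShell-style web shell.

Added example, not part of the original article or any vendor tooling.
The sample log below is constructed; its layout follows the IIS W3C
extended format, in which a '#Fields:' line names the columns used by
the data lines that follow it.
"""
import re
from collections import Counter

# The article names spinstall0.aspx as the deployed web shell; the pattern
# also matches close variants such as spinstall.aspx or spinstall1.aspx.
SHELL_PATTERN = re.compile(r"spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample log, not captured from a real server. IIS writes a
# '-' for empty fields and replaces spaces inside values with '+', so each
# data line splits cleanly on whitespace. The /_layouts/15/ path and the
# client addresses are assumptions for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.22 Mozilla/5.0 https://sp.example.test/ 200
2025-07-20 03:14:09 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200
2025-07-20 03:14:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200
2025-07-20 03:15:02 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\bob 10.0.0.31 Mozilla/5.0 https://sp.example.test/ 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names from the #Fields line.

    Directive lines (#Software, #Date, ...) are skipped; a data line whose
    column count does not match the header is skipped rather than risk
    misaligning columns.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def hunt_web_shell(text):
    """Return (hits, per_ip).

    hits   - log records whose cs-uri-stem names a spinstall*.aspx file
    per_ip - Counter of those hits keyed by client address (c-ip)
    """
    hits = [rec for rec in parse_w3c(text)
            if SHELL_PATTERN.search(rec.get("cs-uri-stem", ""))]
    per_ip = Counter(rec.get("c-ip", "-") for rec in hits)
    return hits, per_ip


def summarize(hits):
    """Render hits as one line each: timestamp, client, method, path, status."""
    return ["{} {} {} {} {} -> {}".format(
                r["date"], r["time"], r.get("c-ip", "-"), r["cs-method"],
                r["cs-uri-stem"], r.get("sc-status", "-"))
            for r in hits]


if __name__ == "__main__":
    found, by_ip = hunt_web_shell(SAMPLE_LOG)
    for line in summarize(found):
        print(line)
    for ip, count in by_ip.most_common():
        print("client {} touched the web-shell path {} time(s)".format(ip, count))
```

A hit here means only that a request for a file with that name reached IIS; a 200 response to an anonymous POST against such a path is what merits escalation. Because newer variants keep their payload in memory, an empty result from this log hunt should be paired with the memory-inspection and anomaly monitoring the article recommends rather than read as a clean bill of health.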
Additional Information
Dustin Childs, head of threat awareness at Trend Micro Zero Day Initiative, suggested that the vulnerability may have been leaked following its private disclosure as part of the Pwn2Own exploitation contest in May. The malware analysis report from CISA is focused on "ToolShell" attacks targeting specific Microsoft SharePoint Server versions. CISA analyzed six files, including two Dynamic-Link Libraries (.DLL), one cryptographic key stealer, and three web shells.
In summary, the ToolShell attack chain exploits critical authentication bypass and remote code execution flaws in on-premises SharePoint Server versions, affecting thousands of organizations, with active post-compromise exploitation including persistent web shells and cryptographic key theft. Detection requires the use of specialized in-memory YARA rules and IOCs, complemented by timely patching and mitigation efforts.
Sources: [1][2][3][4][5]
- Despite Microsoft's patches in July 2025, the ongoing ToolShell attacks are still actively exploiting vulnerabilities CVE-2025-53770 and CVE-2025-53771 in on-premises SharePoint Server, affecting thousands of organizations worldwide.
- The stealthy, fileless nature of newer ToolShell payloads makes reliance on traditional signature or file-based detection insufficient; thus, memory inspection and anomaly monitoring are recommended for cybersecurity defense.
- Dustin Childs, head of threat awareness at Trend Micro Zero Day Initiative, suggested that the vulnerability may have been leaked following its private disclosure; separately, CISA has published a malware analysis report on the "ToolShell" attacks.
- The ToolShell attack chain not only exploits critical authentication bypass and remote code execution flaws but also relies on stealthy techniques, such as in-memory payloads, to steal cryptographic machine keys and maintain access in on-premises and cloud environments.