ToolShell: SharePoint Zero-Day Chain Gives Hackers Full Remote Access

A new wave of zero-day attacks—collectively known as ToolShell—is actively targeting Microsoft SharePoint servers, with two vulnerabilities (CVE-2025-53770 and CVE-2025-53771) allowing unauthenticated remote code execution and identity control bypass. First observed in high-value targets across government, critical infrastructure, and manufacturing sectors, the ToolShell exploit chain has since expanded into opportunistic attacks, with early attribution pointing to China-linked threat actors.

The attack chain begins by exploiting a deserialization flaw and a spoofing/path traversal bug to gain unauthenticated access to SharePoint’s ToolPane functionality. Once inside, attackers deploy stealthy ASPX webshells like xxx.aspx and spinstall0.aspx to exfiltrate cryptographic secrets—including ASP.NET MachineKey values—without triggering alerts. In more advanced cases, attackers avoid persistent shell artifacts altogether, using in-memory modules for fileless exploitation and credential theft.

This episode dives into the full lifecycle of the ToolShell attacks:

  • How attackers rapidly evolved their tactics after initial Microsoft patches were released
  • Why SharePoint 2016 users remain at elevated risk due to the absence of a patch
  • Evidence of AMSI evasion, SSO and MFA bypasses, and credential harvesting across victim networks
  • Best practices for mitigation: patching, enabling AMSI “Full Mode”, deploying antivirus with EDR, and rotating cryptographic keys
  • Why machine key rotation is essential even post-patching to revoke compromised credentials and prevent persistent access

We’ll also discuss the role of SharePoint’s layout endpoints, how logging POST requests to /_layouts/15/ToolPane.aspx can reveal exploitation attempts, and why incident response planning and forensic readiness are now non-negotiable for organizations running on-prem SharePoint.
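One way to run the log check mentioned above, as an added example (not code from the episode or from Microsoft): it reads IIS W3C log lines using their `#Fields` header, flags POST requests to the ToolPane endpoint and any request for the webshell filenames named earlier. The log excerpt, IP addresses and field set are constructed for the example.

```python
"""Flag ToolShell-style activity in an IIS W3C log: POSTs to ToolPane.aspx and
requests for the webshell names mentioned in the write-up (constructed sample)."""
from dataclasses import dataclass

# Constructed IIS log excerpt; hosts, IPs and the reduced field set are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 08:01:02 10.0.0.5 GET /sites/hr/default.aspx - 10.0.1.20 200
2025-07-19 08:02:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 198.51.100.7 200
2025-07-19 08:02:19 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.7 200
2025-07-19 08:05:44 10.0.0.5 GET /sites/hr/_layouts/15/ToolPane.aspx - 10.0.1.21 200
"""

TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"   # also matches site-relative paths
WEBSHELL_NAMES = ("spinstall0.aspx", "xxx.aspx")  # filenames named in the text


@dataclass
class Hit:
    when: str
    client_ip: str
    method: str
    path: str
    reason: str


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):        # skip malformed/truncated records
            yield dict(zip(fields, parts))


def find_toolshell_hits(text):
    """Return Hit records for ToolPane POSTs and webshell-name requests."""
    hits = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        method = rec["cs-method"].upper()
        reason = None
        if method == "POST" and path.endswith(TOOLPANE_SUFFIX):
            reason = "POST to ToolPane endpoint"
        elif path.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            reason = "request for known webshell filename"
        if reason:
            hits.append(Hit(rec["date"] + " " + rec["time"], rec["c-ip"],
                            method, rec["cs-uri-stem"], reason))
    return hits
```

A GET to ToolPane.aspx is normal editing traffic, so only the POST is flagged; pair any hit with the machine-key rotation and IR steps listed above rather than treating it as a standalone verdict.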

The ToolShell campaign is a sobering example of how quickly adversaries can pivot in response to public disclosures—and why organizations must treat patching as a race against weaponization. If your infrastructure still relies on SharePoint Server, this is a must-listen breakdown of one of the most sophisticated exploit chains of 2025.

#ToolShell #SharePointZeroDay #CVE202553770 #CVE202553771 #MicrosoftSharePoint #RemoteCodeExecution #ZeroDayExploit #Webshell #MachineKey #CryptographicTheft #AMSI #PatchNow #AdvancedPersistentThreat #Cyberattack #Infosec #ChinaAPT #EDR #SSOBreach #MFABypass #EnterpriseSecurity #ThreatIntel #OnPremSecurity #CyberThreats