In a rapidly unfolding cyber threat campaign, multiple Chinese state-sponsored groups have been observed actively exploiting a critical vulnerability in Microsoft SharePoint, designated CVE-2025-53770. This unauthenticated remote code execution flaw, dubbed “ToolShell,” is part of a sophisticated exploit chain targeting publicly exposed, on-premises SharePoint servers. Despite Microsoft issuing emergency patches, ongoing exploitation highlights the partial effectiveness of the initial fixes and underscores the urgency for affected organizations to implement layered defense strategies.
ToolShell Exploit Chain Abuses Legacy SharePoint Endpoints to Bypass Authentication
First disclosed in July 2025, CVE-2025-53770 has a CVSS score of 9.8 and affects SharePoint Server 2016, 2019, and Subscription Edition. According to analysis from Ars Technica and Ampcus Cyber, attackers have taken advantage of legacy ASP.NET logic in the `/layouts/15/ToolPane.aspx` endpoint, exploiting insecure deserialization routines and broken authentication logic.
The exploit chain, now widely referred to as ToolShell, includes the following stages:
- Authentication Bypass : Attackers craft unauthenticated POST requests to ToolPane.aspx with manipulated `Referer` headers.
- Arbitrary File Upload : By targeting serialization flaws, attackers upload unauthorized web shells (e.g., `spinstall0.aspx`) to the SharePoint server.
- Cryptographic Key Theft : Once embedded, the shell harvests ASP.NET machine keys such as `ValidationKey` and `ValidationAlgorithm`, enabling token forgery.
- Remote Code Execution (RCE) : Using tools like ysoserial, attackers generate malicious ViewState payloads signed with the stolen keys, achieving persistent RCE without interacting with the system post-compromise.
Vulnerable Systems Targeted Prior to Patch Availability
Microsoft’s investigation revealed that exploitation occurred as early as July 7, 2025—well before the official Patch Tuesday release. Emergency patches were issued on July 19-20, but analysis from Alchemy Tech Group and Imperva confirmed that initial mitigations were incomplete for some product versions, particularly SharePoint Server 2016. Exploitation resumed post-patch using bypass techniques that sidestepped existing protections.
Censys and GreyNoise observed a surge in suspicious requests from Azure cloud infrastructure to the vulnerable ToolPane endpoint as early as July 16, further confirming that this was indeed a zero-day attack in the wild.
Chinese APT Groups Lead Targeted Exploitation Globally
Three Chinese government-linked advanced persistent threat (APT) groups—Linen Typhoon, Violet Typhoon, and the newly identified Storm-2603—have been connected to ToolShell exploitation campaigns. According to Imperva and Ars Technica, the attackers successfully breached dozens of networks across various sectors. One high-profile victim includes the U.S. National Nuclear Security Administration.
Kaspersky’s Global Research and Analysis Team noted global exploitation attempts spanning Egypt, Vietnam, Zambia, Jordan, and Russia. Their telemetry detected malware propagation and shell deployment even before CVE-2025-53770 was officially made public. Kaspersky researchers pointed out that CVE-2025-53770 appears to address flaws that were insufficiently patched in CVE-2020-1147, dating back to 2020.
Active Exploitation Possible Without User Interaction
One of the defining characteristics of ToolShell is that it enables unauthenticated RCE without any user involvement. Field Effect and Mishcon de Reya highlighted that attackers can use crafted HTTP requests to achieve deep access into enterprise environments. Once inside, attackers exfiltrate sensitive data, spread ransomware, and move laterally across networks.
Targeted data includes:
- Classified business documentation
- Proprietary intellectual property and R&D
- Confidential trading algorithms
- Patient records and healthcare data
These campaigns have affected critical infrastructure sectors including government, healthcare, manufacturing, and finance. Imperva reported over 60,000 attack attempts in a single day, with more than half targeting U.S. infrastructure, particularly in the gaming and financial domains.
Recommendations for Immediate Remediation and Detection
Organizations operating on-premises Microsoft SharePoint servers—especially versions 2016 and 2019—are strongly urged to take immediate defensive measures. Recommendations compiled from Microsoft, CISA (Cybersecurity and Infrastructure Security Agency), and several cybersecurity vendors include:
- Apply all emergency patches released after July 19, 2025, especially for SharePoint 2019 and Subscription Edition.
- Manually review your infrastructure : SharePoint 2016 remains unpatched and is still vulnerable.
- Rotate ASP.NET machine keys on all affected systems to prevent continued token forgery.
- Enable AMSI (Antimalware Scan Interface) to detect malicious payload execution.
- Scan for known web shells , such as `spinstall0.aspx`, and review for unusual processes linked to legacy ASP.NET pages.
- Monitor network logs for POST requests to `/layouts/15/ToolPane.aspx` related to spoofed `Referer` headers.
Additionally, security teams should incorporate detection rules for ysoserial payloads and closely monitor for anomalous ViewState deserialization activity.
Conclusion
The ToolShell vulnerability in Microsoft SharePoint underscores the continued challenge of securing enterprise software against complex and persistent threat actors. Rapid exploitation by Chinese threat groups, even after patch deployment, reveals a critical gap in modern patch management efficacy—particularly when incomplete fixes leave legacy components exposed.
Organizations must adopt a defense-in-depth approach that combines prompt patching with behavioral detection, cryptographic hygiene, and surface minimization to defend against evolving remote code execution threats. As exploitation continues against unpatched systems, defenders should remain vigilant for lateral movement, persistence mechanisms, and credential harvesting linked to compromised SharePoint environments.
