Tuesday, March 17, 2026

New “ToolShell” Exploit Chain Attacking SharePoint Servers to Gain Complete Control

Organizations are being warned about an active campaign targeting on-premises Microsoft SharePoint servers with a sophisticated exploit chain dubbed “ToolShell.”

The attacks combine previously patched vulnerabilities with new zero-day exploits to achieve complete remote control of enterprise systems, prompting CISA to add the associated CVEs to its catalog of Known Exploited Vulnerabilities.

The ToolShell campaign chains four vulnerabilities affecting on-premises Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition; SharePoint Online in Microsoft 365 is not affected.

Threat actors are chaining two previously patched vulnerabilities, CVE-2025-49704 (a code-injection flaw) and CVE-2025-49706 (an authentication bypass), with two zero-day variants of them, CVE-2025-53770 and CVE-2025-53771, which bypass the original fixes. Together they give an unauthenticated attacker remote code execution on the server.

The attack begins with simple reconnaissance: curl commands and PowerShell scripts that upload system configuration information to servers controlled by the attackers.

This initial probing allows threat actors to map target environments and identify vulnerable SharePoint installations before launching more sophisticated payloads.

Security researchers note that in-the-wild exploitation has moved beyond the originally observed vector, the dropping of a web shell named “spinstall0.aspx,” indicating that multiple threat actors have weaponized these vulnerabilities and that detections keyed only on that filename are no longer sufficient.

(Figure: “spinstall0.aspx” exploitation.)

The critical severity rating reflects the potential for attackers to gain complete administrative control over affected SharePoint servers, which often contain sensitive corporate data and serve as gateways to broader network infrastructure.
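The article's own indicator is the spinstall0.aspx web shell, but it also says exploitation is moving past that file, so detection should not hinge on a single filename. The following Python example is added here for this article and is not code from the article, Fortinet or Microsoft. It scans IIS W3C logs from a SharePoint front end for two patterns: any spinstall*.aspx under /_layouts/ (the wildcard is an assumption that attackers rename the shell) and the POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of /_layouts/SignOut.aspx, which is the request signature Microsoft published for this exploit chain. The log lines, hostnames and addresses are constructed.

```python
"""Scan IIS W3C logs from a SharePoint front end for ToolShell indicators.
Added example for this article; the log below is constructed, not from a real incident."""
import re
from collections import defaultdict

# Constructed IIS log excerpt (W3C extended format, default field set).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200 0 0 184
2025-07-19 10:02:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2025-07-19 10:05:00 10.0.0.5 GET /_layouts/16/spinstallb.aspx - 443 - 198.51.100.9 python-requests/2.32 - 200 0 0 28
2025-07-19 10:06:30 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jsmith 192.0.2.40 Mozilla/5.0 https://sp.example.com/ 200 0 0 120
2025-07-19 10:07:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jsmith 192.0.2.40 Mozilla/5.0 https://sp.example.com/sites/hr/default.aspx 200 0 0 90
"""

# spinstall0.aspx is the shell named in the article; matching spinstall*.aspx is an
# assumption that later variants keep the prefix.
SPINSTALL = re.compile(r"/_layouts/(?:15|16)/spinstall\w*\.aspx$", re.I)
TOOLPANE = re.compile(r"/_layouts/(?:15|16)/toolpane\.aspx$", re.I)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line (IIS encodes embedded spaces as '+', so counts normally match)
        yield dict(zip(fields, parts))


def classify(rec):
    """Return the list of reasons a record is suspicious (empty if none)."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    reasons = []
    if SPINSTALL.search(stem):
        reasons.append("web shell path (spinstall*.aspx)")
    # Microsoft's published request signature: POST ToolPane.aspx?DisplayMode=Edit
    # with the Referer pointing at /_layouts/SignOut.aspx.
    if (rec.get("cs-method") == "POST" and TOOLPANE.search(stem)
            and "displaymode=edit" in query
            and referer.endswith("/_layouts/signout.aspx")):
        reasons.append("ToolPane.aspx POST with SignOut referer")
    return reasons


def scan(text):
    """Group hits by client IP so each source can be pivoted on as a unit."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        for reason in classify(rec):
            hits[rec["c-ip"]].append((rec["time"], rec["cs-method"], rec["cs-uri-stem"], reason))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        print(ip)
        for ev in events:
            print("   ", *ev)
```

The legitimate editor's POST to ToolPane.aspx on the last line is deliberately not flagged: it is authenticated and its Referer is a normal site page, so the SignOut.aspx referer is what separates the exploit request from everyday use. Point `scan()` at the concatenated `u_ex*.log` files from every web front end, since the attacker's first request and the web shell fetch can land on different servers behind a load balancer.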

ToolShell Exploit Chain

Once initial access is gained, attackers deploy sophisticated web shells designed for long-term persistence and remote command execution.

The primary tool, dubbed “GhostWebShell,” is a web shell built specifically for SharePoint's precompiled ASP.NET hosting model rather than a generic ASP.NET shell dropped onto disk.

GhostWebShell operates by embedding a Base64-encoded ASP.NET page that exposes a command parameter allowing attackers to execute arbitrary system commands remotely.

The malicious code captures both standard output and error messages, providing attackers with interactive console access over HTTP connections. This effectively transforms the compromised SharePoint server into a remotely accessible command shell.

(Figure: decoded content of the embedded ASP.NET page.)

SharePoint runs as a precompiled ASP.NET application, and in that mode the runtime refuses both to compile new pages and to register additional VirtualPathProviders. To get around this, the web shell uses reflection to temporarily clear the internal BuildManager precompilation flag, registers a custom VirtualPathProvider while the check is disabled, and then serves its malicious page from memory rather than from a file on disk.

This gives it fileless-style operation: no new .aspx file appears under the web root for file-integrity monitoring to catch, because the page is injected from memory into the ASP.NET pipeline.
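A defender who recovers a suspect .aspx or .cs artifact from a SharePoint server needs to see what the embedded Base64 page does before deciding it is a shell. The Python triage helper below is an added example written for this article, not GhostWebShell or any Fortinet code: it pulls Base64 runs out of an artifact, decodes the ones that are text, and flags the .NET APIs the article describes (process start with a request-supplied command, stdout/stderr capture, BuildManager reflection, VirtualPathProvider registration, MachineKeySection access). The sample artifact is constructed for the demonstration and is not functional malware; the field name in its GetField call is a placeholder.

```python
"""Triage helper: find Base64-embedded ASP.NET/C# in a suspect artifact and flag the
API usage the ToolShell web shells are described as relying on.
Added example for this article; the sample artifact is constructed, not real malware."""
import base64
import binascii
import re

# .NET API names grouped by the behaviour they suggest.
INDICATORS = {
    "command execution": ["Process.Start", "ProcessStartInfo", "cmd.exe", "powershell"],
    "request-driven command parameter": ['Request["cmd"]', "Request.QueryString", "Request.Form"],
    "stdout/stderr capture": ["StandardOutput", "StandardError", "RedirectStandardOutput"],
    "precompilation bypass via reflection": ["BuildManager", "BindingFlags.NonPublic", "GetField(", "SetValue("],
    "in-memory page provider": ["VirtualPathProvider", "RegisterVirtualPathProvider"],
    "machine key theft": ["MachineKeySection", "GetApplicationConfig", "ValidationKey", "DecryptionKey"],
}

# Runs of Base64 alphabet long enough to be a payload rather than an identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_blobs(text, min_printable=0.9):
    """Return decoded Base64 runs that look like text (mostly printable ASCII)."""
    blobs = []
    for m in B64_RUN.finditer(text):
        s = m.group(0)
        s += "=" * (-len(s) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded = raw.decode("utf-8", errors="replace")
        printable = sum(c.isprintable() or c in "\r\n\t" for c in decoded) / max(len(decoded), 1)
        if printable >= min_printable:
            blobs.append(decoded)
    return blobs


def triage(artifact):
    """Return {behaviour: [matched indicators]} over the artifact plus its decoded blobs."""
    corpus = artifact + "\n" + "\n".join(decode_blobs(artifact))
    hits = {}
    for behaviour, needles in INDICATORS.items():
        found = [n for n in needles if n in corpus]
        if found:
            hits[behaviour] = found
    return hits


# Constructed sample: an inner ASP.NET page that runs Request["cmd"] and returns
# stdout+stderr, embedded as Base64 in a loader that pokes BuildManager via reflection.
_INNER = r'''<%@ Page Language="C#" %><script runat="server">
void Page_Load(object s, EventArgs e) {
  var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["cmd"]);
  psi.RedirectStandardOutput = true; psi.RedirectStandardError = true;
  var p = System.Diagnostics.Process.Start(psi);
  Response.Write(p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd());
}</script>'''
SAMPLE_ARTIFACT = (
    "// constructed loader for the example, not real malware\n"
    'string page = "' + base64.b64encode(_INNER.encode()).decode() + '";\n'
    'var f = typeof(System.Web.Compilation.BuildManager).GetField("placeholderFlag", '
    "BindingFlags.NonPublic | BindingFlags.Static);\n"
    "System.Web.Hosting.HostingEnvironment.RegisterVirtualPathProvider(new GhostVpp(page));\n"
)

if __name__ == "__main__":
    for behaviour, found in triage(SAMPLE_ARTIFACT).items():
        print(f"{behaviour}: {', '.join(found)}")
```

Substring matching is deliberately crude: the goal is to get an analyst to the decoded page quickly, not to classify it automatically. Obfuscated shells that split strings or build API names at runtime will slip past the indicator list, so treat an empty result on a suspicious file as "decode and read it by hand", not as a clean bill.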

Data Harvesting Capabilities

The attack toolkit includes a second component called “KeySiphon,” designed for extensive reconnaissance and credential harvesting.

This module systematically fingerprints the compromised host, collecting logical drives, machine name and hardware details, system directories, CPU configuration, uptime, local user accounts, and the operating system version.

More critically, KeySiphon extracts the ASP.NET machine keys from the SharePoint application by calling the non-public “MachineKeySection.GetApplicationConfig()” method through reflection, which returns the effective validation and decryption keys.

With those validation and decryption keys an attacker can forge authentication tokens, craft ViewState that passes MAC validation and is then deserialized by the server, and decrypt protected data within the application domain. Because the keys are farm configuration rather than session state, this access survives patching until the keys are rotated.

Organizations are urged to apply the available security patches immediately, rotate the ASP.NET machine keys on every patched SharePoint server (patching alone does not invalidate keys that were already stolen), and implement layered detection. FortiGuard Labs has released IPS signatures and blocked known indicators of compromise; security teams should still prioritize IIS log review and network monitoring to find intrusions that predate signature coverage.
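To make concrete why stolen machine keys matter after the patch is applied, here is a Python model of ASP.NET ViewState MAC validation. It is example code added for this article, not KeySiphon or any Microsoft code, and it simplifies the real scheme: ASP.NET 4.5+ derives per-purpose subkeys from the validation key and mixes a page-specific modifier into the MAC, whereas here the tag is a plain HMAC-SHA256 over a constructed payload, and the "malicious" payload is a placeholder string rather than a deserialization gadget. The keys are generated at random each run.

```python
"""Simplified model of ASP.NET ViewState MAC protection, showing why stolen
validation keys let an attacker forge state and why key rotation revokes that.
Added example for this article; the scheme is simplified (no SP800-108 subkeys,
no page modifier) and the payloads are placeholders."""
import base64
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output


def mac(validation_key: bytes, payload: bytes) -> bytes:
    """Integrity tag the server appends to serialized ViewState."""
    return hmac.new(validation_key, payload, hashlib.sha256).digest()


def seal(validation_key: bytes, payload: bytes) -> str:
    """What the server emits in __VIEWSTATE: base64(payload || tag)."""
    return base64.b64encode(payload + mac(validation_key, payload)).decode()


def verify(validation_key: bytes, blob: str) -> Optional[bytes]:
    """Server-side check on postback; None models 'Validation of viewstate MAC failed'.
    Only after this check passes does ASP.NET deserialize the payload."""
    raw = base64.b64decode(blob)
    if len(raw) < TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(validation_key, payload)):
        return None
    return payload


def demo() -> dict:
    """Walk through theft, forgery, tampering, and rotation; return the outcomes."""
    server_key = os.urandom(64)  # the farm's validationKey (constructed at random)
    legit = seal(server_key, b"legitimate page state")

    # KeySiphon-style theft: the attacker now holds the same key bytes as the server,
    # so anything they seal is indistinguishable from server-issued state.
    stolen_key = server_key
    forged = seal(stolen_key, b"<attacker-chosen serialized object graph>")  # placeholder

    # Contrast: tampering WITHOUT the key. Flip one bit in the legitimate payload.
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode()

    # Remediation: new validationKey rolled out after patching.
    rotated_key = os.urandom(64)

    return {
        "legit_accepted": verify(server_key, legit) is not None,
        "forged_accepted_before_rotation": verify(server_key, forged) is not None,
        "tampered_accepted": verify(server_key, tampered) is not None,
        "forged_accepted_after_rotation": verify(rotated_key, forged) is not None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged blob is accepted for as long as the server keeps the key the attacker copied, and rejected the moment the key is rotated; nothing in the patch changes that. Expect a burst of "Validation of viewstate MAC failed" warnings in the application event log right after rotation from users with in-flight postbacks, and treat the same warning appearing before rotation, from a source that also touched /_layouts/, as a possible sign of forgery attempts with a wrong or partial key.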

The active exploitation of these vulnerabilities demonstrates that SharePoint servers remain high-value targets requiring immediate attention from enterprise security teams.


Ethan Brooks
Ethan Brooks is a senior cybersecurity journalist passionate about threat intelligence and data privacy. His work covers cyber attacks, hacking, security culture, and cybercrime for The Cyber News.
