Security researchers and national Computer Emergency Response Teams (CERTs) worldwide issued urgent alerts on July 19-20, 2025, regarding active exploitation of critical vulnerabilities in on-premise SharePoint servers.
The attack campaign, dubbed “ToolShell,” exploits a chain of five interconnected vulnerabilities that allow attackers to gain complete control of unpatched servers without authentication.
The Vulnerability Chain and Initial Response
The ToolShell attack leverages two primary vulnerabilities: CVE-2025-49704, an untrusted data deserialization flaw, and CVE-2025-49706, a spoofing vulnerability that bypasses authentication mechanisms.
The exploitation targets the “/_layouts/15/ToolPane.aspx” endpoint, utilizing a logic bug in SharePoint’s PostAuthenticateRequestHandler method that can be triggered when the HTTP “Referrer” header equals specific sign-out page paths.
Kaspersky’s analysis revealed that widespread exploitation began on July 18, 2025, affecting government, finance, manufacturing, forestry, and agriculture sectors across Egypt, Jordan, Russia, Vietnam, and Zambia.
The company’s telemetry data indicates that attackers utilized a straightforward POST request containing malicious XML markup that exploits unsafe deserialization via the ExcelDataSet control.
Microsoft initially released patches on July 8, 2025, but researchers discovered these fixes were incomplete.
The authentication bypass (CVE-2025-49706) could be circumvented by simply adding a forward slash to the ToolPane.aspx path, leading to the identification of CVE-2025-53771.
Similarly, the deserialization vulnerability fix required manual configuration updates that many administrators likely missed, prompting CVE-2025-53770.
Technical Exploitation Details and Broader Implications
The attack exploits SharePoint’s integrated IIS authentication mode, manipulating authentication flags to bypass security checks.
The malicious payload employs the well-known ExpandedWrapper technique for .NET XML deserialization attacks, placing malicious objects within lists to circumvent Microsoft’s XmlValidator protections.
Notably, security experts identified striking similarities between ToolShell and the 2020 CVE-2020-1147 vulnerability, with exploits being nearly identical except for the list placement technique.
This suggests the current vulnerabilities represent an evolution of previously known attack vectors rather than entirely novel exploitation methods.
Microsoft released comprehensive patches on July 20, 2025, addressing both the authentication bypass (CVE-2025-53771) and implementing proper XML validation (CVE-2025-53770).
The updated fixes include allowlisting specific paths for sign-out referrers and enhanced type validation in the XmlValidator component.
Security researchers warn that, despite available patches, ToolShell attacks will likely persist for years, much like other notorious vulnerabilities, such as EternalBlue and PrintNightmare.
Organizations must prioritize rapid patch deployment, as the exploit’s simplicity and public availability make unpatched systems extremely vulnerable to compromise.
 worldwide issued urgent alerts.){kind=link}