Urgent Alert: New ‘ToolShell’ Exploit Actively Compromising Microsoft SharePoint Servers


Organizations worldwide are urged to patch their on-premises Microsoft SharePoint servers immediately following the discovery of a critical zero-day vulnerability, dubbed "ToolShell," that is being exploited in widespread attacks. The exploit chain gives an unauthenticated attacker remote code execution (RCE) on the server and, from there, full control of the SharePoint farm.

Dutch cybersecurity firm Eye Security identified active exploitation on July 18, 2025, and noted how quickly the chain went from proof of concept to mass weaponization. The "ToolShell" chain (CVE-2025-49706 and CVE-2025-49704) was publicly detailed on July 15, 2025, by CODE WHITE GmbH; within 72 hours threat actors were running coordinated attacks, and a second, distinct wave followed on July 19, 2025.

"ToolShell" is not itself a web shell. The chain reaches SharePoint's `/_layouts/15/ToolPane.aspx` endpoint without authentication and uses it to execute code on the server, and the observed payloads read the server's ASP.NET machine keys (the ValidationKey and DecryptionKey). With those keys an attacker can sign and encrypt their own `__VIEWSTATE` payloads, which the server then deserializes as trusted input. That is why access survives patching: the code-execution bug is fixed, but forged payloads stay valid until the stolen keys are rotated.

Microsoft has acknowledged the active exploitation, assigned a new CVE identifier (CVE-2025-53770) for the variant being used in the wild, and released security updates for it in July 2025. Affected products are SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition; SharePoint Online (Microsoft 365) is not affected. Microsoft urges customers to apply the updates immediately.

Crucially, applying the patch does not evict an attacker who has already compromised the server, and Eye Security's scans have already found dozens of compromised hosts. Organizations must therefore treat patching as the first step, not the last: assume the machine keys of any exposed server have been read, rotate the ASP.NET machine keys after patching and restart IIS so that previously forged payloads stop validating, run a compromise assessment, search logs for indicators of compromise (IoCs) such as the identified malicious IPs (107.191.58.76 and 104.238.159.149) and unauthenticated POST requests to `/_layouts/15/ToolPane.aspx`, and put detection in place to confirm the attacker is fully expelled.
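The log review described above, as an added example that is not part of the original article or of any vendor tooling: a small triage script for IIS W3C logs that flags the published IoC addresses and suspicious POSTs to `ToolPane.aspx`. The log lines are constructed for the example; the field layout follows the standard IIS W3C format (unauthenticated requests log `-` in `cs-username`), and the check for a `Referer` of `/_layouts/SignOut.aspx` reflects the publicly shared hunting guidance for this campaign rather than anything stated on this page.

```python
"""Triage IIS W3C logs for ToolShell-style requests.

Added example for this article; the SAMPLE_LOG below is constructed, and the
IoC list is the two addresses named in the text.
"""

# Published IoC source addresses (from the article).
IOC_IPS = {"107.191.58.76", "104.238.159.149"}

# Constructed sample log in IIS W3C format. Line 2 is the attack pattern
# (unauthenticated POST to ToolPane.aspx in edit mode from an IoC address);
# line 3 is a legitimate authenticated admin edit of the same page.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.20 Mozilla/5.0 - 200
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-18 14:10:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.30 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200
"""


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log data encountered before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def triage(rows):
    """Return findings for rows matching the IoC list or the ToolPane.aspx pattern.

    Severity is "high" when the request comes from an IoC address, is
    unauthenticated, or carries the SignOut.aspx Referer; an authenticated
    edit-mode POST from an unknown address is "low" (normal admin activity,
    worth a glance only).
    """
    findings = []
    for r in rows:
        reasons = []
        high = False
        ip = r.get("c-ip", "")
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        referer = r.get("cs(Referer)", "-").lower()

        if ip in IOC_IPS:
            reasons.append("source IP in published IoC list")
            high = True

        if r.get("cs-method") == "POST" and stem.endswith("/_layouts/15/toolpane.aspx"):
            if "displaymode=edit" in query:
                reasons.append("POST to ToolPane.aspx in edit mode")
            if r.get("cs-username", "-") == "-":
                reasons.append("ToolPane.aspx POST without an authenticated user")
                high = True
            if referer.endswith("/_layouts/signout.aspx"):
                reasons.append("Referer is SignOut.aspx (published auth-bypass pattern)")
                high = True

        if reasons:
            findings.append({
                "when": f"{r.get('date', '?')} {r.get('time', '?')}",
                "c-ip": ip,
                "severity": "high" if high else "low",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_iis_log(SAMPLE_LOG)):
        print(f["severity"].upper(), f["when"], f["c-ip"], "; ".join(f["reasons"]))
```

Point the script at the real log directory (typically `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*`) by reading each file into `parse_iis_log`. Note that `cs(Referer)` is not always enabled in IIS logging; if the `#Fields` header lacks it, the Referer check simply never fires and the unauthenticated-POST and IoC checks still carry the detection.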


Disclaimer: This content is aggregated from public sources online. Please verify information independently. If you believe your rights have been infringed, contact us for removal.