The Cybersecurity and Infrastructure Security Agency (CISA) has released an in-depth Malware Analysis Report warning of a sophisticated exploitation campaign targeting on-premises Microsoft SharePoint servers. The exploit chain, dubbed ToolShell, leverages multiple zero-day and known vulnerabilities to install stealthy webshells, extract cryptographic secrets, and gain persistent remote access.
According to CISA, threat actors have successfully chained the following CVEs to compromise SharePoint environments:
- CVE-2025-49706 (Improper Authentication): A network spoofing vulnerability.
- CVE-2025-49704 (Code Injection): A remote code execution (RCE) flaw.
- CVE-2025-53770 (Deserialization of Trusted Data): Used to bypass previous mitigations.
- CVE-2025-53771 (Improper Authentication): Exploitation not confirmed by Microsoft but deemed likely by CISA.
"According to Microsoft, cyber threat actors have chained CVE-2025-49706 and CVE-2025-49704 in an exploit chain known as 'ToolShell' to gain unauthorized access to on-premise SharePoint servers," CISA reports. Even though CVE-2025-53771 has not been confirmed exploited, CISA assesses that it "can be chained with CVE-2025-53770 to bypass previously disclosed vulnerabilities."
CISA analyzed six malicious files, including .NET DLLs and ASPX webshells designed for credential theft, system reconnaissance, and command execution.
- The DLLs (osvmhdfl.dll and bjcloiyq.dll) use reflection to access MachineKeySection and extract cryptographic keys like ValidationKey and DecryptionKey.
- ASPX files such as spinstall0.aspx and info3.aspx are used to output the machine key information and deploy malicious payloads via PowerShell.
- The webshells (spinstallp.aspx, spinstallb.aspx) implement a wide range of backdoor capabilities, allowing command execution, cookie manipulation, and file uploads.
These ASPX webshells are capable of setting and retrieving HTTP cookies, executing PowerShell commands, and saving files to disk, enabling full command-and-control capabilities.
CISA has provided YARA and SIGMA rules to help organizations detect the encoded DLLs and ASPX webshell activity. The threat actors behind ToolShell utilized legitimate user agents and masqueraded traffic under normal HTTP requests to evade detection.
One SIGMA rule specifically targets the new ToolShell component dubbed SharpyShell, which "extracts and leaks cryptographic secrets from the SharePoint server using a simple GET request."
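As an added illustration of the log-inspection step, not code from CISA's report, the following Python scans IIS W3C log records for requests to the webshell file names the report lists and groups hits by client address. The log lines, IP addresses and the `/_layouts/15/` directory are constructed for the example, so matching is on the file name alone; CISA's YARA and SIGMA rules remain the authoritative detections.

```python
from collections import Counter

# Webshell file names taken from the article above; the DLL names are not
# visible in web logs, so only the ASPX names are matched here.
TOOLSHELL_WEBSHELLS = {"spinstall0.aspx", "info3.aspx", "spinstallp.aspx", "spinstallb.aspx"}

# Constructed IIS W3C log excerpt (IPs from RFC 5737 documentation ranges).
# IIS writes user agents with '+' in place of spaces, so records stay space-separated.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-07-19 03:12:44 10.0.0.5 POST /_vti_bin/client.svc - 443 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-19 03:12:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-19 03:15:02 10.0.0.5 GET /sites/hr/default.aspx - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-19 03:20:11 10.0.0.5 GET /_layouts/15/SPINSTALLP.aspx - 443 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_w3c(lines):
    """Yield one dict per request record, keyed by the names in the #Fields line."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # directives, blanks, or records before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def find_webshell_hits(lines):
    """Return records whose requested file is one of the named webshells.

    Only the last path component is compared, case-insensitively, because the
    drop directory may differ and the report notes the actors used legitimate
    user agents, so the User-Agent field is not a useful discriminator.
    """
    hits = []
    for rec in parse_w3c(lines):
        name = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if name in TOOLSHELL_WEBSHELLS:
            hits.append(rec)
    return hits


def hits_by_client(lines):
    """Count webshell requests per client IP; a 200 status means the shell answered."""
    return Counter(rec["c-ip"] for rec in find_webshell_hits(lines) if rec["sc-status"] == "200")
```

Point the functions at a real `u_ex*.log` from the SharePoint web front end by passing `open(path)` in place of `SAMPLE_LOG.splitlines()`.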
Although attribution remains unconfirmed, multiple threat actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, are suspected of exploiting these vulnerabilities in recent campaigns. The attack chain poses a high risk to organizations relying on outdated or unpatched SharePoint servers.
CISA urges organizations to:
- Apply Microsoft's security updates and guidance
- Inspect logs for IOCs and anomalous PowerShell activity
- Deploy the shared YARA and SIGMA rules for early detection
- Audit machine key configurations and restrict outbound access from SharePoint servers