New “ToolShell” Exploit Targets SharePoint Servers for Full Takeover

FortiGuard Labs has identified a critical new exploit chain dubbed “ToolShell” that is actively being used by multiple threat actors to target on-premises Microsoft SharePoint servers.

This sophisticated attack combines two previously patched vulnerabilities with two fresh zero-day variants to achieve complete remote code execution and system takeover.

| CVE Number | Status | Description |
| --- | --- | --- |
| CVE-2025-49704 | Previously Patched | SharePoint vulnerability used in exploit chain |
| CVE-2025-49706 | Previously Patched | SharePoint vulnerability used in exploit chain |
| CVE-2025-53770 | Zero-Day | New SharePoint vulnerability for remote code execution |
| CVE-2025-53771 | Zero-Day | New SharePoint vulnerability for remote code execution |

The Cybersecurity and Infrastructure Security Agency (CISA) has already added these CVEs to its catalog of Known Exploited Vulnerabilities due to the escalating threat level and active exploitation in the wild.

The ToolShell campaign represents a significant escalation in SharePoint-targeted attacks, leveraging a combination of four distinct vulnerabilities to bypass security measures and establish persistent access to enterprise servers.

[Figure: “spinstall0.aspx” exploitation]

Threat actors are exploiting these flaws to deploy sophisticated web shells and reconnaissance tools that provide complete administrative control over compromised systems.

The attack specifically targets Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition, potentially affecting any organization running these platforms.

The severity has been classified as critical due to the potential for complete system compromise and the active exploitation being observed across multiple threat actor groups.

The attack utilizes two primary tools for post-exploitation activities. The first, GhostWebShell, is a sophisticated ASP.NET web shell designed for remote code execution and persistent access.

This tool embeds a Base64-encoded ASP.NET page that exposes a command parameter, allowing attackers to execute arbitrary system commands through “cmd.exe /c” operations.

The second component, KeySiphon, focuses on reconnaissance and credential harvesting.

This tool fingerprints the compromised host by collecting system information including logical drives, machine name, CPU specifications, and operating system details.

Most critically, KeySiphon extracts application validation and decryption keys, enabling attackers to forge authentication tokens and manipulate protected data.

Fortinet has released comprehensive protections against the ToolShell campaign. The FortiGuard Antivirus service detects and blocks the malware components, while an IPS signature “MS.SharePoint.ToolShell.Remote.Code.Execution” provides network-level protection.

Organizations are advised to implement rapid patching, layered network detection, and rigorous log monitoring to close exposure windows.
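As an added illustration of the log-monitoring advice above (not code from Fortinet or from the article), the following Python script scans IIS W3C log lines for the two ToolShell post-exploitation indicators the article names: requests for the spinstall0.aspx web shell file, and ASPX requests carrying a command query parameter, which is how the GhostWebShell page is described as taking its input. The log lines are constructed samples; the client addresses, the webshell-example.aspx filename and the field layout are assumptions, not observed indicators.

```python
"""Flag IIS W3C log entries matching the ToolShell indicators named in the article:
requests for 'spinstall0.aspx' and ASPX requests that carry a 'command' parameter."""
from urllib.parse import parse_qs

# Web shell filename named in the article.
WEBSHELL_NAMES = {"spinstall0.aspx"}
# GhostWebShell exposes a 'command' parameter (article); other names are assumptions.
SUSPECT_PARAMS = {"command"}

# Constructed sample log (not real traffic). Layout follows the default IIS W3C fields;
# 'webshell-example.aspx' and the client IPs are invented for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-20 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-20 03:14:08 10.0.0.5 GET /_layouts/15/listedit.aspx List=Documents 443 DOMAIN\\alice 10.0.0.77 Mozilla/5.0 - 200 0 0 60
2025-07-20 03:14:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200 0 0 45
2025-07-20 03:14:15 10.0.0.5 GET /_layouts/15/webshell-example.aspx command=whoami 443 - 203.0.113.9 python-requests/2.32 - 200 0 0 88
"""


def parse_iis_log(text):
    """Yield one dict per data row, keyed by the names in the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue  # other directives and blank lines
        values = raw.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of crashing the scan
        yield dict(zip(fields, values))


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    reasons = []
    stem = entry.get("cs-uri-stem", "").lower()
    name = stem.rsplit("/", 1)[-1]
    if name in WEBSHELL_NAMES:
        reasons.append(f"request for known web shell file {name}")
    query = entry.get("cs-uri-query", "-")
    if stem.endswith(".aspx") and query != "-":
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        hits = sorted(params & SUSPECT_PARAMS)
        if hits:
            reasons.append(f"aspx request carrying parameter(s) {hits}")
    return reasons


def scan_log(text):
    """Scan a W3C log and return one alert dict per suspicious entry."""
    alerts = []
    for entry in parse_iis_log(text):
        reasons = classify(entry)
        if reasons:
            alerts.append({
                "time": f"{entry.get('date')} {entry.get('time')}",
                "client": entry.get("c-ip"),
                "uri": entry.get("cs-uri-stem"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["uri"], "; ".join(alert["reasons"]))
```

The query-string check only sees parameters sent in the URL; a web shell that reads its command from a POST body leaves nothing in cs-uri-query, so pair this rule with file-integrity monitoring for newly created .aspx files under the SharePoint web application directories and with the IPS signature mentioned above.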

The ToolShell campaign demonstrates the continued high-value targeting of SharePoint infrastructure by sophisticated threat actors.

With active exploitation accelerating and multiple zero-day vulnerabilities involved, immediate patching and enhanced monitoring are essential for organizational security.
