ToolShell Exploit Chain Attacking SharePoint Servers to Gain Complete Control
A critical new threat targeting Microsoft SharePoint servers through a sophisticated exploit chain dubbed “ToolShell.”
This multi-stage attack combines previously patched vulnerabilities with fresh zero-day exploits to achieve complete system compromise, affecting SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Key Takeaways
1. ToolShell exploits four SharePoint CVEs (two patched, two zero-days) for complete system control
2. Deploys advanced web shells for remote command execution and cryptographic key theft
3. Patch immediately and implement detection systems to block active attacks
Vulnerability Chain Targets SharePoint Infrastructure
The ToolShell campaign leverages a dangerous combination of four CVEs to establish remote code execution capabilities.
Threat actors are exploiting two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) alongside two newly discovered zero-day variants (CVE-2025-53770 and CVE-2025-53771).
The Cybersecurity and Infrastructure Security Agency (CISA) has already added these CVEs to its Known Exploited Vulnerabilities catalog, highlighting the severity of this threat.
Initial reconnaissance involves attackers using simple CURL and PowerShell commands to probe target systems and extract system information.
The attack typically begins with the exploitation of the “spinstall0.aspx” endpoint, allowing attackers to upload configuration data to remote servers.
This probing phase enables threat actors to fingerprint target environments before deploying more sophisticated payloads.
The campaign deploys two primary malicious components: GhostWebShell and KeySiphon. GhostWebShell represents a highly sophisticated ASP.NET web shell designed for persistent remote access.
It embeds a Base64-encoded ASP.NET page that exposes a “?cmd=” parameter, enabling attackers to execute arbitrary system commands through “cmd.exe /c
The web shell employs advanced evasion techniques, temporarily manipulating internal BuildManager flags using reflection to bypass precompilation checks.
It registers a custom VirtualPathProvider for fileless operation, injecting malicious pages from memory under legitimate SharePoint paths such as “/_layouts/15/ghostfile
After command execution, the shell restores original BuildManager flags to minimize detection footprints.
KeySiphon serves as a reconnaissance tool that captures comprehensive system intelligence. It collects critical information including logical drive configurations, machine specifications, CPU core counts, system uptime, and operating system details.
Most concerning, KeySiphon extracts application validation and decryption keys through the “System.Web” namespace, specifically invoking “MachineKeySection.GetApplicationConfig()” to expose cryptographic secrets that enable authentication token forgery and ViewState manipulation.
Organizations should immediately apply available patches and implement layered detection strategies combining network monitoring, endpoint protection, and comprehensive log analysis.
Given the rapid weaponization of these vulnerabilities, security teams must prioritize SharePoint infrastructure hardening and consider implementing additional access controls to mitigate potential compromise attempts.
IOCs
IP
157[.]245[.]126[.]186
159[.]203[.]88[.]182
146[.]190[.]224[.]250
203[.]160[.]80[.]77
203[.]160[.]86[.]111
205[.]198[.]84[.]197
159[.]89[.]10[.]213
165[.]232[.]162[.]99
185[.]169[.]0[.]111
146[.]70[.]41[.]178
165[.]154[.]196[.]91
File
10e01ce96889c7b4366cfa1e7d99759e4e2b6e5dfe378087d9e836b7278abfb6
7e3fff35ef909c556bdf6d9a63f0403718bf09fecf4e03037238176e86cf4e98
0548fad567c22ccf19031671f7ec1f53b735abf93dc11245bc9ea4dfd463fe40
3adbebbc2093615bb9210bfdb8ebb0841c62426bee8820f86ff0a64d15206041
Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis-> Try ANY.RUN now
Source link
