Uncovering Five Critical Vulnerabilities in Microsoft SharePoint

Security researchers from Kaspersky have detailed a sophisticated exploit chain dubbed “ToolShell,” actively targeting on-premise Microsoft SharePoint servers worldwide.

The campaign, which has reached widespread exploitation, leverages an unauthenticated remote code execution (RCE) chain involving CVE-2025-49704 and CVE-2025-49706, enabling attackers to seize full control of vulnerable systems.

Alerts from various security firms and national CERTs highlight attacks spanning Egypt, Jordan, Russia, Vietnam, and Zambia, impacting sectors including government, finance, manufacturing, forestry, and agriculture.

Kaspersky’s proactive detection mechanisms blocked these intrusions, providing telemetry that maps the campaign’s global footprint.

Analysis of a publicly available POST request dump confirmed it delivers a malicious payload to the “/_layouts/15/ToolPane.aspx” endpoint, embedding parameters “MSOtlPn_Uri” and “MSOtlPn_DWP” that trigger deserialization flaws without authentication.

Figure: Snippet of the exploit POST request

Authentication Bypass

At the core of ToolShell is CVE-2025-49706, a spoofing vulnerability in the PostAuthenticateRequestHandler method of Microsoft.SharePoint.dll, exploiting IIS integrated mode to bypass authentication.

By setting the HTTP Referer header to a path such as “/_layouts/SignOut.aspx” (matched case-insensitively), attackers evade the unauthorized-access checks, because flags set in the handler logic suppress the exception that would otherwise be thrown.

Figure: Unauthorized access checks bypassed by the exploit

Microsoft’s patch added a case-insensitive path check for “ToolPane.aspx,” but researchers bypassed it simply by appending a trailing slash, leading to the assignment of CVE-2025-53771.

The subsequent July 20 patch enforces an allowlist of safe paths, including “/_layouts/15/SignOut.aspx” and resource files like “init.js,” restricting referrer-based bypasses.
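As an added defender-side example (not code from Kaspersky's report or from this article), the following Python snippet parses IIS W3C log lines and flags requests matching the ToolShell pattern described above: a POST to ToolPane.aspx whose Referer is a SignOut.aspx path, normalising case and the trailing slash so the CVE-2025-53771 variant is caught as well. The log lines are constructed; the POST body parameters MSOtlPn_Uri and MSOtlPn_DWP never appear in IIS logs, so the check keys on path and Referer only.

```python
from urllib.parse import unquote

# Constructed IIS W3C sample (not from the article): one benign request, one
# request matching the original ToolShell pattern, and one using the mixed-case
# trailing-slash variant that defeated the first "ToolPane.aspx" check.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) cs(Referer) sc-status").split()
SAMPLE_LOG = """#Fields: {fields}
2025-07-19 10:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.9 Mozilla/5.0 https://sp.example.test/SitePages/Home.aspx 200
2025-07-19 10:00:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 10:00:03 10.0.0.5 POST /_layouts/15/toolpane.aspx/ DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0 /_LAYOUTS/signout.aspx 200
""".format(fields=" ".join(FIELDS))


def normalize_path(path):
    """Percent-decode, lower-case and strip trailing slashes so that
    'ToolPane.aspx/' and '/toolpane.aspx' compare equal."""
    return unquote(path).lower().rstrip("/")


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def is_toolshell_candidate(rec):
    """True for a POST to ToolPane.aspx (any case, optional trailing slash)
    whose Referer ends in a /_layouts/.../SignOut.aspx path."""
    path = normalize_path(rec["cs-uri-stem"])
    referer = normalize_path(rec["cs(Referer)"])
    return (rec["cs-method"].upper() == "POST"
            and path.endswith("/toolpane.aspx")
            and "/_layouts/" in referer
            and referer.endswith("/signout.aspx"))


def find_toolshell_candidates(text):
    """Return (client IP, raw path, raw Referer) for each suspicious request."""
    return [(r["c-ip"], r["cs-uri-stem"], r["cs(Referer)"])
            for r in parse_iis_w3c(text) if is_toolshell_candidate(r)]


if __name__ == "__main__":
    for hit in find_toolshell_candidates(SAMPLE_LOG):
        print("ToolShell-pattern request:", hit)
```

A hit on a patched server is still worth triage, since the same request shape was used against both the original and the trailing-slash variant.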

Complementing this, CVE-2025-49704 exploits untrusted data deserialization in the GetPartPreviewAndPropertiesFromMarkup method, where “MSOtlPn_DWP” embeds WebPart markup instantiating the ExcelDataSet control from Microsoft.PerformancePoint.Scorecards.Client.dll.

This control’s CompressedDataTable property, decoded via Base64 and decompressed, feeds into BinarySerialization.Deserialize, allowing arbitrary method execution through an ExpandedWrapper technique in a malicious DataSet XML.

The XML embeds a dangerous type such as “System.Collections.Generic.List`1[[System.Data.Services.Internal.ExpandedWrapper`2[…]]],” circumventing the XmlValidator’s type safelist by nesting it within a list structure.

Links to Past Flaws

The initial July 8 fix for CVE-2025-49704 merely marked the ExcelDataSet control as unsafe in web.config via the AddExcelDataSetToSafeControls class, requiring manual execution of the SharePoint Products Configuration Wizard, a step omitted in Microsoft’s guidance, leaving many systems exposed.

This incomplete mitigation prompted CVE-2025-53770 on July 20, which enhances XmlValidator with robust type verification to block ExpandedWrapper exploits across controls, addressing the root deserialization issue without manual upgrades.

Notably, ToolShell echoes CVE-2020-1147, a prior .NET Framework and SharePoint RCE flaw from 2020, with nearly identical exploits differing only in the placement of the ExpandedWrapper object in a list, rendering CVE-2025-53770 an evolved patch for that legacy vulnerability.

Kaspersky’s reverse engineering revealed that altering a single byte in the request bypasses early fixes, underscoring the chain’s simplicity and potency.

These five vulnerabilities, CVE-2025-49704 (deserialization RCE), CVE-2025-49706 (authentication bypass), CVE-2025-53770 (enhanced deserialization fix), CVE-2025-53771 (bypass-resistant authentication patch), and the related CVE-2020-1147 pose ongoing risks akin to ProxyLogon or EternalBlue, as public exploits enable low-effort attacks.

Organizations must prioritize rapid patching, ideally within hours of release, and deploy endpoint security with zero-day detection capabilities to mitigate unpatched threats.
