ToolShell: Critical SharePoint RCE Actively Exploited

Summary

ToolShell is a high-severity RCE exploit actively targeting on-prem Microsoft SharePoint servers. By chaining CVE-2025-49706, CVE-2025-49704, and the new CVE-2025-53770, attackers can bypass authentication, write arbitrary files, and gain persistent access. Exploitation is widespread across government, finance, and healthcare. Immediate action is required: apply Microsoft’s emergency patches, rotate ASP.NET machine keys, enable AMSI, and scan for web shells such as spinstall0.aspx. Treat unpatched SharePoint servers as potentially vulnerable to compromise.

A dangerous remote code execution (RCE) exploit called ToolShell is actively targeting on-premises Microsoft SharePoint servers. The severity of this exploit allows attackers to bypass authentication, write arbitrary files, and execute code without valid credentials. Organizations running SharePoint 2016, 2019, or Subscription Edition are at immediate and severe risk.

Microsoft, CISA, and multiple cybersecurity researchers have confirmed active exploitation. If you manage on-prem SharePoint, this is a critical situation that demands immediate and decisive action today.

What Is ToolShell?

ToolShell is not a single vulnerability. It is a chained exploit that combines previously patched flaws with a new bypass to regain access to vulnerable servers.

1. Failed patch evasion

• CVE 2025 49706 – Authentication bypass via manipulated Referer headers
• CVE 2025 49704 – Unauthenticated arbitrary file write
• CVE 2025 53770 – A newly discovered bypass that sidesteps existing patches for the first two CVEs

2. Post-patch outbreak
   Microsoft released patches on July 19–20, 2025, for SharePoint Subscription Edition and SharePoint 2019. SharePoint 2016 remains unpatched, leaving older systems highly vulnerable.
3. Exploitation in the wild
   According to Varonis and the Microsoft Security Response Center, attackers are deploying web shells, such as spinstall0.aspx. These shells harvest ASP.NET machine keys, allowing forged tokens, persistent access, and lateral movement inside corporate networks.

Attack Timeline

Timeline Date	Event
July 17–18	Security researchers begin observing real-world exploitation, including fileless techniques.
July 19	Microsoft confirms the zero-day in a security advisory and releases emergency patches.
July 20–21	Patches issued for SharePoint 2019 and Subscription Edition. CISA adds CVE 2025 53770 to its Known Exploited Vulnerabilities (KEV) catalog.
July 21–22	Active exploitation continues, targeting high-value organizations across government, finance, healthcare, and energy sectors.

(Source: Microsoft Security Blog and Varonis)

Who Is at Risk?

Organizations running on-premises Microsoft SharePoint servers are the primary targets of ToolShell exploitation.

• SharePoint 2016 – Currently the highest risk since no official patch has been released. Systems exposed to the internet are actively being scanned and exploited.
• SharePoint 2019 and Subscription Edition – Patches are available, but unpatched or delayed updates leave servers vulnerable to active attacks.
• SharePoint Online – Not affected by this vulnerability.

Industries that report breaches include government agencies, universities, energy and utility providers, telecommunications companies, financial institutions, and healthcare organizations. These sectors are attractive targets due to their sensitive data and operational impact, making immediate patching and incident response critical.

Immediate Mitigations

Enterprises running on-prem SharePoint must act now to reduce exposure and limit potential damage. Immediate action is not just recommended, it’s necessary.

1. Patch now

Apply Microsoft’s emergency updates immediately to close the active exploit chain:

• Subscription Edition – KB5002768
• SharePoint 2019 – KB5002754
• SharePoint 2016 – No patch released yet. Disconnect these servers from internet-facing access or restrict them behind VPNs and authentication gateways until a fix becomes available.

Delaying patches significantly increases the risk of compromise, as attackers are actively scanning for vulnerable servers.

2. Enhance security post-patch

Patching alone does not remove persistence if the system was already compromised. Strengthen defenses by:

• Enabling Antimalware Scan Interface (AMSI) in SharePoint for better script-based attack detection.
• Running Microsoft Defender or equivalent EDR tools to block suspicious activity.
• Rotating ASP.NET machine keys and restarting IIS to invalidate any keys attackers may have stolen to forge authentication tokens.

3. Contain exposure

For servers that cannot be patched immediately:

• Disconnect publicly exposed SharePoint servers from the internet.
• Restrict access to trusted networks using VPNs or authentication gateways.
• Monitor for unusual authentication attempts, as attackers may already have harvested machine keys for persistent access.

4. Hunt and detect

Assume a compromise if systems were exposed before patching. Investigate for:

• Suspicious files – Check for web shells like spinstall0.aspx in the SharePoint LAYOUTS directory.
• Process anomalies – Look for execution chains such as: w3wp.exe → cmd.exe → powershell -EncodedCommand
• Use hunting guidance and tools from Microsoft Defender XDR, Rapid7, Arctic Wolf, or SentinelOne to identify lateral movement or data exfiltration attempts.

Incident response teams should collect forensic data, review IIS logs for unusual uploads, and check for unauthorized changes to machine keys.

Secure Your SharePoint Today

ToolShell highlights the growing risk of on-prem and hybrid environments. Alchemy Technology Group helps enterprises secure Microsoft 365 and related services with proven expertise in identity, threat protection, and data governance. From rapid patch validation to ongoing monitoring, we provide the strategies and tools to mitigate risk and prevent advanced attacks from impacting your business.

>Schedule Your Microsoft 365 Security Assessment