SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access

A sophisticated cyberattack campaign targeting Microsoft SharePoint servers has been discovered exploiting a newly weaponized vulnerability chain dubbed “ToolShell,” enabling attackers to gain complete remote control over vulnerable systems without authentication.

Eye Security, a Dutch cybersecurity firm, identified the active exploitation on July 18, 2025, revealing what security researchers describe as one of the most rapid transitions from proof-of-concept to mass exploitation in recent memory.

Key Takeaways

1. A critical SharePoint vulnerability (“ToolShell”) is being actively exploited, giving attackers full, unauthenticated server control.

2. The attack steals server keys to bypass security and install persistent backdoors.

3. Patch immediately and scan for existing compromise, as the patch won’t remove attackers already inside.

From Research to Weaponization in 72 Hours

The vulnerability chain combines two critical security flaws, CVE-2025-49706 and CVE-2025-49704, originally demonstrated at Pwn2Own Berlin 2025 in May by security researchers from CODE WHITE GmbH, a German offensive security firm.

The exploit remained dormant until July 15, 2025, when CODE WHITE publicly shared their detailed findings on social media platforms after Microsoft’s official patch release.

Within just 72 hours of public disclosure, threat actors had successfully operationalized the exploit for large-scale coordinated attacks.

Eye Security’s comprehensive investigation revealed that attackers began systematic mass exploitation on July 18, 2025, around 18:00 Central European Time, initially using IP address 107.191.58.76.

A second, distinct wave of attacks emerged from 104.238.159.149 on July 19, 2025, at 07:28 CET, indicating a coordinated campaign rather than a single opportunistic actor.

The ToolShell exploit bypasses SharePoint’s authentication by reaching the /_layouts/15/ToolPane.aspx endpoint without a valid session (CVE-2025-49706), which is then used to trigger the deserialization flaw (CVE-2025-49704).

Unlike conventional web shells designed primarily for command execution, the malicious payload specifically extracts sensitive cryptographic keys from SharePoint servers, including critical ValidationKey and DecryptionKey materials.

“This wasn’t your typical webshell,” explained Eye Security researchers in their detailed technical analysis. “The attacker turns SharePoint’s inherent trust in its own configuration into a powerful weapon”.

Once these cryptographic secrets are obtained, attackers can craft __VIEWSTATE payloads that carry a valid MAC, achieving remote code execution without any user credentials.

The sophisticated attack leverages techniques similar to CVE-2021-28474, exploiting SharePoint’s deserialization and control rendering processes.

By obtaining the server’s ValidationKey, attackers can sign malicious ViewState payloads that SharePoint accepts as trusted input, defeating the ViewState MAC check that would otherwise stop deserialization attacks, and the stolen keys keep working until they are rotated, regardless of whether the server has since been patched.
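The trust relationship described above, as an added example that is not part of the original article or of Eye Security’s analysis: a simplified model of ViewState MAC validation (HMAC-SHA256 over an opaque payload, not ASP.NET’s real ObjectStateFormatter encoding or key-derivation scheme). The scenario function is hypothetical and exists only to show why a leaked ValidationKey lets an attacker forge state that the server accepts, why a patch alone does not change that, and why rotating the key does.

```python
"""Simplified model of ViewState MAC trust (added example, not ASP.NET's real format)."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 digest length appended to the serialized state


def sign_viewstate(validation_key: bytes, payload: bytes) -> str:
    """Server side: MAC the serialized state with the ValidationKey and base64 it."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(validation_key: bytes, blob: str) -> Optional[bytes]:
    """Server side: return the payload only if its MAC validates under this key."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None             # real ASP.NET raises a ViewStateException here
    return payload


def tamper(blob: str) -> str:
    """Attacker without the key: flip one payload byte and hope the MAC passes."""
    raw = bytearray(base64.b64decode(blob))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def key_theft_scenario() -> dict:
    """Hypothetical walk-through: key secret -> key leaked -> patch -> key rotated."""
    server_key = secrets.token_bytes(64)            # the server's ValidationKey
    legit = sign_viewstate(server_key, b"LEGIT_STATE")
    results = {
        # While the key is secret the MAC does its job.
        "legit_accepted": verify_viewstate(server_key, legit) == b"LEGIT_STATE",
        "tampered_rejected": verify_viewstate(server_key, tamper(legit)) is None,
    }
    # The planted ASPX page hands the attacker the very same key.
    leaked_key = server_key
    forged = sign_viewstate(leaked_key, b"ATTACKER_SERIALIZED_OBJECT")  # placeholder payload
    # Patching the entry point does not change the key, so the forgery still validates.
    results["forged_accepted_after_patch"] = verify_viewstate(server_key, forged) is not None
    # Only rotating the machine key invalidates everything signed with the stolen one.
    rotated_key = secrets.token_bytes(64)
    results["forged_rejected_after_key_rotation"] = verify_viewstate(rotated_key, forged) is None
    return results


if __name__ == "__main__":
    for check, ok in key_theft_scenario().items():
        print(f"{check}: {ok}")
```

The model deliberately keeps the payload opaque: the point is not what the attacker serializes, but that any MAC scheme is only as strong as the secrecy of its key, which is why compromise assessment and key rotation belong alongside the patch.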

Eye Security’s comprehensive scan of over 1,000 SharePoint servers deployed worldwide revealed dozens of actively compromised systems across multiple organizations.

The cybersecurity firm immediately initiated responsible disclosure procedures, directly contacting all affected organizations and national Computer Emergency Response Teams (CERTs) across Europe and internationally.

ToolShell SharePoint Exploit Attack Statistics and Impact Analysis

Microsoft has officially acknowledged the active exploitation threat, assigning a new CVE identifier (CVE-2025-53770) to track the specific variant being used in live attacks.

Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.

We have outlined mitigations and detections in our blog. Our team is working urgently to release… — Security Response (@msftsecresponse) July 20, 2025

Microsoft’s July 2025 security update cycle includes fixes for CVE-2025-49704 and CVE-2025-49706 in SharePoint Server 2016, 2019, and Subscription Edition; according to the statement above, updates for the CVE-2025-53770 variant were still being prepared at the time of writing.

Organizations running on-premises SharePoint must apply the latest available security updates immediately.

The affected builds include SharePoint 2016 versions prior to 16.0.5508.1000 (KB5002744), SharePoint 2019 versions prior to 16.0.10417.20027 (KB5002741), and Subscription Edition versions prior to 16.0.18526.20424.

Microsoft states that there is no workaround that substitutes for the update; patching is the only remediation for the vulnerability itself.

SharePoint “ToolShell” Exploit Indicators of Compromise (IoCs)

IoC Type | Indicator | Description

IP Address | 107.191.58[.]76 | Source IP of the first exploit wave on July 18, 2025.

IP Address | 104.238.159[.]149 | Source IP of the second exploit wave on July 19, 2025.

User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 | User-Agent string used during exploitation; also seen URL-encoded in IIS logs.

URL / Path | POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx | Exploit path used to trigger the initial vulnerability (CVE-2025-49706).

URL / Path | GET /_layouts/15/.aspx | Request for the malicious ASPX file planted to dump cryptographic keys (filename not disclosed).

File Hash (SHA256) | 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030 | Initial web shell observed.

File Hash (SHA256) | b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70 | Another associated malicious file.

File Hash (SHA256) | fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7 | Payload specifically targeting __VIEWSTATE.
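One way to hunt for these indicators in IIS W3C logs, as an added example that is not part of the original article or of any vendor tooling: it parses the log using the #Fields: header, decodes the ‘+’-encoded User-Agent the way IIS writes it, flags the ToolPane.aspx exploit request, the two source IPs and the User-Agent from the table, and correlates any later GET for an ASPX file under /_layouts/15/ from a client that already sent the exploit POST. The log lines are constructed for the example; dropped.aspx is a placeholder name, since the real file name is not disclosed above.

```python
"""Hunt IIS W3C logs for the ToolShell indicators listed above (added example)."""
from urllib.parse import unquote_plus

# Indicators from the IoC table; the defanged "[.]" is restored for matching.
KNOWN_IPS = {ip.replace("[.]", ".") for ip in ("107.191.58[.]76", "104.238.159[.]149")}
KNOWN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) "
            "Gecko/20100101 Firefox/120.0")
TOOLPANE = "/_layouts/15/toolpane.aspx"

R_EXPLOIT = "ToolPane.aspx exploit request (CVE-2025-49706)"
R_KNOWN_IP = "known ToolShell source IP"
R_KNOWN_UA = "ToolShell User-Agent"
R_FOLLOWUP = "GET for /_layouts/15/ ASPX after exploit POST (possible planted key-dump page)"

# Constructed sample log (not real traffic); dropped.aspx is a placeholder file name.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 16:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 https://sp.example.test/ 200 0 0 120
2025-07-18 16:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 433
2025-07-18 16:03:52 10.0.0.5 GET /_layouts/15/dropped.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200 0 0 88
2025-07-19 05:28:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 curl/8.4.0 - 200 0 0 401
2025-07-19 05:30:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\bob 10.0.0.78 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 - 200 0 0 95
"""


def parse_iis(log_text):
    """Yield one dict per request, naming columns from the #Fields: directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def hunt(log_text):
    """Return (reason, client IP, URI) findings in log order."""
    findings = []
    exploit_clients = set()  # IPs that have sent the exploit-shaped POST
    for r in parse_iis(log_text):
        ip = r["c-ip"]
        stem = r["cs-uri-stem"].lower()
        query = r["cs-uri-query"]
        q = query.lower()
        ua = unquote_plus(r["cs(User-Agent)"])  # IIS writes spaces as '+'

        if (r["cs-method"] == "POST" and stem == TOOLPANE
                and "displaymode=edit" in q and "a=/toolpane.aspx" in q):
            exploit_clients.add(ip)
            findings.append((R_EXPLOIT, ip, f"{stem}?{query}"))
        if ip in KNOWN_IPS:
            findings.append((R_KNOWN_IP, ip, stem))
        if ua == KNOWN_UA:
            findings.append((R_KNOWN_UA, ip, stem))
        if (r["cs-method"] == "GET" and stem.startswith("/_layouts/15/")
                and stem.endswith(".aspx") and ip in exploit_clients):
            findings.append((R_FOLLOWUP, ip, stem))
    return findings


if __name__ == "__main__":
    for reason, ip, uri in hunt(SAMPLE_LOG):
        print(f"{ip:16} {reason}: {uri}")
```

The exploit-request rule matches on request shape rather than on IP or User-Agent, which is why the fourth sample line (unknown IP, curl) is still flagged; the IP and User-Agent rules are there for confirmation, not as the primary signal, since both change trivially between waves.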

Organizations must also conduct a thorough compromise assessment immediately: because the attack exfiltrates the server’s ValidationKey and DecryptionKey, access gained before patching survives the patch, system reboots, and routine security scans, and the ASP.NET machine keys must be rotated (followed by an IIS restart) so that ViewState signed with the stolen keys is no longer accepted.


Source: Cybersecuritynews.com

Source: https://cybersecuritynews.com/sharepoint-0-day-rce-vulnerability-exploited/
