Ethical Hacking News
ToolShell is a sophisticated attack chain that targets high-value SharePoint deployments, using a combination of previously patched vulnerabilities and custom webshells to gain persistence and access via cryptographic key theft. As enterprises continue to rely on cloud-based services like SharePoint, it's essential that they remain vigilant and take proactive measures to protect themselves against such threats.
The ToolShell attack chain is a sophisticated threat targeting high-value SharePoint deployments. The attacks started on July 17, 2025, with three distinct exploitation waves over two days. They chained two previously patched SharePoint flaws to achieve unauthenticated remote code execution. The attackers used custom webshells and PowerShell to deploy payloads and harvest sensitive data. Reports link the ToolShell attack chain to China-nexus actors and suggest nation-state involvement. Microsoft has issued emergency patches for affected SharePoint versions, urging customers to patch immediately.
The world of cybersecurity is constantly evolving, with new threats emerging every day. Recently, a sophisticated attack chain known as ToolShell has been making headlines, targeting high-value organizations in various sectors. In this article, we will delve into the details of this threat and explore what it means for enterprises.
The ToolShell attacks are believed to have started on July 17, 2025, with three distinct exploitation waves observed by SentinelOne researchers over a period of two days. The attacks targeted high-value SharePoint deployments, with a clear emphasis on persistence and access via cryptographic key theft, rather than immediate system control. This approach highlights the sophistication and cunning of the attackers.
The ToolShell attack chain combines two previously patched SharePoint flaws (CVE-2025-49704 and CVE-2025-49706) that were demonstrated at Pwn2Own Berlin. It allows unauthenticated remote code execution by exploiting a logic flaw in SharePoint's ToolPane page. Attackers use a crafted POST request to bypass authentication and run code via uploaded web components.
The attackers dropped a custom, password-protected ASPX webshell (xxx.aspx) into the SharePoint LAYOUTS directory. The shell provided authentication, command execution, and file upload through basic HTML interfaces and used SHA-512 hashing for access control. The actor tested it by executing a whoami command and saving the output to a .js file.
A second webshell (spinstall0.aspx) was observed in two attack waves on July 18-19. Both deployed the same payload, designed to extract sensitive cryptographic data. The attacks appeared manual, exploratory, and likely part of broader, ongoing preparations.
The attackers also used PowerShell to decode a Base64-encoded payload and write it to the SharePoint LAYOUTS directory. This webshell was not used for command execution; instead it harvested MachineKey values, which are critical for forging authentication tokens and maintaining access in load-balanced environments.
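As an added defender-side illustration (not code from the article or from SentinelOne), the following Python script scans constructed IIS W3C log lines for the request sequence described above: an unauthenticated POST to the ToolPane page followed by requests for an .aspx file under the LAYOUTS path that is not a known SharePoint page (such as spinstall0.aspx or xxx.aspx). The /_layouts/15/ path prefix, the allowlist of known pages and the sample IP addresses are assumptions.

```python
"""Flag the ToolShell request sequence in constructed IIS W3C log lines.
Heuristics from the article: an unauthenticated POST to the ToolPane page, then a
request for an unexpected .aspx under LAYOUTS (e.g. spinstall0.aspx, xxx.aspx)."""
import re
from collections import defaultdict

# Constructed sample log (fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs-username sc-status).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs-username sc-status
2025-07-18 03:12:01 198.51.100.23 POST /_layouts/15/ToolPane.aspx - 443 - 200
2025-07-18 03:12:09 198.51.100.23 GET /_layouts/15/spinstall0.aspx - 443 - 200
2025-07-18 08:40:11 10.0.0.15 GET /_layouts/15/start.aspx - 443 CORP\\alice 200
2025-07-19 01:03:44 203.0.113.9 POST /_layouts/15/ToolPane.aspx - 443 - 200
2025-07-19 01:04:02 203.0.113.9 POST /_layouts/15/xxx.aspx - 443 - 200
"""

TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
LAYOUTS_ASPX = re.compile(r"/_layouts/(?:\d+/)?([^/]+\.aspx)$", re.I)
# Constructed allowlist (assumption); a real deployment baselines this from a known-good server.
KNOWN_LAYOUTS_PAGES = {"toolpane.aspx", "start.aspx", "signout.aspx", "settings.aspx"}

def parse_line(line):
    """Parse one W3C log line into a dict; return None for header or short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < 9:
        return None
    date, time, ip, method, stem, _query, _port, user, status = parts[:9]
    return {"ts": f"{date} {time}", "ip": ip, "method": method.upper(),
            "stem": stem, "user": user, "status": status}

def detect(log_text):
    """Return (findings, chain_ips): per-line findings and the client IPs showing both stages."""
    findings, stages_by_ip = [], defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Stage 1: POST to ToolPane.aspx with no authenticated user (cs-username "-").
        if rec["method"] == "POST" and rec["user"] == "-" and TOOLPANE.search(rec["stem"]):
            findings.append((rec["ts"], rec["ip"], "unauthenticated POST to ToolPane.aspx"))
            stages_by_ip[rec["ip"]].add("toolpane")
        # Stage 2: any LAYOUTS .aspx that is not in the allowlist (a dropped webshell candidate).
        m = LAYOUTS_ASPX.search(rec["stem"])
        if m and m.group(1).lower() not in KNOWN_LAYOUTS_PAGES:
            findings.append((rec["ts"], rec["ip"], f"unexpected LAYOUTS page: {m.group(1)}"))
            stages_by_ip[rec["ip"]].add("layouts_page")
    chain_ips = sorted(ip for ip, s in stages_by_ip.items() if {"toolpane", "layouts_page"} <= s)
    return findings, chain_ips

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```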
The attackers also used in-memory .NET module execution without writing files to disk. Attackers delivered encoded payloads and executed them dynamically via PowerShell or .NET reflection, making detection difficult. This fileless approach suggests a highly skilled red team or nation-state actor focused on stealth and credential harvesting.
All clusters targeted high-value SharePoint deployments, with a clear emphasis on persistence and access via cryptographic key theft, rather than immediate system control. The attackers' goal appears to be to gain long-term access to sensitive data, rather than exploiting the vulnerability for its own sake.
The ToolShell attack chain is a prime example of how attackers are increasingly using sophisticated tools and techniques to evade detection.
Microsoft has issued emergency patches for SharePoint Subscription Edition and 2019, with 2016 updates pending. The company urges customers to immediately patch the vulnerability.
Attribution of the ToolShell attacks remains ongoing, but reports suggest they may be linked to China-nexus actors. SentinelOne notes that modern threat actors maximize their gains through patch diffing, rapid n-day adoption, and iterative exploit development.
SharePoint servers are attractive to threat actors for the high likelihood that they store sensitive organizational data. Beyond their value as a knowledge store, vulnerable SharePoint servers can be used to stage and deliver additional attack components to the victim organization for internal watering hole attacks.
The ease of exploitation and potential value of the data hosted on these servers make 'ToolShell' a potent and dangerous attack chain.
Related Information:
https://www.ethicalhackingnews.com/articles/ToolShell-Attacks-The-Ongoing-SharePoint-Cyber-Threat-ehn.shtml
https://securityaffairs.com/180252/hacking/sharepoint-under-fire-new-toolshell-attacks-target-enterprises.html
https://nvd.nist.gov/vuln/detail/CVE-2025-49704
https://www.cvedetails.com/cve/CVE-2025-49704/
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
Published: Tue Jul 22 12:14:48 2025 by llama3.2 3B Q4_K_M