What You Need to Know About the “ToolShell”(SharePoint) Vulnerability

If you’re managing an on-premises SharePoint server, pay very close attention. There is an actively exploited vulnerability chain known as “ToolShell,” tracked as CVE-2025-53770 and CVE-2025-53771. This isn’t a minor issue: it lets attackers take complete control of your SharePoint server without any login credentials. With that level of access they can steal your data, disrupt your operations, or deploy ransomware.

Understanding the Problem: Tricking SharePoint’s Trust

At its core, “ToolShell” stems from SharePoint deserializing data it receives without first verifying that the data can be trusted: it reconstructs whatever the request describes, even when the request is malicious. That lets an attacker run their own code on the server. In practice this flaw is chained with a second one that bypasses the login screen altogether.

Here’s why it’s such a big deal:

  • No Login Needed: Attackers don’t need a username or password. If your SharePoint server is reachable from the internet, it’s exposed.
  • Extremely Serious: The flaw is rated critical (a CVSS score of 9.8 out of 10). It can lead to total control of your server.
  • Bypassing Old Fixes: This isn’t a brand-new type of problem; it’s a new way around previous fixes for similar vulnerabilities. The attackers are persistent and keep finding new routes.
  • Only Affects Your Own Servers: If you run SharePoint Server 2016, 2019, or the Subscription Edition (or even older, unsupported versions like 2010 and 2013) on servers you manage yourself, you’re at risk. SharePoint Online (the version included with Microsoft 365) is not affected by this particular issue.

The Attack in Action: From Sneaking In to Taking Over

The “ToolShell” attack usually plays out in a few straightforward steps:

Step 1: Getting Inside (Bypassing the Login)

The attack often starts with the hacker sending a specially crafted request to your SharePoint server. A key trick they use involves manipulating something called the “Referer” header. This makes SharePoint believe the request is legitimate and coming from someone who’s already logged in, even though they aren’t.

Imagine it like this:

They send something that looks a bit like a standard web request:

POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit HTTP/1.1
Host: your-sharepoint-server.com
Referer: https://your-sharepoint-server.com/_layouts/SignOut.aspx
... (then comes the tricky part)

By placing /_layouts/SignOut.aspx in the “Referer” header, they deceive your server into treating the request as already authorized, allowing them to skip the login page.

Step 2: Planting and Running Malicious Code

Once they’ve bypassed your login, the attacker uses the core vulnerability to make SharePoint:

  • Upload a Secret File: They force your server to save a malicious web page (often named spinstall0.aspx) into a standard SharePoint folder (like C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\). Important: If you find spinstall0.aspx on your server, it’s a huge red flag⚠️. This file doesn’t belong there.
  • Make it Run: The attacker then requests that file in a web browser (e.g., http://your-sharepoint-server.com/_layouts/15/spinstall0.aspx), which makes your SharePoint server execute the hidden malicious code.
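One practical way to act on the “this file doesn’t belong there” point is to compare what is actually sitting in the LAYOUTS folder against a known-good list. The script below is an added example, not code from the original post or from Microsoft: it walks a LAYOUTS-style directory, reports every .aspx file that is either the known-bad spinstall0.aspx or simply absent from a baseline of expected product files, and records a SHA-256 and modification time for each. The BASELINE set, the helper.aspx name and the temporary directory it builds are constructed sample data; a real baseline should be generated from a clean server of the same build.

```python
"""Flag unexpected .aspx files in a SharePoint LAYOUTS folder.

Added example, not from the original post: compares the .aspx files found
under a LAYOUTS directory against a known-good baseline (assumed to be
captured from a clean server of the same build) and reports anything that
is not in the baseline, with its SHA-256 and last-modified time.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical baseline of product-shipped .aspx names (lower-cased). A real
# baseline should be generated from a clean install, not typed by hand.
BASELINE = {"toolpane.aspx", "signout.aspx", "default.aspx"}

# File name the post identifies as an indicator of compromise.
KNOWN_BAD = {"spinstall0.aspx"}


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_layouts(layouts_dir):
    """Return findings for every .aspx file that is known-bad or not in the baseline."""
    findings = []
    for root, _dirs, files in os.walk(layouts_dir):
        for name in files:
            lname = name.lower()
            if not lname.endswith(".aspx"):
                continue
            if lname in KNOWN_BAD:
                severity = "known-bad"
            elif lname not in BASELINE:
                severity = "unexpected"
            else:
                continue  # expected product file
            path = os.path.join(root, name)
            modified = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            findings.append({
                "name": name,
                "path": path,
                "severity": severity,
                "sha256": sha256_of(path),
                "modified_utc": modified.isoformat(timespec="seconds"),
            })
    return sorted(findings, key=lambda f: f["name"].lower())


def build_sample_tree():
    """Create a throwaway directory that mimics a LAYOUTS folder (constructed sample data)."""
    base = tempfile.mkdtemp(prefix="layouts_")
    samples = {
        "ToolPane.aspx": "<%@ Page %>\n",      # legitimate, in baseline
        "SignOut.aspx": "<%@ Page %>\n",       # legitimate, in baseline
        "spinstall0.aspx": "<%@ Page %>\n",    # planted file name from the post
        "helper.aspx": "<%@ Page %>\n",        # unknown file, not in baseline
        "style.css": "body {}\n",              # not .aspx, ignored
    }
    for name, body in samples.items():
        with open(os.path.join(base, name), "w") as f:
            f.write(body)
    return base


if __name__ == "__main__":
    for finding in scan_layouts(build_sample_tree()):
        print(f"{finding['severity']:10} {finding['name']:20} {finding['sha256'][:16]}...")
```

Pointing scan_layouts at the real LAYOUTS path from the post (and the matching 16 hive on newer builds) turns this into a quick triage step; the hash and timestamp are what you will want to hand to forensics if anything is flagged.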

The Main Goal: Stealing Your Server’s “Secret Key”

The point of spinstall0.aspx is to grab your SharePoint server’s “MachineKey.” Think of this as a master secret your server uses to sign and encrypt a lot of important data, including the view state and other values that keep your web pages working securely. The malicious code reads this key and sends it back to the attacker.

Reference: ASPX payload: dumping crypto (SharpyShell) https://research.eye.security/sharepoint-under-siege/

When the malicious code runs, it pulls out the ValidationKey and DecryptionKey from your server’s settings. With these, the attackers can create messages that your SharePoint server will trust as legitimate, even if they’re completely malicious.
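To see concretely why a leaked ValidationKey is so serious, and why rotating it is the fix that actually matters, here is a small model of the mechanism. This is an added example, not code from the original post or from SharePoint: ASP.NET uses the validationKey to HMAC-sign state it later trusts, so the toy server below signs a payload with HMAC-SHA256, then shows that a message signed with a copy of the key verifies exactly like a genuine one, and that after rotation neither the forged nor the old legitimate message is accepted. The keys and payload strings are constructed sample values.

```python
"""Why a leaked MachineKey matters, and why rotating it works.

Added example, not from the original post. ASP.NET uses the machine key's
validationKey to HMAC-sign state that the server later trusts (view state,
for instance). This toy model signs a payload with HMAC-SHA256 the same way,
then shows that (1) anyone holding the key can produce a signature the
server accepts, and (2) once the key is rotated that forged signature is
rejected. Keys and payloads below are constructed sample values, not real
SharePoint data.
"""
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(validation_key: bytes, payload: bytes) -> bytes:
    """Server-side signing: payload || HMAC-SHA256(validation_key, payload)."""
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload + tag


def verify(validation_key: bytes, blob: bytes):
    """Return the payload if its HMAC verifies under validation_key, else None."""
    if len(blob) < TAG_LEN:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    # compare_digest is constant-time, so a wrong tag leaks no timing information
    return payload if hmac.compare_digest(tag, expected) else None


def demo():
    """Return (before_rotation, after_rotation) verification results."""
    server_key = secrets.token_bytes(64)   # constructed stand-in for the validationKey

    legit = sign(server_key, b"state=normal-page-render")
    # Flip one bit of the legitimate tag: the server must reject it.
    tampered = legit[:-1] + bytes([legit[-1] ^ 0x01])
    # A message signed with a *copy* of the key is indistinguishable from a
    # server-issued one; that is why the MachineKey is the target.
    leaked_copy = server_key
    forged = sign(leaked_copy, b"state=attacker-controlled")

    before = {
        "legit_ok": verify(server_key, legit) is not None,
        "tampered_ok": verify(server_key, tampered) is not None,
        "forged_ok": verify(server_key, forged) is not None,
    }

    # Remediation: rotate the key (Update-SPMachineKey does this for SharePoint).
    rotated_key = secrets.token_bytes(64)
    after = {
        "legit_ok": verify(rotated_key, legit) is not None,   # old state is invalidated too
        "forged_ok": verify(rotated_key, forged) is not None,  # the stolen key no longer helps
    }
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before rotation:", before)
    print("after rotation: ", after)
```

The “legit_ok” result after rotation is the operational cost to plan for: rotating the key invalidates everything the old key signed, which is why it is done during incident response rather than casually, and why patching alone is not enough once the key has left the server.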

What Happens After They’ve Gotten In: Deep Trouble

If you have found spinstall0.aspx on your server, or seen key material returned in a response from it, assume your server may already be compromised. Your SharePoint’s “secret key” is now in the wrong hands.

What this means for your server:

  • Your Secrets Are Out: The MachineKey has been compromised, resulting in a significant security breach.
  • They Can Do Anything: The attacker can now create “trusted” messages, giving them free rein.
  • Your Services Could Stop: Further actions by the attacker, like ransomware, can shut down your operations.

Because they have that “secret key,” they can continue to sneak back in, even if you clean up the initial mess or apply patches.

The Attackers’ Next Moves (Once They’re Inside):

After gaining deep access, the bad actors usually follow a clear plan:

  1. Ensuring They Can Stay:
     • Crafting Fake Messages: Using your server’s stolen “MachineKey,” they can create malicious commands that SharePoint trusts. This lets them get back in at any time, even after you clean up the initial files or update your system.
     • Leaving Backdoors: They’ll often place more powerful tools or create hidden accounts, scheduled tasks, or rogue programs to guarantee ongoing access.
  2. Figuring Out Your Network: They’ll map your network to find other connected computers, important systems like domain controllers, and databases. They actively search for passwords and user lists to identify key targets.
  3. Gaining More Control: They’ll try to get higher-level access (like full server control or domain administrator) by stealing credentials from your server’s memory.
  4. Spreading Through Your Network: Using stolen passwords, they’ll move from the SharePoint server to other valuable systems. Your SharePoint can act as a gateway to your entire network.
  5. Achieving Their Goal: This is what all their efforts lead to:
     • Stealing Data: Finding and secretly sending sensitive information (like company secrets or customer details) out of your network.
     • Ransomware: Some groups, like “Storm-2603,” will deploy ransomware to encrypt your data and demand payment.
     • Causing Damage: Wiping data or disrupting your operations.
  6. Hiding Their Traces: They’ll try to delete or change logs (like Windows or SharePoint logs) and remove their tools to cover their tracks.

Detecting, Responding, and Remediating “ToolShell” Compromise

1. Detection (Signs of Potential Compromise):

  • spinstall0.aspx file present: This indicates a potential compromise.
  • HMAC-SHA256 in response: Seeing this string in the response returned when spinstall0.aspx is requested strongly suggests successful exploitation and MachineKey theft.
  • Unusual web requests (e.g., POSTs to ToolPane.aspx with an odd Referer such as SignOut.aspx).
  • Suspicious processes (e.g., w3wp.exe launching cmd.exe or powershell.exe).
  • Unexplained files or log anomalies.
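The request pattern described in Step 1 and the “unusual web requests” indicator above can be hunted for directly in the IIS logs. The script below is an added example, not code from the original post or from Microsoft: it parses W3C-format IIS log records using the #Fields header (so it tolerates differing field orders between sites) and applies three rules, a POST to ToolPane.aspx with DisplayMode=Edit whose Referer points at SignOut.aspx, an unauthenticated POST to ToolPane.aspx (a weaker heuristic, added here as an assumption rather than taken from the post), and any request for spinstall0.aspx. The log lines, host names and IP addresses are constructed sample data, and the fourth record is a legitimate authenticated editor action that must not be flagged.

```python
"""Scan IIS W3C logs for ToolShell request patterns.

Added example, not from the original post. It parses W3C-format IIS log
lines (field order taken from the #Fields header, so it tolerates different
site configurations) and applies three detection rules: a POST to
ToolPane.aspx with DisplayMode=Edit whose Referer points at SignOut.aspx,
an unauthenticated POST to ToolPane.aspx (weaker signal, included as a
hunting heuristic), and any request for spinstall0.aspx. The log lines and
addresses are constructed sample data.
"""
import re

# Constructed sample log: one normal GET, the suspicious ToolPane POST, the
# follow-up request for the planted file, and a legitimate authenticated
# ToolPane POST by an editor (which must not be flagged).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:15:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 https://sp.example.internal/sites/hr 200
2025-07-19 10:15:32 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.10 Mozilla/5.0 https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-19 10:15:40 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200
2025-07-19 10:16:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.78 Mozilla/5.0 https://sp.example.internal/sites/hr/_layouts/15/settings.aspx 200
"""

TOOLPANE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.I)
SIGNOUT = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.I)
PLANTED = re.compile(r"/spinstall0\.aspx$", re.I)


def parse_iis_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign
        yield dict(zip(fields, parts))


def detect_toolshell(records):
    """Return a list of findings; each names the rule, the client IP and the record."""
    findings = []
    for r in records:
        method = r.get("cs-method", "").upper()
        stem = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "").lower()
        referer = r.get("cs(Referer)", "-")
        user = r.get("cs-username", "-")

        rule = None
        if method == "POST" and TOOLPANE.search(stem) and "displaymode=edit" in query:
            if SIGNOUT.search(referer):
                rule = "toolpane-signout-referer"
            elif user == "-":
                rule = "toolpane-unauthenticated-post"  # heuristic, assumption
        elif PLANTED.search(stem):
            rule = "spinstall0-access"

        if rule:
            findings.append({
                "rule": rule,
                "client_ip": r.get("c-ip", "-"),
                "time": f"{r.get('date', '')} {r.get('time', '')}",
                "status": r.get("sc-status", "-"),
                "record": r,
            })
    return findings


if __name__ == "__main__":
    for f in detect_toolshell(parse_iis_w3c(SAMPLE_LOG)):
        print(f"{f['time']}  {f['rule']:30} client={f['client_ip']} status={f['status']}")
```

Run against a real log directory, the two hits for a single client address within seconds of each other are the sequence the post describes: the login bypass followed by the request that executes the planted file. Correlating that client IP with the server-side indicators (the file itself, w3wp.exe spawning a shell) is the next step of the investigation.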

2. Immediate Response (If Potential Compromise Suspected/Confirmed):

  • Isolate Server: Disconnect from all networks immediately.
  • Initiate Incident Response: Start your plan.
  • Call Experts: Consider digital forensics specialists.

3. Remediation and Mitigation (Cleanup & Secure):

  • Apply all the latest patches NOW.
  • CRITICAL: Rotate the SharePoint machine keys (run Update-SPMachineKey for each web application, then iisreset). Until you do, a stolen key keeps working even on a fully patched server.
  • Remove all malicious files.
  • Restore from clean backups if needed.
