Multiple Hacker Groups Exploit SharePoint 0-Day Vulnerability in the Wild

ToolShell encompasses CVE-2025-53770, a critical remote code execution (RCE) flaw allowing unauthenticated attackers to execute arbitrary code on vulnerable servers, and CVE-2025-53771, a server spoofing vulnerability that facilitates bypassing authentication mechanisms like multi-factor authentication (MFA) and single sign-on (SSO).

These issues exclusively impact supported versions of SharePoint Server 2016, 2019, and Subscription Edition, leaving SharePoint Online in Microsoft 365 unaffected.

Overview of the ToolShell Vulnerabilities

Exploitation began with attackers chaining ToolShell with previously patched vulnerabilities, including CVE-2025-49704 and CVE-2025-49706, to achieve initial access and deploy persistent webshells.

This chain enables threat actors to infiltrate restricted systems, extract sensitive data, and potentially pivot across integrated Microsoft services such as Office, Teams, OneDrive, and Outlook, amplifying the attack’s scope within enterprise networks.

Telemetry data indicates widespread attacks, with the United States accounting for 13.3% of incidents, followed by detections in Germany, Italy, and other regions globally.

Notably, China-aligned APTs, including LuckyMouse, a group known for targeting governments, telecommunications, and international organizations, have incorporated ToolShell into their operations, as evidenced by a backdoor deployment on a compromised Vietnamese system.

According to ESET researchers, while the exact infection vector remains unclear, the presence of such malware suggests either prior compromise or opportunistic chaining during exploitation attempts.

Microsoft released comprehensive patches via cumulative security updates (e.g., KB5002768 for Subscription Edition), which fully mitigate both CVEs when applied alongside enabling the Antimalware Scan Interface (AMSI) in full mode and rotating ASP.NET machine keys using PowerShell commands like Set-SPMachineKey and Update-SPMachineKey, followed by an IIS restart.

Mitigation Strategies

Post-exploitation, attackers frequently deploy malicious ASP.NET webshells, such as spinstall0.aspx (tracked as MSIL/Webshell.JS with SHA-1 F5B60A8EAD96703080E73A1F79C3E70FF44DF271), which enables command execution via cmd.exe and data exfiltration.

Additional webshell variants observed include ghostfile346.aspx, ghostfile399.aspx, ghostfile807.aspx, ghostfile972.aspx, and ghostfile913.aspx, often written to SharePoint’s Web Server Extensions directories.

Monitoring reveals exploitation originating from over a dozen IP addresses with peak activity from sources like 154.223.19.106 and 141.164.60.10, hosted by providers such as Kaopu Cloud HK Limited and The Constant Company, LLC.

These attacks involve encoded PowerShell commands spawned by w3wp.exe processes, targeting layouts folders to install backdoors.

Microsoft Defender Antivirus detects related behaviors under names like Exploit:Script/SuspSignoutReq.A and Trojan:PowerShell/MachineKeyFinder.DA!amsi, while Defender for Endpoint raises alerts for suspicious IIS worker processes and potential webshell installations.

Advanced hunting queries in Microsoft 365 Defender, such as those scanning DeviceFileEvents for spinstall0.aspx creations or DeviceProcessEvents for anomalous cmd.exe invocations with base64-encoded payloads, aid in identifying compromises.

For unpatched systems, Microsoft advises disconnecting from the internet or routing through authenticated proxies/VPNs.

To counter ongoing threats, organizations must upgrade to supported SharePoint versions, apply the latest updates immediately, ensure AMSI integration (enabled by default since September 2023 updates), deploy endpoint protection like Defender for Endpoint, and rotate machine keys to invalidate stolen credentials.

Given the rapid adoption by APTs and the exploit’s simplicity, unpatched environments remain at high risk, with expectations of increased opportunistic attacks exploiting this all-you-can-eat buffet for threat actors.

Indicators of Compromise (IoCs)