{
	"id": "6f757245-a058-4427-97a4-16dacf179d2b",
	"created_at": "2026-04-06T01:29:35.516897Z",
	"updated_at": "2026-04-10T03:22:00.889868Z",
	"deleted_at": null,
	"sha1_hash": "6eef036c95ea0d3bac1ef0c65e6d6269055d766b",
	"title": "SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84471,
	"plain_text": "SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers\r\nBy SentinelOne\r\nPublished: 2025-07-21 · Archived: 2026-04-06 01:00:00 UTC\r\nOn July 19th, Microsoft confirmed that a 0-day vulnerability impacting on-premises Microsoft SharePoint Servers, dubbed “ToolShell” (by researcher Khoa Dinh @_l0gg), was being actively exploited in the wild. This flaw has since been assigned the identifier CVE-2025-53770, along with an accompanying bypass tracked as CVE-2025-53771. These two new CVEs are being used alongside the previously patched CVEs (49704/49706) which were patched on July 8th, with PoC code surfacing by July 14th.\r\nThe advisory also confirmed emergency patches for on-prem SharePoint Subscription Edition and SharePoint Server 2019, with updates scheduled for version 2016 as well. We strongly recommend immediate patching, and following Microsoft’s recommendations of enabling AMSI detection, rotating ASP.NET machine keys, and isolating public-facing SharePoint servers until defenses are in place.\r\nSentinelOne first observed ToolShell exploitation on July 17th, ahead of official Microsoft advisories. Since then, we’ve identified three distinct attack clusters, each with unique tradecraft and objectives. In this blog, we unpack the timeline, explore these clusters, and equip defenders with best-practice mitigation strategies. At this time, we provide no attribution beyond this early clustering as research is ongoing.\r\nObserved Targets\r\nWe have observed initial ToolShell exploitation against high value organizations, with victims primarily in technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations. 
The early targets suggest that the activity was initially carefully selective, aimed at organizations with strategic value or elevated access.\r\nThe attacks that we describe in this report were targeted in nature and occurred before public disclosure of the vulnerability spurred mass exploitation efforts from a wider set of actors. We expect broader exploitation attempts to accelerate, driven by both state-linked and financially motivated actors seeking to capitalize on unpatched systems.\r\nSentinelOne has observed multiple state-aligned threat actors, unrelated to the first wave of exploitation, beginning to engage in reconnaissance and early-stage exploitation activities. Additionally, we’ve identified actors possibly standing up decoy honeypot environments to collect and test exploit implementations, as well as sharing tooling and tradecraft across known sharing platforms. As awareness spreads within these communities, we expect further weaponization and sustained targeting of vulnerable SharePoint infrastructure.\r\nTechnical Overview\r\nhttps://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/\r\nPage 1 of 5\n\nBoth previously patched CVEs (49704/49706) were first disclosed at Pwn2Own Berlin. It was later discovered that these two flaws could be paired together to produce the full RCE ‘ToolShell’ attack chain. 
The name ‘ToolShell’ refers to the initial abuse of SharePoint’s /ToolPane.aspx (CVE-2025-49704), a system page used for website configuration and management.\r\nThis vulnerability chain enables unauthenticated remote code execution by sending a crafted POST request to the URI /layouts/15/ToolPane.aspx?DisplayMode=Edit, exploiting a logic flaw in the Referer header validation. This bypass allows attackers to access SharePoint’s ToolPane functionality without authentication, ultimately leading to code execution via uploaded or in-memory web components.\r\nxxx.aspx\r\nOn July 18th, 2025 at 09:58 GMT, SentinelOne observed a single exploitation attempt where the attacker dropped a custom password-protected ASPX webshell named xxx.aspx. This activity appears to be hands-on and exploratory in nature, likely performed by a human operator rather than an automated script.\r\nThe webshell was written to the following path:\r\nC:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\xxx.aspx\r\nThis webshell provides a basic HTML interface allowing three primary functions:\r\n1. Authentication via an embedded form that sets a cookie.\r\n2. Command Execution by submitting commands through the GTaRkhJ9wz parameter, which are run via cmd.exe and returned to the client.\r\n3. File Upload via a multipart form using fields 0z3H8H8atO (file) and 7KAjlfecWF (destination path).\r\nThe shell leverages basic obfuscation and validation mechanisms, including cookie-based authentication and a hardcoded SHA512 hash to restrict access. 
The password check logic suggests the actor anticipated repeated or remote usage of the shell.\r\nAfter the webshell was dropped, the attacker issued the following commands:\r\ncmd.exe /c whoami \u003e c:\\progra~1\\common~1\\micros~1\\webser~1\\16\\template\\layouts\\info.js\r\nThe first attempt to redirect the whoami output failed due to a typo (\\templa), indicating the activity was likely manual and exploratory. The corrected second command successfully writes the output of whoami into a web-accessible .js file, a common tactic for validating command execution and potentially retrieving output through a browser.\r\nWhile this activity was limited to a single observed instance, the customized tooling and interactive behavior suggest a deliberate post-exploitation attempt by a threat actor testing or preparing for broader operations.\r\nspinstall0.aspx\r\nSentinelOne observed two distinct waves of activity involving a consistent final payload, spinstall0.aspx, dropped across SharePoint environments from different attacker infrastructure on July 18 and 19, 2025. While the initial dropper scripts varied slightly between waves, both resulted in deployment of the same webshell, designed to extract and expose sensitive cryptographic material from the host.\r\nFirst Wave – July 18, 2025 (14:54–18:44 GMT)\r\nSource IP: 107.191.58[.]76\r\nThis initial wave involved PowerShell-based payload delivery. 
A base64-encoded blob was decoded and written to the SharePoint LAYOUTS directory:\r\n$base64String = [REDACTED]\r\n$destinationFile = \"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx\"\r\n$decodedBytes = [System.Convert]::FromBase64String($base64String)\r\n$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)\r\n$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop\r\nThe resulting file, spinstall0.aspx, is not a traditional command webshell but rather a reconnaissance and persistence utility:\r\n\u003c%@ Import Namespace=\"System.Diagnostics\" %\u003e\r\n\u003c%@ Import Namespace=\"System.IO\" %\u003e\r\nThis code extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings—information critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens.\r\nSecond Wave – July 19, 2025 (03:06–07:59 GMT)\r\nSource IP: 104.238.159[.]149\r\nRoughly 12 hours later, a second wave used nearly identical logic to deliver the same spinstall0.aspx payload. The key difference was in the PowerShell staging script:\r\n$b = [REDACTED]\r\n$c = \"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS\\spinstall0.aspx\"\r\n$d = [System.Convert]::FromBase64String($b)\r\n$e = [System.Text.Encoding]::UTF8.GetString($d)\r\n$e | Set-Content -Path $c -ErrorAction Stop\r\nStart-Sleep -s 3\r\nWhile the encoded payload was marginally different in form, it decoded to the same spinstall0.aspx shell. 
The change in target directory, from 16\\TEMPLATE to 15\\TEMPLATE, may reflect testing across different SharePoint versions or environments.\r\nUnlike more interactive webshells observed in this campaign, spinstall0.aspx does not support command execution or file upload. Instead, its singular purpose appears to be information gathering, specifically targeting cryptographic secrets that could be reused to forge authentication or session tokens across SharePoint instances. Given the uniqueness and strategic value of the MachineKey data harvested by this shell, we assess this cluster to be part of a broader effort to establish durable access into high-value SharePoint deployments.\r\n“no shell”\r\nThis activity cluster, tracked as “no shell”, represents a more advanced and stealthy approach compared to others in this campaign. SentinelOne observed this cluster operating between July 17, 2025 10:35:04 GMT and July 18, 2025 03:51:29 GMT, making it our earliest known exploitation of CVE-2025-53770 in the wild.\r\nUnlike the other clusters, no persistent webshells were written to disk. Instead, telemetry and behavioral indicators suggest the attackers relied on in-memory .NET module execution, avoiding traditional file-based artifacts entirely. This approach significantly complicates detection and forensic recovery, underscoring the threat posed by fileless post-exploitation techniques.\r\nAll observed activity in this cluster originated from a single IP address: 96.9.125[.]147. 
Despite the lack of file system artifacts, compromised hosts exhibited patterns consistent with SharePoint exploitation, followed by encoded payload delivery and dynamic assembly loading via PowerShell or native .NET reflection.\r\nGiven the timing, just days after public proof-of-concept chatter began, and the sophistication of the fileless execution chain, we assess this cluster to be either a skilled red team emulation exercise or the work of a capable threat actor with a focus on evasive access and credential harvesting.\r\nDefenders should be especially vigilant for memory-resident activity following SharePoint exploitation attempts and should employ EDR solutions capable of detecting anomalous .NET execution patterns and assembly loading.\r\nConclusion\r\nModern threat actors are maximizing gains from patch diffing, n-day adoption, and iterative development of exploits through fast adoption. SharePoint servers are attractive to threat actors for the high likelihood that they store sensitive organizational data. Beyond their value as a knowledge store, vulnerable SharePoint servers can be used to stage and deliver additional attack components to the victim organization for internal watering hole attacks. The ease of exploitation and potential value of the data hosted on these servers make ‘ToolShell’ a potent and dangerous attack chain.\r\nAs of this writing, SharePoint Online for Microsoft 365 is not impacted. Our research teams have provided out-of-the-box Platform Detection rules and Hunting Queries to assist in discovering and isolating related behavior.\r\nWe recommend that vulnerable organizations apply the available security updates released by Microsoft (released July 21, 2025) to mitigate the related vulnerabilities as soon as possible. 
SentinelOne is actively monitoring its customer base for impact and is notifying those affected as they are identified.\r\nIndicators of Compromise\r\nSHA-1\r\nf5b60a8ead96703080e73a1f79c3e70ff44df271 - spinstall0.aspx webshell\r\nfe3a3042890c1f11361368aeb2cc12647a6fdae1 - xxx.aspx webshell\r\n76746b48a78a3828b64924f4aedca2e4c49b6735 - App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll, a compiled version of spinstall0.aspx\r\nIP Addresses\r\n96.9.125[.]147 - attacker IP from “no shell” cluster\r\n107.191.58[.]76 - attacker IP used in 1st wave of spinstall0.aspx cluster\r\n104.238.159[.]149 - attacker IP used in 2nd wave of spinstall0.aspx cluster\r\nNew SentinelOne Platform Detection Rules\r\nWeb Shell Creation in LAYOUTS Directory\r\nWeb Shell File Detected in LAYOUTS Directory\r\nSuspicious Process Spawned by SharePoint IIS Worker Process\r\nSentinelOne Platform Hunting Queries\r\ndataSource.name = 'SentinelOne' and endpoint.os = \"windows\" and event.type = \"Process Creation\" and s\r\ndataSource.name = 'SentinelOne' and endpoint.os = \"windows\" and event.type = \"Process Creation\" and s\r\nDisclaimer\r\nAll third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.\r\nSource: https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/"
	],
	"report_names": [
		"sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775438975,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eef036c95ea0d3bac1ef0c65e6d6269055d766b.pdf",
		"text": "https://archive.orkl.eu/6eef036c95ea0d3bac1ef0c65e6d6269055d766b.txt",
		"img": "https://archive.orkl.eu/6eef036c95ea0d3bac1ef0c65e6d6269055d766b.jpg"
	}
}