Critical Cyber Update: ToolShell Attacks on SharePoint Servers

August 2025

What Are ToolShell Attacks?

In recent days, a new wave of cyberattacks known as ToolShell has begun targeting on-premises Microsoft SharePoint servers globally. This fast-moving campaign exploits two newly disclosed vulnerabilities, CVE-2025-53770 and CVE-2025-53771, to gain unauthorised remote code execution (RCE) access to SharePoint servers without needing user credentials or interaction.

Unlike traditional attacks that rely on phishing, malware, or stolen credentials, ToolShell requires just a single HTTP request to an exposed SharePoint endpoint. This means attackers can compromise your SharePoint server with minimal effort, making the attack both dangerous and efficient.

The Vulnerabilities: CVE-2025-53770 and CVE-2025-53771

These vulnerabilities exploit a deserialisation bug in ASP.NET, which allows attackers to execute code remotely on the server. Here’s a simplified breakdown of how the attack works:

1. Crafted POST Request: The attacker sends a specially crafted POST request to a specific SharePoint endpoint.
2. Authentication Bypass: The server, due to improper validation, grants unauthorised access to upload functionality.
3. Webshell Deployment: A stealthy webshell, named spinstall0.aspx, is uploaded to the server.
4. Key Extraction: The webshell extracts important cryptographic keys (ValidationKey and DecryptionKey) from the server’s memory.
5. Token Forgery: With these keys, attackers can forge trusted tokens, allowing them to execute commands repeatedly and stealthily.

Understanding these technical details helps us appreciate the simplicity yet potency of the ToolShell exploit.

Why ToolShell Attacks Are a Major Threat

ToolShell attacks pose a significant threat for several reasons:

• No Login Required: The attack works without the need for user credentials, making it easier for attackers to execute.
• Complete Server Control: Attackers gain full access to SharePoint data, system files, and configurations.
• Long-Term Stealthy Access: By stealing cryptographic keys, attackers can maintain persistent, undetected access.
• Lateral Movement Potential: Once inside, attackers can move laterally across your network, compromising other systems like Exchange, OneDrive, Teams, and Active Directory.

These factors make ToolShell a formidable threat that requires immediate attention and action.

Steps to Protect Your SharePoint Servers

To protect your SharePoint servers from ToolShell attacks, consider the following steps:

1. Patch and Update: Ensure your SharePoint servers are updated with the latest security patches. Regular updates can close vulnerabilities before they are exploited.
2. Network Segmentation: Implement network segmentation to limit the impact of any potential breaches. Isolate critical servers and restrict access to them.
3. Monitor Traffic: Use advanced monitoring tools to detect unusual traffic patterns that could indicate an attack. Tools like Vectra AI can help identify suspicious activities.
4. Backup and Recovery: Regularly back up your data and have a robust recovery plan in place. This ensures you can restore your systems quickly in case of an attack.
5. Security Awareness Training: Educate your staff about the importance of cybersecurity and the methods attackers use. Awareness can be a powerful tool in preventing breaches.
   
   

How Matrium Can Help

Matrium Technologies, offers advanced solutions to detect and mitigate ToolShell and similar threats. Our platform not only helps in detecting the initial exploit but also assists your Security Operations Center (SOC) in investigating with speed and precision. It correlates attacker behaviours across SharePoint, identity systems, and cloud services, highlighting everything from webshell deployment to lateral movement.

Staying Ahead of Future Cyber Threats

The landscape of cybersecurity is constantly evolving, with new threats emerging regularly. Staying ahead requires a proactive approach:

• Continuous Monitoring: Implement continuous monitoring solutions to detect and respond to threats in real-time.
• Threat Intelligence: Stay informed about the latest threats and vulnerabilities. Utilise threat intelligence services to keep your security measures up to date.
• Regular Audits: Conduct regular security audits and penetration testing to identify and fix vulnerabilities.
• Invest in Advanced Security Solutions: Invest in advanced security solutions that provide comprehensive protection across all layers of your network.

By following these practices, you can enhance your cybersecurity posture and protect your organisation from emerging threats like ToolShell.

In conclusion, understanding the nature of ToolShell attacks and taking proactive measures to protect your systems is crucial. Matrium Technologies, in collaboration with our partners, offers the tools and expertise needed to detect, mitigate, and stay ahead of such sophisticated cyber threats. Stay vigilant and ensure your defences are always one step ahead.