SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access

A cyberattack campaign targeting Microsoft SharePoint servers has been discovered exploiting a newly weaponized vulnerability chain dubbed ‘ToolShell’, which lets attackers gain complete remote control over vulnerable systems without authentication. Eye Security, a Dutch cybersecurity firm, identified the active exploitation on July 18, 2025, in what security researchers describe as one of the most rapid transitions from proof-of-concept to mass exploitation in recent memory.

**Key Takeaways**

1. A critical SharePoint vulnerability chain (‘ToolShell’) is being actively exploited, giving attackers full, unauthenticated server control.
2. The attack steals the server’s cryptographic keys to bypass security controls and install persistent backdoors.
3. Patch immediately and scan for existing compromise: the patch does not remove attackers who are already inside.

### From Research to Weaponization in 72 Hours

The vulnerability chain combines two critical security flaws, [CVE-2025-49706](https://cybersecuritynews.com/microsoft-patch-tuesday-july-2025/) and [CVE-2025-49704](https://cybersecuritynews.com/microsoft-patch-tuesday-july-2025/), originally demonstrated at Pwn2Own Berlin 2025 in May by researchers from CODE WHITE GmbH, a German offensive security firm. The exploit remained dormant until July 15, 2025, when CODE WHITE publicly shared detailed findings on social media following Microsoft’s official patch release. Within 72 hours of that disclosure, threat actors had operationalized the exploit for large-scale coordinated attacks.

Eye Security’s investigation [revealed](https://research.eye.security/sharepoint-under-siege/) that attackers began systematic mass exploitation on July 18, 2025, around 18:00 Central European Time, initially from IP address 107.191.58.76. A second distinct wave emerged from 104.238.159.149 on July 19, 2025, at 07:28 CET, indicating a coordinated international campaign.

The ToolShell exploit bypasses traditional [authentication](https://cybersecuritynews.com/authentication/) mechanisms by targeting SharePoint’s vulnerable `/_layouts/15/ToolPane.aspx` endpoint. Unlike conventional web shells built primarily for command execution, the malicious payload extracts sensitive cryptographic keys from the SharePoint server, including the ValidationKey and DecryptionKey.

‘This wasn’t your typical webshell,’ explained Eye Security researchers in their technical analysis. ‘The attacker turns SharePoint’s inherent trust in its own configuration into a powerful weapon.’

Once these secrets are obtained, attackers can craft valid `__VIEWSTATE` payloads and achieve remote code execution without any user credentials. The attack leverages techniques similar to CVE-2021-28474, exploiting SharePoint’s deserialization and control rendering processes. Because the attacker holds the server’s ValidationKey, malicious payloads can be signed so that SharePoint accepts them as legitimate trusted input, bypassing the existing security controls.

Eye Security’s scan of over 1,000 SharePoint servers deployed worldwide revealed dozens of actively compromised systems across multiple organizations. The firm immediately initiated responsible disclosure, directly contacting the affected organizations and national Computer Emergency Response Teams (CERTs) in Europe and internationally.

![ToolShell SharePoint Exploit Attack Statistics and Impact Analysis](https://ppl-ai-code-interpreter-files.s3.amazonaws.com/web/direct-files/4fa360b56e1174250071a1ee6df338f2/38f3efb2-2728-4fc3-84b1-443c1c7e97d3/16a0f4db.png)

Microsoft has officially acknowledged the active exploitation, assigning a new CVE identifier (CVE-2025-53770) to track the specific variant used in live attacks.

> Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770.
>
> We have outlined mitigations and detections in our blog. Our team is working urgently to release…
>
> — Security Response (@msftsecresponse) [July 20, 2025](https://twitter.com/msftsecresponse/status/1946737930849939793?ref_src=twsrc%5Etfw)

The company released security patches for all affected versions, including SharePoint Server 2016, 2019, and Subscription Edition, as part of its July 2025 security update cycle. Organizations running vulnerable SharePoint versions must apply Microsoft’s July 2025 security updates without delay. The affected builds include SharePoint 2016 versions prior to 16.0.5508.1000 (KB5002744), SharePoint 2019 versions prior to 16.0.10417.20027 (KB5002741), and Subscription Edition versions prior to 16.0.18526.20424. Microsoft explicitly states that no alternative workarounds exist; only patching eliminates this vulnerability.

### SharePoint ‘ToolShell’ Exploit Indicators of Compromise (IoCs)

| IoC Type | Indicator | Description |
| --- | --- | --- |
| IP Address | `107.191.58[.]76` | Source IP of the first exploit wave on July 18, 2025. |
| IP Address | `104.238.159[.]149` | Source IP of the second exploit wave on July 19, 2025. |
| User-Agent | `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0` | User-Agent string used during exploitation. Also seen in URL-encoded form in IIS logs. |
| URL / Path | `POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx` | The exploit path used to trigger the initial vulnerability (CVE-2025-49706). |
| URL / Path | `GET /_layouts/15/.aspx` | Request to the malicious ASPX file planted to dump cryptographic keys (filename not disclosed). |
| File Hash (SHA256) | `4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030` | Hash of the initial web shell observed. |
| File Hash (SHA256) | `b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70` | Another associated malicious file hash. |
| File Hash (SHA256) | `fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7` | Hash of a payload specifically targeting the `__VIEWSTATE`. |

Organizations must also conduct thorough compromise assessments immediately, as these attacks enable persistent access that survives patching, system reboots, and standard security scans.
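As an added example (not from the article, Eye Security or Microsoft), the following Python triages constructed IIS W3C log lines against the network and path indicators from the table above: the two source IPs, the User-Agent (URL-decoded, since IIS writes `+` for spaces), the `POST` to `ToolPane.aspx`, and a follow-up `GET` to another `/_layouts/15/*.aspx` from the same client, which is the shape of the key-dumping request. The log field order and the placeholder name for the undisclosed planted ASPX file are assumptions.

```python
from urllib.parse import unquote

# Indicators copied from the article's IoC table, normalised to lower case
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
TOOLPANE_QUERY = "displaymode=edit&a=/toolpane.aspx"
KNOWN_IPS = {"107.191.58.76", "104.238.159.149"}
KNOWN_UA = ("mozilla/5.0 (windows nt 10.0; win64; x64; rv:120.0) "
            "gecko/20100101 firefox/120.0")
# Assumed field order of the constructed log (a subset of IIS W3C extended fields)
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

def scan(lines):
    """Return {client_ip: [indicator names]} for clients matching any indicator.
    A GET to some other /_layouts/15/*.aspx is flagged only when the same client
    has already POSTed to ToolPane.aspx, so ordinary _layouts traffic stays quiet."""
    findings, toolpane_clients = {}, set()
    for line in lines:
        parts = line.split(" ")
        if line.startswith("#") or len(parts) < len(FIELDS):
            continue  # W3C directive line or truncated record
        rec = dict(zip(FIELDS, parts))
        ip = rec["c-ip"]
        stem = unquote(rec["cs-uri-stem"]).lower()
        query = unquote(rec["cs-uri-query"]).lower()
        # IIS writes '+' for spaces and may percent-encode the User-Agent
        ua = unquote(rec["cs(User-Agent)"]).replace("+", " ").lower()
        hits = findings.setdefault(ip, [])
        if ip in KNOWN_IPS and "known_ip" not in hits:
            hits.append("known_ip")
        if ua == KNOWN_UA and "known_ua" not in hits:
            hits.append("known_ua")
        if rec["cs-method"] == "POST" and stem == TOOLPANE_PATH and TOOLPANE_QUERY in query:
            hits.append("toolpane_post")
            toolpane_clients.add(ip)
        elif (rec["cs-method"] == "GET" and ip in toolpane_clients
              and stem.startswith("/_layouts/15/") and stem.endswith(".aspx")):
            hits.append("layouts_aspx_after_toolpane:" + stem)
    return {ip: h for ip, h in findings.items() if h}

# Constructed sample log; the planted filename is undisclosed, so a placeholder is used
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 16:01:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 200
2025-07-18 16:02:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 200
2025-07-18 16:02:33 10.0.0.5 GET /_layouts/15/PLACEHOLDER-undisclosed.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 200
"""

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG.splitlines()).items():
        print(client, hits)
```

Running it reports only the client at 107.191.58.76, with the known IP, known User-Agent, the ToolPane POST and the subsequent `_layouts` GET; the ordinary user session is not flagged.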
