On-premises Microsoft SharePoint servers are currently facing widespread, active, and severe exploitation by sophisticated threat actors. This ongoing campaign, collectively termed “ToolShell,” leverages multiple critical vulnerabilities.
The primary vulnerabilities include:
- CVE-2025-49704 (Code Injection, CVSS 8.8)
- CVE-2025-49706 (Improper Authentication, CVSS 6.5)
- CVE-2025-53770 (Deserialization of Untrusted Data, CVSS 9.8)
- CVE-2025-53771 (Path Traversal, CVSS 6.5)
These flaws, particularly when chained together, enable unauthenticated Remote Code Execution (RCE), granting attackers full control over compromised systems without requiring any credentials.
The consequences of this exploitation are dire and far-reaching. Observed outcomes include extensive data exfiltration, the deployment of persistent backdoors, the theft of critical cryptographic keys (specifically ASP.NET MachineKeys), and the deployment of destructive ransomware variants such as 4L4MD4R (a variant of the open-source Mauri870 ransomware) and Warlock ransomware.
The exploitation activity began in mid-July 2025 and intensified rapidly following the public release of Proof-of-Concept (PoC) exploits.
Given the pervasive and stealthy nature of this campaign, organizations with internet-exposed on-premises SharePoint deployments are strongly advised to assume they have already been compromised.
This shift in perspective from preventative measures to immediate detection, containment, and eradication is critical. It is imperative to understand that patching alone is insufficient to fully evict the threat. Comprehensive incident response, including forensic analysis and eradication of all established malicious artifacts, is therefore paramount.
Scope of the attack
The “ToolShell” exploitation campaign has a clear and focused target landscape, sophisticated threat actors, and adaptive methodologies designed to maximize impact.
Important: SaaS (cloud) SharePoint Online environments are explicitly stated as not affected by these specific vulnerabilities.
The affected versions are Microsoft SharePoint Enterprise Server 2016 and 2019 and Microsoft SharePoint Server Subscription Edition.
High-risk sectors, including government, schools, healthcare (including hospitals), and large enterprise companies, are at immediate and significant risk due to their reliance on self-hosted SharePoint deployments that often manage sensitive data. Furthermore, public-facing SharePoint Server versions that have reached their end-of-life (EOL) or end-of-service (EOS), such as SharePoint Server 2013 and earlier, present an even greater risk and should be immediately disconnected from the internet.
Adversary agility is a defining characteristic of this campaign. Threat actors associated with CL-CRI-1040 demonstrate remarkable adaptability, rapidly adjusting their infrastructure and payloads to evade detection. CISA also notes the observed deployment of hard-to-detect .dll payloads.
Who are the threat actors
Microsoft tracks Storm-2603, a prominent China-based threat actor, which has been observed exploiting these vulnerabilities to deploy Warlock and LockBit ransomware. Other identified Chinese nation-state actors, Linen Typhoon and Violet Typhoon, also exploit these vulnerabilities, in line with their historical tactics of espionage and intellectual property theft.
These threat actors employ a methodical approach, beginning with an initial reconnaissance phase prior to exploitation.
Risks of the vulnerability
A compromised SharePoint server represents a significant risk due to its deep integration with other Microsoft services such as Office, Teams, OneDrive, and Outlook. This allows the compromise to extend far beyond the SharePoint environment itself, potentially opening the door to the entire network.
Attackers are observed bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once a foothold is established, post-exploitation objectives include the exfiltration of sensitive data, deployment of persistent backdoors, and the theft of cryptographic keys.
The most critical observed impact is the deployment of ransomware, leading to data encryption and financial extortion.
The extensive list of observed post-exploitation techniques, particularly those designed for stealth, like reflective code loading and disabling Microsoft Defender, highlights the limitations of perimeter defenses and traditional antivirus solutions.
Mitigation
Addressing the active exploitation of on-premises SharePoint vulnerabilities requires immediate, multi-layered mitigation.
Organizations must apply the security updates released by Microsoft for SharePoint Server Subscription Edition, 2019, and 2016 without delay. These updates address all “ToolShell” CVEs, including the more robust protections against the patch bypasses.
A non-negotiable step is the rotation of all ASP.NET machine keys followed by a restart of IIS. Stolen cryptographic material must be invalidated to prevent continued attacker access and data decryption.
Warning: If malicious module entries in applicationHost.config and web.config are not manually removed before the IIS restart, those modules will persist and reload, maintaining the compromise. Machine keys can be updated manually via the Set-SPMachineKey PowerShell cmdlet or by triggering the “Machine Key Rotation Job” in SharePoint Central Administration.
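Finding those module entries is the hard part of the warning above: IIS registers modules in two sections of applicationHost.config (native modules in `<globalModules>`, enabled modules in `<modules>`, possibly scoped to one site inside a `<location>` block) and managed .NET modules can also be added per site in web.config. The Python script below is an added example, not Microsoft guidance and not a Proven Data tool. It parses both files, collects every module registration, and reports the ones whose name is absent from a baseline captured on a known-good SharePoint front end, together with the section and `<location>` the entry sits in so it can be removed before IIS is restarted. The XML, the baseline, and the names ExampleNativeModule and ExampleManagedModule are constructed for illustration.

```python
"""Baseline check for IIS module registrations in applicationHost.config and web.config.

Added example for this advisory (not Microsoft guidance or a Proven Data tool). It lists
every <globalModules> and <modules> registration, reports the ones absent from a baseline
captured on a known-good SharePoint front end, and says which <location> each sits in so
the entry can be removed before IIS is restarted. All XML, the baseline and the module
names ExampleNativeModule / ExampleManagedModule below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: module names exported from a clean host with collect_modules().
BASELINE = {
    "StaticFileModule", "DefaultDocumentModule", "AnonymousAuthenticationModule",
    "WindowsAuthenticationModule", "RequestFilteringModule",
}

# Constructed applicationHost.config: a native module registered globally and enabled
# only for one site through a <location> block.
APPHOST_SAMPLE = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ExampleNativeModule" image="C:\Windows\Temp\example_native.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="DefaultDocumentModule" />
    </modules>
  </system.webServer>
  <location path="SharePoint - 443">
    <system.webServer>
      <modules>
        <add name="ExampleNativeModule" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""

# Constructed web.config for the same site: a managed (.NET) module added by type.
WEBCONFIG_SAMPLE = r"""<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="AnonymousAuthenticationModule" />
      <add name="ExampleManagedModule" type="Example.Module, ExampleAssembly" />
    </modules>
  </system.webServer>
</configuration>
"""

SAMPLE_CONFIGS = [("applicationHost.config", APPHOST_SAMPLE), ("web.config", WEBCONFIG_SAMPLE)]


def _enclosing_location(parent_map, node):
    """Walk up to the nearest <location path="..."> ancestor; global config otherwise."""
    while node is not None:
        if node.tag == "location":
            return node.get("path", "")
        node = parent_map.get(node)
    return "(global)"


def collect_modules(xml_text, source):
    """Return every <add> under <globalModules> or <modules>, with where it was found."""
    root = ET.fromstring(xml_text)
    parent_map = {child: parent for parent in root.iter() for child in parent}
    entries = []
    for section in ("globalModules", "modules"):
        for section_el in root.iter(section):
            for item in section_el.findall("add"):
                entries.append({
                    "source": source,
                    "section": section,
                    "location": _enclosing_location(parent_map, item),
                    "name": item.get("name", ""),
                    # native modules carry image=, managed modules carry type=
                    "binary": item.get("image") or item.get("type") or "",
                })
    return entries


def find_unexpected(configs, baseline=BASELINE):
    """configs: iterable of (label, xml_text). Returns entries whose name is not baselined."""
    return [entry for source, text in configs
            for entry in collect_modules(text, source)
            if entry["name"] not in baseline]


if __name__ == "__main__":
    for e in find_unexpected(SAMPLE_CONFIGS):
        print(f'{e["source"]} [{e["section"]} @ {e["location"]}] {e["name"]} -> {e["binary"]}')
```

Run it with an empty baseline to get a complete inventory of the host, then diff that inventory against one taken from a front end you trust; a module that appears in `<globalModules>` with an image path outside the IIS or SharePoint installation directories deserves a look even if its name sounds plausible. The script only reads the files; the actual removal of an entry, followed by the key rotation and IIS restart described above, is still a manual step.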
If immediate patching or AMSI enablement is not feasible, internet-exposed SharePoint servers should be disconnected from the internet until they can be fully secured and remediated. Organizations may also consider using a VPN or proxy requiring authentication to limit unauthenticated traffic.
Given the likelihood of established footholds and the sophistication of the attack, organizations must engage professional incident response teams. These teams will conduct thorough compromise assessments, hunt for established backdoors, and ensure full threat eradication.
Proven Data offers comprehensive Incident Response (DFIR) services, providing the immediate 24/7 breach response necessary to contain active threats and conduct thorough digital forensics investigations.
MITRE ATT&CK
Key tactics and techniques observed in “ToolShell” exploitation include:
1. Initial Access
T1190 Exploit Public-Facing Application, where threat actors leveraged the “ToolShell” vulnerabilities in internet-facing on-premises SharePoint servers to achieve unauthenticated RCE.
2. Execution
T1059.001 Command and Scripting Interpreter: PowerShell is used extensively via web shells to read and transmit MachineKey data, disable real-time monitoring, and drop additional web shells.
T1059.003 Command and Scripting Interpreter: Windows Command Shell is employed via cmd.exe and batch scripts to launch PsExec.
T1569.002 System Services: Service Execution involves abusing the Windows service control manager to disable Microsoft Defender and launch tools.
T1543.003 Create or Modify System Process: Windows Service leverages PsExec to escalate privileges to SYSTEM.
T1047 Windows Management Instrumentation (WMI) is used with the Impacket toolkit to execute commands remotely without writing files to disk.
3. Persistence
T1505.003 Server Software Component: Web Shell involves installing web shells (e.g., spinstall0.aspx) to maintain persistent access and exfiltrate MachineKeys.
T1505.004 Server Software Component: IIS Components involves manipulating IIS to load suspicious .NET assemblies.
T1053.005 Scheduled Task/Job: Create scheduled tasks for continued access.
4. Privilege Escalation
T1484.001 Domain or Tenant Policy Modification: Group Policy Modification is used by Storm-2603 to distribute Warlock ransomware in compromised environments, a sophisticated method for widespread malware deployment.
5. Defense Evasion
T1620 Reflective Code Loading is used for payloads, bypassing file-based detections.
T1562.001 Impair Defenses: Disable or Modify Tools is used to disable or modify security tooling.
T1112 Modify Registry is used to disable Microsoft Defender via direct registry modifications.
6. Credential Access
T1003.001 OS Credential Dumping: LSASS Memory is performed with Mimikatz to extract plaintext credentials from LSASS memory.
7. Discovery
T1033 System Owner/User Discovery uses whoami commands to enumerate the user context.
T1005 Data from Local System gathers host and local system information, such as web.config data (containing MachineKeys).
8. Lateral Movement
T1570 Lateral Tool Transfer involves the Impacket toolkit leveraging WMI for remote staging and execution of payloads across the network.
9. Collection
T1119 Automated Collection involved web shells specifically designed to automatically display and exfiltrate MachineKey data.
10. Command and Control
T1090 Proxy: a fast reverse proxy tool (xd.exe) is used for covert C2 communications.
11. Impact
T1486 Data Encrypted for Impact is the ultimate observed impact, with files encrypted through the deployment of 4L4MD4R and Warlock ransomware.
ToolShell IOCs
Indicators of Compromise (IoCs) are digital artifacts that provide tangible evidence of malicious activity within a network or system. Security teams should actively scan their networks, endpoints, and logs for the presence of these files, network connections, and activity patterns, and should update intrusion prevention system (IPS) and web application firewall (WAF) rules to block exploit patterns and anomalous behavior associated with these IoCs.
The confirmed presence of these specific IoCs on an organization’s systems provides concrete, verifiable evidence of a breach, which is crucial for meeting regulatory reporting requirements and supporting insurance claims.
Key IoCs to monitor and hunt for include:
Exploitation Source IP Addresses
These IPs represent the origin points of exploitation attempts or the hosting of malicious payloads. Noteworthy IPs include:
- 107.191.58[.]76 (delivered the spinstall0.aspx web shell)
- 104.238.159[.]149 (delivered the spinstall0.aspx web shell; overlaps with Microsoft’s Storm-2603 cluster)
- 96.9.125[.]147 (delivered the .NET modules qlj22mpc and bjcloiyq)
- 145.239.97[.]206 (host for the 4L4MD4R ransomware download: hxxps://ice.theinnovationfactory[.]it/static/4l4md4r.exe)
Additional exploitation sources and reconnaissance IPs associated with the Safing Privacy Network (SPN) have also been identified.
Malicious Files and Hashes
Web Shells:
- spinstall0.aspx (SHA-256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514) is a key web shell deployed post-exploitation to retrieve MachineKey data.
- Variations such as spinstall.aspx, spinstall1.aspx, and spinstall2.aspx are also observed.
.NET Modules:
Custom .NET assembly modules delivered to exfiltrate cryptographic MachineKeys:
- qlj22mpc (SHA-256: 4A02A72AEDC3356D8CB38F01F0E0B9F26DDC5CCB7C0F04A561337CF24AA84030)
- bjcloiyq (SHA-256: B39C14BECB62AEB55DF7FD55C814AFBB0D659687D947D917512FE67973100B70)
Other Malware/Tools:
- debug_dev.js
- IIS_Server_dll.dll
- SharpHostInfo.x64.exe
- xd.exe
Ransomware Payloads:
4L4MD4R ransomware sample hash: 33067028e35982c7b9fdcfe25eb4029463542451fdff454007832cf953feaf1e.
File Paths (common deployment locations):
- C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
- C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\debug_dev.js
Network Activity Patterns and URLs:
- HTTP GET requests for /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with a python-requests/2.32.3 User-Agent and no referrer field (initial reconnaissance).
- POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and suspicious requests with the referrer /_layouts/SignOut.aspx (used for initial access).
Command and Control (C2) Domains:
- bpp.theinnovationfactory[.]it:445 (C2 server for 4L4MD4R ransomware).
- update.updatemicfosoft.com (Storm-2603 web shell C2 infrastructure).
Post-exploitation C2 IPs include: 131.226.2[.]6, 65.38.121[.]198, 134.199.202[.]205, 188.130.206[.]168.
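The request patterns, web shell names, and IP addresses in this IoC section translate directly into a log hunt. The Python script below is an added example, not a Microsoft, CISA, or Proven Data tool: it parses IIS W3C extended logs using the `#Fields:` directive, flags the ToolPane.aspx reconnaissance GET and the SignOut.aspx-referrer POST described above, flags any request for spinstall*.aspx, and flags any client IP on the IoC list (the source and post-exploitation C2 IPs with the [.] defanging removed). The log lines in SAMPLE_LOG are constructed; 203.0.113.10 and the 10.20.30.x addresses are documentation-range placeholders.

```python
"""Hunt IIS W3C extended logs for the ToolShell request patterns and IoC IPs listed above.

Added example for this advisory, not a tool from Microsoft, CISA or Proven Data. The log
lines in SAMPLE_LOG are constructed to mirror the IoC section; 203.0.113.10 and the
10.20.30.x client addresses are placeholders, the other addresses come from the IoC list.
"""
import re

# Exploitation-source and post-exploitation C2 IPs from the IoC list (defanging removed).
IOC_IPS = {
    "107.191.58.76", "104.238.159.149", "96.9.125.147", "145.239.97.206",
    "131.226.2.6", "65.38.121.198", "134.199.202.205", "188.130.206.168",
}
TOOLPANE = "/_layouts/15/toolpane.aspx"
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$")  # spinstall0.aspx and its variants

# Constructed IIS log. IIS writes "-" for empty fields and "+" for spaces in the User-Agent.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 03:12:41 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 python-requests/2.32.3 - 200 0 0 120
2025-07-18 03:12:43 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.10 python-requests/2.32.3 https://sp.example.internal/_layouts/SignOut.aspx 200 0 0 310
2025-07-18 03:12:50 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 45
2025-07-18 03:13:02 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\jsmith 10.20.30.40 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/sites/hr 200 0 0 88
2025-07-18 03:15:11 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\admin 10.20.30.41 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/_layouts/15/settings.aspx 200 0 0 60
2025-07-18 03:20:00 10.0.0.5 GET /favicon.ico - 443 - 107.191.58.76 curl/8.4.0 - 404 0 2 5
"""


def parse_w3c(text):
    """Yield (line_no, record) per data line; field names come from the #Fields: directive."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#") or fields is None:
            continue
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # IIS never emits spaces inside a field, so a mismatch is a corrupt line
        yield line_no, dict(zip(fields, values))


def classify(rec):
    """Return a short reason if the record matches a ToolShell indicator, else None."""
    if rec.get("c-ip") in IOC_IPS:
        return "client IP on ToolShell IoC list"
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    method = rec.get("cs-method", "")
    ua = rec.get("cs(User-Agent)", "")
    referer = rec.get("cs(Referer)", "-").lower()
    if WEBSHELL_RE.search(stem):
        return "request for spinstall*.aspx web shell"
    if stem == TOOLPANE and "displaymode=edit" in query:
        if method == "POST" and referer.endswith("/_layouts/signout.aspx"):
            return "POST to ToolPane.aspx with SignOut.aspx referrer (initial access)"
        if (method == "GET" and "a=/toolpane.aspx" in query
                and ua.startswith("python-requests/") and referer == "-"):
            return "GET ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx from python-requests, no referrer (recon)"
    return None


def hunt(text):
    """Return [(line_no, client_ip, reason)] for every matching line in an IIS log."""
    return [(n, rec.get("c-ip", "-"), reason)
            for n, rec in parse_w3c(text)
            if (reason := classify(rec))]


if __name__ == "__main__":
    for line_no, ip, reason in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {ip}: {reason}")
```

Authenticated administrators legitimately open ToolPane.aspx in edit mode (the CONTOSO\admin line above is left alone for that reason), so the match keys on the combination the IoC section gives: the `a=/ToolPane.aspx` parameter with a python-requests User-Agent and no referrer for reconnaissance, and a POST whose referrer is SignOut.aspx for the access attempt. Point the script at the files under `%SystemDrive%\inetpub\logs\LogFiles\` on each front end, and treat any spinstall*.aspx request or IoC-list client as a reason to move from hunting to the incident response steps described under Mitigation.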