
Hackers Weaponize SharePoint 0-Day: Widespread Exploitation Ongoing


A critical zero-day vulnerability chain, called “ToolShell,” is actively exploited in Microsoft SharePoint Server on-premises environments. This sophisticated attack vector leverages vulnerabilities to achieve unauthenticated remote code execution (RCE), bypass multi-factor authentication, and enable persistent access. The flaws impact widely deployed SharePoint versions and are leveraged by diverse threat actors, including state-sponsored groups and ransomware operators. Immediate patching, extensive threat hunting, and the rotation of ASP.NET machine keys are essential to mitigate the risk and evict attackers.


Background on Microsoft SharePoint Server

Microsoft SharePoint Server is a web-based collaborative platform deeply integrated with Microsoft Office services, providing robust document management, storage, and organizational collaboration functionalities. Due to its central role in enterprise data management and its internet-facing exposure, on-premises SharePoint deployments represent high-value targets for cyber attackers seeking extensive access to corporate networks and sensitive information.


Vulnerability Details

  • CVE-IDs: The exploit chain primarily involves CVE-2025-53770 and CVE-2025-53771, which are bypasses of the earlier fixes for CVE-2025-49704 and CVE-2025-49706.
  • CVSS Score:
    • CVE-2025-53770 has a critical CVSS v3.1 score of 9.8.
    • CVE-2025-53771 has a CVSS v3.1 score of 6.5 (MEDIUM).
    • CVE-2025-49704 has a severity rating of 8.8, and CVE-2025-49706 has a severity rating of 6.5.
  • Vulnerability Type:
    • CVE-2025-53770 is a deserialization of untrusted data flaw (CWE-502), allowing unauthenticated remote code execution.
    • CVE-2025-53771 is described as an improper limitation of a pathname to a restricted directory (‘path traversal’) allowing an unauthorized attacker to spoof over a network.
  • EPSS Score (CVE-2025-53771): The Exploit Prediction Scoring System (EPSS) for CVE-2025-53771 is 0.07%, placing it in the 21.42nd percentile. This indicates a relatively low probability of exploitation compared to all tracked CVEs, although active exploitation in the wild necessitates immediate attention regardless of EPSS score.
  • CISA KEV Catalog: As of July 24, 2025, CVE-2025-53770 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to act immediately. CVE-2025-53771 is currently not in the CISA KEV catalog.
  • Published/Last Updated: CVE-2025-53771 was published on 2025-07-20 and last updated on 2025-07-24.
  • Affected Products and Versions:
    • SharePoint Server 2016 (on-premises)
    • SharePoint Server 2019 (on-premises)
    • SharePoint Subscription Edition (on-premises)
    • SharePoint Online in Microsoft 365 is not affected.

Infection Method

The “ToolShell” exploitation leverages these vulnerabilities using a multi-step attack chain:

  1. Initial Access: Publicly exposed, unpatched SharePoint servers are scanned for vulnerable endpoints, explicitly targeting the /_layouts/15/ToolPane.aspx endpoint with crafted POST requests.
  2. Exploitation: Attackers exploit the deserialization vulnerability (CVE-2025-53770) chained with the spoofing/path traversal vulnerability (CVE-2025-53771) to achieve unauthenticated remote code execution.
  3. Web Shell Deployment: Custom malicious web shells, primarily spinstall0.aspx and its variants (e.g., spinstall.aspx, spinstall1.aspx, spinstall2.aspx), are deployed onto the compromised server, often by writing them via PowerShell.
  4. Credential Theft/Token Forgery: The web shell executes functions to retrieve critical cryptographic secrets, including ValidationKeys, DecryptionKeys, and CompatibilityMode, collectively known as ASP.NET MachineKey data. These keys are then used to forge valid authentication tokens and sign malicious __VIEWSTATE payloads.
  5. Persistence: The forged authentication tokens enable attackers to maintain persistent access to the compromised SharePoint system, even after initial vulnerabilities are patched. Subsequent post-exploitation activities may include lateral movement and ransomware deployment.

Malware Behavior and Capabilities

Exploitation of these SharePoint vulnerabilities has led to the deployment of sophisticated malware and tools, primarily indicating espionage motives, but the activity has also evolved towards financially motivated attacks such as ransomware.

  • Persistence Mechanism: Malware establishes long-term access by leveraging stolen cryptographic keys to forge authentication tokens, allowing persistent access even after patching efforts.
  • Web Shell Functionality: The spinstall0.aspx web shell serves as a reconnaissance and persistence utility, designed to extract cryptographic secrets (MachineKey values) crucial for maintaining access across load-balanced SharePoint environments and for forging authentication tokens. It is not a traditional command shell but instead focuses on data exfiltration for persistence.
  • Remote Command Access: Post-exploitation activities often include executing PowerShell commands to deploy web shells and other payloads.
  • Credential Theft: Attackers utilize tools like Mimikatz to extract plaintext credentials from LSASS memory after gaining access. The initial web shell is designed to steal cryptographic secrets (keys), which are powerful credentials.
  • Lateral Movement: Threat actors use tools such as PsExec and the Impacket toolkit to execute commands via Windows Management Instrumentation (WMI) to move laterally within compromised networks.
  • Ransomware Deployment: Some threat actors, notably Storm-2603, have been observed deploying Warlock ransomware on affected SharePoint servers.

Techniques Include

The observed attack activities align with several techniques:

  • T1190 – Exploit Public-Facing Application: Entry point via unpatched SharePoint server vulnerabilities.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: Executes attacker commands to deploy webshells and payloads.
  • T1505.003 – Server Software Component: Web Shell: Deployment of spinstall0.aspx and variants for reconnaissance and persistence.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Malware establishes long-term access via forged tokens or persistence mechanisms (implied by persistence).
  • T1003.001 – OS Credential Dumping: LSASS Memory: Mimikatz used to extract credentials from LSASS memory.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares: Lateral movement using PsExec and Impacket.
  • T1119 – Automated Collection: Web shells gather critical cryptographic keys from the server.
  • T1070 – Indicator Removal on Host: Deletes logs post-execution (common anti-forensics, not explicitly detailed in provided data).
  • T1071.001 – Application Layer Protocol: Web Protocols: Command and control (C2) communication over HTTP/HTTPS (implied by web shell operations).

IOCs (Indicators of Compromise)

Organizations should leverage the following indicators for early detection and response:

  • SHA-1 File Hash:
    • F5B60A8EAD96703080E73A1F79C3E70FF44DF271 (SHA-1 of spinstall0.aspx)

Threat Actor Attribution

While formal attribution is pending for all observed activities, the sophistication and objectives of the “ToolShell” exploitation strongly align with nation-state Advanced Persistent Threat (APT) activity. The tactics employed suggest this could be a first-stage implant used for broader espionage, potentially targeting critical sectors such as government, telecommunications, energy, and defense.

Microsoft has specifically identified three China-aligned threat groups actively exploiting these vulnerabilities:

  • Linen Typhoon: This group has been active since 2012 and is known for its focus on intellectual property theft. It primarily targets governmental organizations, defense contractors, and human rights groups. Their involvement indicates a strategic espionage objective behind these attacks.
  • Violet Typhoon: Violet Typhoon has been operating since 2015. It specializes in espionage activities. Their targets typically include former government personnel, non-governmental organizations (NGOs), and educational institutions across North America, Europe, and East Asia, suggesting a broad intelligence-gathering mandate.
  • Storm-2603: Microsoft assesses this China-based actor as involved with medium confidence. Storm-2603 has a history of deploying Warlock and Lockbit ransomware in previous campaigns. Their observed shift to using the SharePoint vulnerabilities to deploy Warlock ransomware indicates an evolving threat, combining espionage capabilities with financially motivated cybercriminal activities.

Additionally, LuckyMouse (APT27), a highly sophisticated Chinese cyberespionage group, has been linked to a backdoor discovered on a Vietnamese machine compromised via the ToolShell vulnerabilities. LuckyMouse primarily targets governments, telecommunications companies, and international organizations, reinforcing the assessment of state-sponsored involvement.

The activity has demonstrated significant geographic reach, affecting targets in the United States, Canada, Austria, Jordan, Mexico, Germany, South Africa, Switzerland, and the Netherlands.


Impact

Successful exploitation of these critical vulnerabilities can lead to severe consequences for affected organizations:

  • Remote device takeover: Complete compromise of SharePoint servers.
  • Enterprise-wide network access: Although SharePoint is not a VPN gateway, its central role in the environment can grant attackers extensive network access.
  • Credential harvesting and privilege escalation: Theft of cryptographic keys and user credentials, leading to deeper network penetration.
  • Lateral movement within corporate networks: Attackers can expand their foothold across integrated Microsoft services (Office, Teams, OneDrive, Outlook) and other connected systems.
  • Stealthy data exfiltration: Threat actors aim to steal sensitive data, intellectual property, and configurations.
  • Ransomware deployment: Financially motivated groups are deploying ransomware, disrupting operations.

ToolShell Attack Flow

[Attacker] -> [Exploit SharePoint RCE (CVE-2025-53770/53771)] -> [Web Shell Deployment (spinstall0.aspx)] -> [Credential Theft (MachineKeys)] -> [Token Forgery / Persistent Access] -> [C2 Communication]


Mitigation Steps

Organizations must immediately apply these crucial updates and implement comprehensive mitigation strategies to protect their environments effectively.

1. Patch Software:

  • Microsoft has released urgent security updates for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition.
  • Apply patches:
    • KB5002768 for SharePoint Server Subscription Edition
    • KB5002754 and KB5002753 for SharePoint 2019
    • KB5002760 and KB5002759 for SharePoint 2016
  • Crucially, patching alone is insufficient. Organizations must also rotate ASP.NET machine keys and restart IIS services to evict attackers and fully invalidate forged tokens.

2. Isolate Devices:

  • Remove unpatched SharePoint servers from public interfaces immediately if patching cannot be applied swiftly.

3. Threat Hunting:

  • Assume compromise and conduct thorough threat hunting activities. Check for outbound HTTPS anomalies, especially to IOCs.
  • Look for altered startup configurations or unexpected web shells (spinstall0.aspx and variants) in SharePoint directories (e.g., C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\).
  • Monitor CPU/memory spikes or reverse shell behavior. Investigate any suspicious process activity related to SharePoint.

4. IOC Monitoring:

  • Leverage the shared indicators of compromise (IPs, SHA-1 hash) for early detection in network traffic, logs, and endpoint security solutions.

5. Security Solution Deployment:

  • Enable Antimalware Scan Interface (AMSI) in Full Mode within SharePoint environments.
  • Deploy Microsoft Defender Antivirus (or equivalent EDR/AV solutions) on all SharePoint servers. These solutions can detect post-exploitation activities and PowerShell-based payloads.
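As an added example (not code from the original advisory), the following Python script applies the hunting and IOC-monitoring steps above to IIS W3C logs and the SharePoint LAYOUTS directory: it flags POST requests to /_layouts/15/ToolPane.aspx and any request for a spinstall*.aspx file, and checks .aspx files by name and by SHA-1 against the published hash. The IIS field order (default W3C layout) and the sample log lines are assumptions constructed for this example.

```python
"""Hunt for ToolShell indicators in IIS W3C logs and the SharePoint LAYOUTS directory."""
import hashlib
import re
from pathlib import Path

# Indicators from the advisory: the exploited endpoint, web shell naming pattern, SHA-1 of spinstall0.aspx.
TOOLPANE = "/_layouts/15/toolpane.aspx"
WEBSHELL_RE = re.compile(r"spinstall\d*\.aspx$", re.IGNORECASE)
KNOWN_SHELL_SHA1 = {"f5b60a8ead96703080e73a1f79c3e70ff44df271"}

# Assumed default IIS W3C field order (taken from the log's own #Fields: header in practice):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) ...
IDX_METHOD, IDX_URI, IDX_CLIENT_IP = 3, 4, 8


def scan_iis_log(lines):
    """Return (reason, client_ip, raw_line) for each request matching a ToolShell pattern."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # skip W3C directives and blank lines
        fields = line.split()
        if len(fields) <= IDX_CLIENT_IP:
            continue
        method, uri, client_ip = fields[IDX_METHOD], fields[IDX_URI].lower(), fields[IDX_CLIENT_IP]
        if method == "POST" and uri == TOOLPANE:
            hits.append(("POST to ToolPane.aspx (exploitation attempt)", client_ip, line))
        elif WEBSHELL_RE.search(uri):
            hits.append(("request for spinstall web shell", client_ip, line))
    return hits


def is_webshell_artifact(name, data):
    """True if the file name matches the spinstall pattern or its SHA-1 is a known IOC."""
    return bool(WEBSHELL_RE.search(name)) or hashlib.sha1(data).hexdigest() in KNOWN_SHELL_SHA1


def scan_layouts_dir(layouts_dir):
    """List .aspx files in a LAYOUTS directory that match the web shell indicators."""
    return [p.name for p in Path(layouts_dir).glob("*.aspx") if is_webshell_artifact(p.name, p.read_bytes())]


# Constructed sample log lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 - 10.0.0.20 Mozilla/5.0 - 200
2025-07-19 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-19 10:00:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
""".splitlines()

if __name__ == "__main__":
    for reason, ip, raw in scan_iis_log(SAMPLE_LOG):
        print(f"[{reason}] from {ip}: {raw}")
```

On a real server, point scan_layouts_dir at the LAYOUTS path given above and run scan_iis_log over the files under the IIS log directory of each SharePoint web application.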

Instantly Fix Risks with Saner Patch Management

Saner Patch Management is a continuous, automated, and integrated software solution designed to proactively address vulnerabilities and instantly fix risks exploited in the wild. The software supports major operating systems like Windows, Linux, macOS, and over 550 third-party applications.

It also facilitates setting up a secure testing environment to validate patches before their broad deployment in a primary production environment. Additionally, Saner Patch Management includes a patch rollback feature, offering a safety net in case of patch failure or system malfunction.

Experience the fastest and most accurate patching software here.