Dissecting the SharePoint ToolShell Vulnerability Kill Chain (CVE-2025-53770 and CVE-2025-53771)
- Inception Security
- 6 days ago
- 5 min read

In the ever-evolving landscape of cybersecurity threats, Microsoft SharePoint servers have become a prime target for sophisticated exploits. As of July 2025, a zero-day vulnerability chain dubbed "ToolShell" is being actively exploited, allowing unauthenticated remote code execution (RCE) on on-premises SharePoint installations. This chain poses significant risks to organizations relying on SharePoint for collaboration and data management. In this technical blog, we'll break down the vulnerability details and map the exploitation process to the cyber kill chain framework, providing insights for security professionals to better understand and defend against these attacks.
Understanding the Vulnerabilities
The ToolShell exploit chain primarily revolves around a critical authentication bypass and RCE vulnerability (CVSS 9.8) caused by unsafe deserialization of untrusted data in SharePoint's ToolPane functionality. This is often chained with a path traversal or security bypass flaw and builds on previously patched issues like arbitrary file write/RCE and spoofing vulnerabilities. Affected systems include all supported on-premises versions:
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Server 2016
SharePoint Online in Microsoft 365 remains unaffected. The chain exploits a logic flaw in Referer header validation at the /_layouts/15/ToolPane.aspx?DisplayMode=Edit endpoint, enabling attackers to access administrative features without authentication. Once inside, attackers can upload malicious ASPX files (e.g., webshells like spinstall0.aspx) to directories such as C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\, extract sensitive MachineKey data (ValidationKey and DecryptionKey), and achieve full RCE. Tools like SharpPyShell and ysoserial.net are commonly used to craft webshells and generate signed __VIEWSTATE payloads for deserialization attacks. Observed payloads include password-protected webshells and fileless in-memory executions to evade detection.
The Cyber Kill Chain: Step-by-Step Exploitation
The cyber kill chain outlines the stages of a targeted attack. For the ToolShell chain, attackers—often linked to sophisticated groups—follow a structured approach to compromise SharePoint servers. Below, we map the observed tactics to each stage.
1. Reconnaissance
Attackers scan for internet-facing SharePoint servers, identifying vulnerable versions (2016, 2019, Subscription Edition) and exposed endpoints like /_layouts/15/ToolPane.aspx. Targets often include sectors such as technology consulting, manufacturing, critical infrastructure, and professional services. This phase involves passive intelligence gathering, potentially using tools to enumerate server banners or public vulnerability disclosures.
2. Weaponization
Exploits are crafted by combining the zero-day with patched vulnerabilities. Proof-of-concept code surfaced shortly after patches, enabling rapid weaponization. Attackers prepare malicious POST requests with forged Referer headers (e.g., set to /SignOut.aspx) and embed PowerShell commands or webshell payloads. Tools like ysoserial.net generate serialized gadgets for deserialization attacks.
3. Delivery
The payload is delivered through a single, unauthenticated HTTP POST to the vulnerable ToolPane.aspx endpoint. No user interaction is required, making it ideal for automated scans and exploits.
4. Exploitation
Upon delivery, the server deserializes untrusted data, triggering the initial RCE. This allows arbitrary file writes, deploying webshells such as spinstall0.aspx or executing in-memory .NET modules. Commands like cmd.exe /c whoami > info.js validate execution, often revealing system-level privileges.
5. Installation
For persistence, attackers install webshells in SharePoint directories. These support command execution, file uploads, and authentication via cookies. Some variants use fileless techniques, reflectively loading payloads in IIS processes to avoid disk writes. Stolen MachineKeys enable forged tokens, maintaining access post-patching.
6. Command and Control (C2)
Webshells facilitate ongoing C2, allowing remote command execution and data exfiltration. Attackers extract cryptographic keys via GET requests to the webshell, using them to impersonate users and craft valid payloads. This enables lateral movement within the network.
7. Actions on Objectives
Final goals include data theft, credential harvesting, and establishing footholds for broader attacks. Extracted MachineKeys allow decryption of sensitive data or persistent access, potentially leading to ransomware or espionage. Exploitation waves since July 7, 2025, target governments and tech firms globally.
Mapping to the MITRE ATT&CK Framework
To provide a more comprehensive view of the threat, we map the ToolShell exploitation to the MITRE ATT&CK framework. This highlights the tactics and techniques attackers employ, aiding in threat modeling and defense prioritization.
- Reconnaissance (TA0043): Active Scanning (T1595) – Scanning for exposed SharePoint servers and vulnerable endpoints.
- Initial Access (TA0001): Exploit Public-Facing Application (T1190) – Exploiting the ToolPane.aspx endpoint via forged Referer headers for unauthenticated access.
- Execution (TA0002): Command and Scripting Interpreter (T1059) – Using PowerShell or cmd.exe to execute malicious commands post-exploitation.
- Persistence (TA0003): Server Software Component: Web Shell (T1505.003) – Deploying webshells like spinstall0.aspx in SharePoint directories for ongoing access.
- Defense Evasion (TA0005): Masquerading (T1036) – Forging __VIEWSTATE payloads and using fileless techniques to evade detection.
- Credential Access (TA0006): Steal Application Access Tokens (T1528) – Extracting MachineKeys to forge authentication tokens.
- Collection (TA0009): Data from Information Repositories (T1213) – Harvesting sensitive data from SharePoint repositories.
- Command and Control (TA0011): Application Layer Protocol: Web Protocols (T1071.001) – Using HTTP/HTTPS for C2 via deployed webshells.
- Exfiltration (TA0010): Exfiltration Over C2 Channel (T1041) – Transferring stolen data over the established webshell connection.
This mapping underscores the multi-stage nature of the attack, aligning closely with the cyber kill chain.
Mitigation Strategies
To defend against ToolShell:
- Patch Immediately: Apply emergency updates for affected versions (Subscription Edition build 16.0.18526.20508, Server 2019 build 16.0.10417.20037, Server 2016 build 16.0.5513.1001).
- Enable AMSI: Turn on Antimalware Scan Interface in Full Mode on SharePoint servers.
- Rotate Keys: Post-patch, rotate ASP.NET MachineKeys and restart IIS.
- Network Controls: Isolate servers behind VPNs or proxies; monitor for suspicious POST requests to ToolPane.aspx.
- Detection: Use EDR tools to hunt for IOCs, such as webshell files or anomalous IIS behavior.
Threat Hunting Queries
Proactive threat hunting is crucial for detecting ToolShell exploitation. Below are example queries tailored for Microsoft Sentinel, CrowdStrike, and SentinelOne. These focus on indicators like anomalous file creations, process executions, and network activity.
Microsoft Sentinel (KQL Queries)
Hunting Query for Exploitation Chain (w3wp.exe -> cmd.exe -> PowerShell with Encoded Command):
DeviceProcessEvents
| where InitiatingProcessFileName has "w3wp.exe"
    and InitiatingProcessCommandLine !has "DefaultAppPool"
    and FileName =~ "cmd.exe"
    and ProcessCommandLine has_all ("cmd.exe", "powershell")
    and ProcessCommandLine has_any ("EncodedCommand", "-ec")
| extend CommandArguments = split(ProcessCommandLine, " ")
| mv-expand CommandArguments to typeof(string)
| where CommandArguments matches regex "^[A-Za-z0-9+/=]{15,}$"
| extend B64Decode = replace("\\x00", "", base64_decodestring(tostring(CommandArguments)))
| where B64Decode has_any ("spinstall0", @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS', @'C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS')
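The KQL query above has to strip the null bytes that base64_decodestring leaves behind because PowerShell's -EncodedCommand argument is base64 over UTF-16LE text. The following Python script is an added example (not code from the original post or from Microsoft) that applies the same filters to process-creation events outside Sentinel, decoding the argument as UTF-16LE directly and reporting which of the post's indicators appear in the decoded script. The field names mirror the DeviceProcessEvents columns used in the query; the events, the device names and the embedded PowerShell text are constructed samples.

```python
"""Added example (not from the original post): decode PowerShell -EncodedCommand
arguments from process-creation events and flag the ToolShell indicators the
Sentinel query searches for. Field names mirror DeviceProcessEvents columns;
the events themselves are constructed samples."""
import base64
import re
from typing import Optional

# Indicators taken from the hunting query in the post.
INDICATORS = (
    "spinstall0",
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS",
    r"C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS",
)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{15,}$")


def encoded_command_tokens(cmdline: str) -> list:
    """Return the argument following each -EncodedCommand style switch.
    powershell.exe accepts -e, -ec, -enc and any longer prefix of -EncodedCommand."""
    parts = cmdline.split()
    tokens = []
    for i, part in enumerate(parts[:-1]):
        if not part or part[0] not in "-/":
            continue
        switch = part.lstrip("-/").lower()
        if switch in ("e", "ec") or (len(switch) >= 2 and "encodedcommand".startswith(switch)):
            tokens.append(parts[i + 1])
    return tokens


def decode_encoded_command(token: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE; decode it directly instead of
    stripping interleaved nulls as the KQL query does. None if not decodable."""
    if not B64_TOKEN.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event: dict) -> Optional[dict]:
    """Apply the same filters as the Sentinel query to one event; return a
    finding, or None when the event does not match."""
    if "w3wp.exe" not in event["InitiatingProcessFileName"].lower():
        return None
    if "defaultapppool" in event["InitiatingProcessCommandLine"].lower():
        return None
    if event["FileName"].lower() != "cmd.exe":
        return None
    cmdline = event["ProcessCommandLine"]
    if "cmd.exe" not in cmdline.lower() or "powershell" not in cmdline.lower():
        return None
    for token in encoded_command_tokens(cmdline):
        decoded = decode_encoded_command(token)
        if decoded is None:
            continue
        hits = [ind for ind in INDICATORS if ind.lower() in decoded.lower()]
        if hits:
            return {"device": event["DeviceName"], "decoded": decoded, "indicators": hits}
    return None


def _encode_ps(script: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects (for constructed sample input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: one matching the observed chain, two benign.
SAMPLE_EVENTS = [
    {
        "DeviceName": "SP-WFE01",
        "InitiatingProcessFileName": "w3wp.exe",
        "InitiatingProcessCommandLine": 'w3wp.exe -ap "SharePoint - 80" -v "v4.0"',
        "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c powershell -ec " + _encode_ps(
            r'Set-Content -Path "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx" -Value $payload'),
    },
    {   # DefaultAppPool is excluded by the query
        "DeviceName": "SP-WFE01",
        "InitiatingProcessFileName": "w3wp.exe",
        "InitiatingProcessCommandLine": 'w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
        "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c powershell -ec " + _encode_ps("Get-Date"),
    },
    {   # decodes cleanly but carries no ToolShell indicator
        "DeviceName": "SP-WFE02",
        "InitiatingProcessFileName": "w3wp.exe",
        "InitiatingProcessCommandLine": 'w3wp.exe -ap "SharePoint - 80" -v "v4.0"',
        "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c powershell -EncodedCommand "
                              + _encode_ps("Get-SPFarm | Select-Object BuildVersion"),
    },
]


def hunt(events=SAMPLE_EVENTS) -> list:
    """Return the findings for a list of events."""
    return [finding for finding in map(triage_event, events) if finding]


if __name__ == "__main__":
    for finding in hunt():
        print(finding["device"], finding["indicators"], finding["decoded"])
```

Feeding exported DeviceProcessEvents rows (for example a CSV converted to dicts) into hunt() reproduces the Sentinel result set, and the decoded script text in each finding is what an analyst needs to confirm the webshell write before escalating.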
Hunting Query for Webshell File Creation (spinstall0.aspx):
DeviceFileEvents
| where FolderPath has_any ("microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS", "microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS")
| where FileName contains "spinstall"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
CrowdStrike (Falcon Query Language)
Hunting Query for Exploitation Chain (cmd.exe -> PowerShell -> ASPX Write):
correlate(
  cmd: {
    #event_simpleName=ProcessRollup2 event_platform=Win FileName="cmd.exe" ParentBaseFileName="w3wp.exe"
  } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
  pwsh: {
    #event_simpleName=ProcessRollup2 event_platform=Win FileName="powershell.exe"
    | aid <=> cmd.aid
    | ParentProcessId <=> cmd.TargetProcessId
  } include: [aid, ComputerName, TargetProcessId, ParentBaseFileName, FileName, CommandLine],
  aspx: {
    #event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ event_platform=Win FileName=/\.aspx/i
    | aid <=> cmd.aid
    | ContextProcessId <=> pwsh.TargetProcessId
  } include: [aid, ComputerName, TargetFileName],
  sequence=true, within=5m)
Detection Rule for Malicious POST Requests:
#Vendor="microsoft" #event.module="iis" #event.dataset="iis.access" #repo!="xdr*" | http.request.method="POST" url.path="/_layouts/15/ToolPane.aspx" url.query="DisplayMode=Edit&a=/ToolPane.aspx" http.request.referrer="/_layouts/SignOut.aspx" | http.response.status_code =~ in(values=[200,302])
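Not every environment ships IIS logs into a SIEM, so it helps to be able to apply the request signature in that rule (POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, a Referer of /_layouts/SignOut.aspx and a 200 or 302 response) straight against the W3C log files on the server. The Python script below is an added example, not code from the original post or from CrowdStrike: it parses the #Fields directive, evaluates the signature per record, and additionally flags any request for the spinstall0.aspx webshell named in the post. The log lines, host names and client addresses are constructed samples; a legitimate authenticated edit-mode POST is included to show it is not flagged.

```python
"""Added example (not the post's own code): parse IIS W3C access-log lines and
apply the ToolShell request signature from the CrowdStrike rule, plus any
request for the spinstall0.aspx webshell. Log lines are constructed samples."""
from typing import Iterator, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: exploit POST and webshell GET from one client,
# then a legitimate authenticated edit-mode request from an internal user.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 312
2025-07-19 03:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 41
2025-07-19 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jsmith 10.0.0.44 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 200 0 0 120
2025-07-19 03:16:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jsmith 10.0.0.44 Mozilla/5.0 - 200 0 0 15
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; a production parser would log it
        yield dict(zip(fields, values))


def classify(rec: dict) -> Optional[str]:
    """Return a finding label for one record, or None when it is unremarkable."""
    stem = rec["cs-uri-stem"].lower()
    query = parse_qs(rec["cs-uri-query"].lower()) if rec["cs-uri-query"] != "-" else {}
    referer = "" if rec["cs(Referer)"] == "-" else urlsplit(rec["cs(Referer)"]).path.lower()
    try:
        status = int(rec["sc-status"])
    except ValueError:
        return None
    # The unauthenticated ToolPane request with the forged SignOut Referer.
    if (rec["cs-method"].upper() == "POST"
            and stem == "/_layouts/15/toolpane.aspx"
            and query.get("displaymode") == ["edit"]
            and referer.endswith("/_layouts/signout.aspx")
            and status in (200, 302)):
        return "toolshell_auth_bypass_post"
    # Any request for the webshell, whatever the method or status.
    if "spinstall0" in stem:
        return "webshell_request"
    return None


def hunt(text: str = SAMPLE_LOG) -> list:
    """Run classify() over every record and return the findings in log order."""
    findings = []
    for rec in parse_w3c(text):
        label = classify(rec)
        if label:
            findings.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "user": rec["cs-username"],
                "uri": rec["cs-uri-stem"],
                "label": label,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

Pointing hunt() at the contents of the u_ex*.log files under the IIS log directory gives the same hits the SIEM rule would; grouping the findings by client address then shows the exploit POST and the follow-on webshell requests from the same source, which is the sequence the kill chain section describes.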
SentinelOne (Deep Visibility Queries)
Suspicious SharePoint Activity:
dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.parent.name contains "svchost.exe" and src.process.name contains "w3wp.exe" and tgt.process.name contains "cmd.exe" and src.process.cmdline contains "SharePoint"
spinstall0.aspx Execution Traces:
dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.name contains "csc.exe" and tgt.file.path contains "App_Web_spinstall0.aspx"
These queries can be adapted based on your environment and should be run regularly to identify potential compromises.
Conclusion
The ToolShell kill chain exemplifies how chained vulnerabilities can lead to devastating breaches in enterprise environments. By understanding each stage—from reconnaissance to objective achievement—and mapping to frameworks like MITRE ATT&CK, organizations can implement layered defenses to disrupt attacks early. Stay vigilant, patch promptly, and monitor your SharePoint deployments closely. For tailored security assessments, contact Inception Security.