Critical Alert: Protecting Your SharePoint Servers from ToolShell Exploits

Introduction
In recent months, our Managed Detection and Threat Response (MDTR) team has been closely monitoring emerging trends in cybersecurity threats. One area of concern is the critical vulnerability in on-premises Microsoft SharePoint Server tracked as CVE-2025-53770 and publicly known, together with its related CVEs, as ToolShell. While analysing the threat landscape we identified exploitation risk in Nigeria, particularly for internet-facing SharePoint servers that have not yet been patched.

To ensure the safety of our partners and clients, we have proactively notified the Computer Emergency Response Team (CERT) and other stakeholders through our internal communication portal. This blog post aims to provide an overview of the vulnerability, its implications, and recommended actions to mitigate risks.
Understanding the Vulnerability
CVE Overview
- CVE Identifier: CVE-2025-53770
- CVSS Score: 9.8 (Critical)
- Impact: Unauthenticated remote code execution through deserialization of untrusted data. In the attacks observed, the code execution is used to write files (web shells) to the server and to read the ASP.NET MachineKey values (ValidationKey and DecryptionKey) from the SharePoint web application's configuration. With those keys an attacker can sign their own __VIEWSTATE payloads so that the server accepts them as legitimate, which gives full control of the server and persists through patching unless the keys are rotated.
Related Vulnerabilities
CVE-2025-53770 and CVE-2025-53771 are variants of the earlier CVE-2025-49704 (remote code execution) and CVE-2025-49706 (authentication bypass), which were chained into a working unauthenticated exploit demonstrated at Pwn2Own Berlin in May 2025.
Threat Activity
Our investigations have revealed that attackers are actively exploiting this vulnerability to gain unauthorized access to internet-facing SharePoint servers. The exploitation process typically involves:
- Sending crafted, unauthenticated POST requests to the ToolPane.aspx endpoint to obtain code execution.
- Uploading web shells and running PowerShell payloads from that foothold, with no user interaction required.
Note that this vulnerability affects only on-premises SharePoint Server; SharePoint Online in Microsoft 365 is not impacted.
Payloads Observed
Beyond the .aspx web shells typical of this activity, we have also seen .exe and .dll payloads dropped on compromised servers. More recently, threat actors have used this access to deploy Warlock ransomware and encrypt files on compromised systems, as reported by CISA.
Malicious IP Addresses
IP addresses linked to these attacks at the time of writing include the following (defanged; attacker infrastructure changes quickly, so treat this as a starting point rather than a complete list):
- 172.174.82[.]132
- 107.191.58[.]76
- 104.238.159[.]149
- 96.9.125[.]147
- 45.77.155[.]170
Recommended Actions
To protect your systems from this vulnerability, we strongly recommend the following actions:
- Monitor for suspicious activity:
  - Look for POST requests to the /_layouts/15/ToolPane.aspx endpoint, especially from unauthenticated or external sources.
  - Check for unexpected .aspx (and .dll or .exe) files under the SharePoint LAYOUTS directories on your servers.
- Watch for malicious IPs:
  - Search web server and perimeter logs for activity from the IP addresses listed above.
- Apply security updates:
  - Ensure that all relevant Microsoft security updates are applied to your SharePoint servers.
- Rotate ASP.NET MachineKeys:
  - After patching, and on any server suspected of compromise, rotate the ASP.NET MachineKeys and restart IIS. Rotating before patching is not sufficient: an unpatched server can simply be exploited again and the new keys stolen.
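The monitoring steps above can be run over IIS logs directly. The script below is an added example, not code from the original post: it parses IIS W3C log lines, flags POST requests to ToolPane.aspx and requests from the listed IP addresses, and reports why each line was flagged. The default IIS log path and field order are assumptions, and the Referer check on /_layouts/SignOut.aspx comes from public reporting on this exploit chain rather than from this post; the sample log lines are constructed for the example.

```powershell
# Added example (not part of the original post): hunt IIS W3C logs for the
# ToolShell indicators listed above. Assumed, not from the post: the default
# IIS log location and field order, and the SignOut.aspx Referer check, which
# comes from public reporting on this exploit chain.

# Source IPs from the post (dots restored so they match log entries).
$SuspectIPs = @('172.174.82.132', '107.191.58.76', '104.238.159.149',
                '96.9.125.147', '45.77.155.170')

# Parse IIS W3C lines into objects, using each file's own "#Fields:" header so
# the column order does not have to be hard-coded.
function ConvertFrom-IisW3cLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '      # IIS replaces spaces inside values with '+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$entry
    }
}

# Flag each request that matches one or more indicators and say which.
function Find-ToolShellIndicators {
    param([Parameter(Mandatory)][object[]]$Entries)
    foreach ($e in $Entries) {
        $reasons = @()
        if ($e.'cs-method' -eq 'POST' -and $e.'cs-uri-stem' -like '*/_layouts/15/ToolPane.aspx') {
            $reasons += 'POST to ToolPane.aspx'
        }
        if ($e.'cs(Referer)' -like '*/_layouts/SignOut.aspx*') {
            $reasons += 'Referer /_layouts/SignOut.aspx'   # assumption: from public reporting
        }
        if ($SuspectIPs -contains $e.'c-ip') {
            $reasons += 'source IP on watch list'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($e.date) $($e.time)"
                ClientIP = $e.'c-ip'
                Request  = "$($e.'cs-method') $($e.'cs-uri-stem')?$($e.'cs-uri-query')"
                Status   = $e.'sc-status'
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample log so the script runs offline; replace with real files
# (see the usage lines at the end).
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 04:12:33 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\alice 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-19 04:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310
2025-07-19 04:13:05 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 45
'@

$entries = ConvertFrom-IisW3cLog -Lines ($SampleLog -split "`r?`n")
Find-ToolShellIndicators -Entries $entries | Format-Table -AutoSize

# Against a real server (default IIS log path; adjust the site ID or path):
# $real = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log' | Get-Content
# Find-ToolShellIndicators -Entries (ConvertFrom-IisW3cLog -Lines $real) |
#     Export-Csv toolshell-hits.csv -NoTypeInformation
```

On the sample data the benign GET from an internal user is ignored, the POST to ToolPane.aspx is flagged on all three indicators, and the later GET is flagged on source IP alone. ToolPane.aspx is also used legitimately when editing web parts, so a POST from an authenticated internal user is not by itself proof of exploitation; unauthenticated POSTs (cs-username of "-") from external addresses are the ones to escalate.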
For the most up-to-date information on Indicators of Compromise (IoCs) and remediation, please refer to guidance from Microsoft and CISA.
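The server-side checks and the key rotation from the recommended actions can be scripted as well. The following is an added example, not code from the original post or from Microsoft, intended to be run from the SharePoint Management Shell on a server that already has the security update installed. It assumes the default hive paths under Common Files\microsoft shared\Web Server Extensions, a seven-day lookback for recently written files, and the Update-SPMachineKey cmdlet (SharePoint Server 2016 and later).

```powershell
# Added example (not part of the original post): run on an already patched
# on-premises SharePoint server from the SharePoint Management Shell.
# Assumed, not from the post: the default hive paths under
# "Common Files\microsoft shared\Web Server Extensions", a 7-day lookback, and the
# Update-SPMachineKey cmdlet (SharePoint Server 2016 and later).

# No-op inside the SharePoint Management Shell; loads the cmdlets elsewhere.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. List recently created or modified .aspx/.dll/.exe files under LAYOUTS in the
#    15 and 16 hives. Legitimate patches also write to these folders, so compare
#    hits against the patch install time rather than treating every row as a shell.
function Find-RecentLayoutsFiles {
    param([int]$DaysBack = 7)
    $since = (Get-Date).AddDays(-$DaysBack)
    foreach ($hive in '15', '16') {
        $dir = Join-Path $env:CommonProgramFiles "microsoft shared\Web Server Extensions\$hive\TEMPLATE\LAYOUTS"
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.dll, *.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

# 2. Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) for every web
#    application, including Central Administration, then restart IIS so the worker
#    processes pick up the new keys. Do this only after the security update is
#    installed: keys rotated on an unpatched server can simply be stolen again.
#    Rotation invalidates ViewState issued under the old keys, so users may need
#    to reload pages they had open.
function Invoke-MachineKeyRotation {
    param([switch]$WhatIf)
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        if ($WhatIf) { "Would rotate machine key for $($wa.Url)"; continue }
        "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    if (-not $WhatIf) { & iisreset.exe }
}

Find-RecentLayoutsFiles -DaysBack 7 | Format-Table -AutoSize
Invoke-MachineKeyRotation -WhatIf   # drop -WhatIf to perform the rotation
```

Run the file listing first and preserve anything suspicious (copy the file and note its timestamps) before rotating keys, since the rotation and IIS restart will change the server state an incident responder may want to examine. Rotate on every server in the farm, not only the one that served the malicious requests.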
Conclusion
The ToolShell vulnerability poses a significant threat to organizations using on-premises SharePoint servers. Our MDTR team remains vigilant and committed to ensuring the security of our partners and clients. We encourage all organizations to assess their current services, take the necessary precautions, and stay informed about the latest developments. By working together, we can enhance our defenses against potential exploitation attempts and safeguard our digital environments.
