On July 19 and 20, 2025, Microsoft released out-of-band patches for a series of vulnerabilities affecting on-premises SharePoint Server, following reports of active exploitation by multiple threat actors.
The exploit chain, dubbed ToolShell, combines previously patched flaws with new zero-day vulnerabilities to bypass authentication and execute remote code on vulnerable SharePoint instances.
ToolShell chains five vulnerabilities to reach that outcome. The exploit requires only a single unauthenticated POST request, making it highly attractive to threat actors looking for low-effort, high-impact entry points.
The first flaw, tracked as CVE-2025-49706, enables attackers to spoof authentication headers, while CVE-2025-49704 allows remote code execution via unsafe XML deserialization.
The two newer zero-days, CVE-2025-53770 and CVE-2025-53771, bypass Microsoft’s initial patches with only minor changes, such as appending a slash to the vulnerable endpoint. Fortinet also notes the reintroduction of CVE-2020-1147, a legacy deserialization flaw, into the exploit chain.
The vulnerabilities have been exploited in targeted attacks across government, finance, and manufacturing sectors. Both Microsoft and Fortinet have noted that Chinese nation-state actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, are actively leveraging these flaws to deploy web shells and ransomware.
Analyst insight
Microsoft released updated patches that address all known bypasses associated with ToolShell. Organizations running on-premises SharePoint Server are strongly advised to apply these updates.
In addition to patching, administrators should audit access logs for suspicious POST requests to ToolPane.aspx, review firewall rules to restrict access to vulnerable endpoints, and monitor for signs of unauthorized deserialization activity.
Organizations should treat SharePoint infrastructure as a high-value asset and implement layered defenses that go beyond patching. Network segmentation, endpoint monitoring, and behavioral analytics are essential tools in defending against rapidly evolving threats like ToolShell.
Field Effect MDR detects the ToolShell threat using behavioral analytics and telemetry-based detection to identify suspicious activity across endpoints and network traffic.
Specifically, Field Effect detects anomalous POST requests to vulnerable SharePoint endpoints like ToolPane.aspx, flags unauthorized deserialization attempts, and detects web shell deployment patterns such as the creation of spinstall0.aspx. It also correlates process behavior, like w3wp.exe spawning PowerShell or CMD processes, to identify post-exploitation activity consistent with ToolShell campaigns.
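The detection guidance above (suspicious POST requests to ToolPane.aspx, including the trailing-slash bypass variant, creation of or requests to spinstall0.aspx, and w3wp.exe spawning cmd or PowerShell) as a small Python triage script. This is an added example, not Field Effect's detection logic; the log lines and process events are constructed, and the /_layouts/15/ path prefix, the W3C field order and the process-event shape are assumptions.

```python
import re

# Added example, not Field Effect's detection code. Sample data below is
# constructed; the /_layouts/15/ path prefix, the W3C field order and the
# process-event shape are assumptions about a typical SharePoint/IIS host.

TOOLPANE_RE = re.compile(r"/toolpane\.aspx/*$", re.IGNORECASE)  # also catches the trailing-slash bypass
WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}

SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-07-19 10:01:02 GET /_layouts/15/start.aspx - 443 10.0.0.5 Mozilla/5.0 200
2025-07-19 10:02:15 POST /_layouts/15/ToolPane.aspx - 443 203.0.113.7 python-requests/2.32 200
2025-07-19 10:02:16 POST /_layouts/15/ToolPane.aspx/ - 443 203.0.113.7 python-requests/2.32 200
2025-07-19 10:03:00 GET /_layouts/15/spinstall0.aspx - 443 203.0.113.7 curl/8.0 200
"""

SAMPLE_PROCESS_EVENTS = [  # constructed parent/child process-creation records
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def flag_iis_requests(log_text):
    """Return (client_ip, indicator, uri) for POSTs to ToolPane.aspx (with or
    without a trailing slash) and for any request touching spinstall0.aspx."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directives
        fields = line.split()
        if len(fields) < 7:
            continue
        method, uri, client_ip = fields[2], fields[3], fields[6]
        if method == "POST" and TOOLPANE_RE.search(uri):
            hits.append((client_ip, "toolpane-post", uri))
        elif WEBSHELL_RE.search(uri):
            hits.append((client_ip, "webshell-request", uri))
    return hits

def flag_process_tree(events):
    """Return events where the IIS worker (w3wp.exe) spawned cmd or PowerShell."""
    return [e for e in events
            if e["parent"].rsplit("\\", 1)[-1].lower() == "w3wp.exe"
            and e["image"].rsplit("\\", 1)[-1].lower() in SHELLS]

if __name__ == "__main__":
    for hit in flag_iis_requests(SAMPLE_IIS_LOG):
        print("IIS:", hit)
    for ev in flag_process_tree(SAMPLE_PROCESS_EVENTS):
        print("PROC:", ev["parent"], "->", ev["image"])
```

Legitimate page editing also POSTs to ToolPane.aspx, so treat the IIS hits as triage leads to correlate with authentication state, user agent and the process-tree findings rather than as confirmed compromise on their own.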
Field Effect customers affected by these vulnerabilities would have received AROs alerting them to this threat.