The Cybersecurity and Infrastructure Security Agency (CISA) has released a dire warning to organizations, urging immediate action against a widespread and actively exploited attack chain dubbed “ToolShell” that’s targeting on-premises Microsoft SharePoint servers. The sophisticated campaign, which has been attributed to at least three state-sponsored Chinese threat actors, leverages a chain of vulnerabilities to bypass authentication, achieve remote code execution, and establish persistent access to compromised networks.
The ToolShell exploit chain is not a single flaw but a combination of vulnerabilities that lets attackers take full control of a vulnerable server without authenticating. It relies on two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771. Both are bypasses of fixes Microsoft shipped only days earlier in its July 2025 updates (for CVE-2025-49704 and CVE-2025-49706, respectively), showing how quickly the attackers reworked their technique once the original bugs were patched.
Attackers exploiting ToolShell first bypass authentication using a path traversal flaw (CVE-2025-53771) and then use an insecure deserialization vulnerability (CVE-2025-53770) to execute arbitrary code on the server. Successful exploitation lets them read SharePoint's ASP.NET machine keys, the ValidationKey and DecryptionKey that sign and encrypt ViewState. With those keys an attacker can craft signed ViewState payloads the server will deserialize as legitimate, so access survives the security update itself: patching closes the initial hole, but only rotating the keys evicts an attacker who has already copied them.
Widespread Impact and Mitigation
Security researchers estimate that hundreds of organizations globally have been affected, including government agencies and critical infrastructure operators. The attack poses a significant threat as a compromised SharePoint server can serve as a launchpad for lateral movement, providing access to other connected Microsoft services like Teams, OneDrive, and Outlook.
Microsoft has released emergency security updates for all supported on-premises versions of SharePoint Server (Subscription Edition, 2019, and 2016); SharePoint 2013 and earlier are out of support and receive no fix. CISA and Microsoft strongly recommend that administrators apply these updates immediately. Patching alone, however, is not sufficient. Any server that was reachable from the internet before the update was installed should be treated as compromised, and the additional steps below are required.
What to Do Now
In addition to applying the latest security patches, organizations must take the following steps to mitigate the threat and prevent re-entry:
- Rotate ASP.NET machine keys: Because stolen keys let attackers forge valid requests regardless of the patch, rotate the ValidationKey and DecryptionKey after the update is installed (via the machine key rotation timer job in Central Administration or the equivalent SharePoint PowerShell cmdlet) and then restart IIS so the new keys take effect. Keys rotated before the fix was installed must be rotated again afterward.
- Enable the Antimalware Scan Interface (AMSI): Ensure SharePoint's AMSI integration is enabled in Full Mode, and deploy Microsoft Defender Antivirus or an equivalent endpoint detection and response (EDR) solution on every SharePoint server.
- Hunt for indicators of compromise (IoCs): Check the LAYOUTS directory under Microsoft Shared\Web Server Extensions for the spinstall0.aspx web shell (and similarly named files), search IIS logs for requests to it and for POST requests to /_layouts/15/ToolPane.aspx whose Referer is /_layouts/SignOut.aspx, and match client IP addresses against the campaign's published indicator lists.
- Adopt a Zero Trust model: This incident highlights the need for a Zero Trust approach, in which no user or device is trusted by default regardless of its location on the network, so that a compromised SharePoint server cannot be used freely to reach the rest of the environment.
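The IIS log hunt from the list above, and the authentication-bypass step described in the attack-chain paragraph earlier, as an added example that is not part of the original article or of any Microsoft or CISA tooling: a Python script that parses IIS W3C log lines, flags requests for the spinstall0.aspx web shell and the ToolPane.aspx/SignOut.aspx request pattern that corresponds to the authentication bypass, and matches client addresses against a caller-supplied set of bad IPs. The log lines are constructed sample data, the bad-IP set is a placeholder rather than a real indicator feed, and the field layout, hostnames and variant web-shell names are assumptions for the example; feed it your own logs and indicator list.

```python
"""Hunt for ToolShell indicators in IIS W3C logs from a SharePoint server.

Added example: the log below is constructed sample data, not from a real
incident, and the bad-IP set is a placeholder for the indicator list your
organisation actually consumes.
"""
import re
from dataclasses import dataclass

# Field order assumed when a log carries no "#Fields:" directive (an assumed, trimmed W3C set).
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
                  "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]

# Web shell dropped by the campaign (spinstall0.aspx; numbered variants are assumed possible).
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx$", re.IGNORECASE)
# Request pattern of the authentication bypass: POST to ToolPane.aspx with a SignOut.aspx Referer.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/ToolPane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(?:1[56]/)?SignOut\.aspx", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str        # which indicator matched
    line_no: int     # 1-based line number in the log text
    client_ip: str
    method: str
    uri: str
    status: str


def parse_iis_log(text: str) -> list[dict]:
    """Parse W3C extended log lines into dicts keyed by field name.

    Honours "#Fields:" directives so a file logged with a different column
    set still maps correctly; lines with the wrong column count are skipped
    rather than guessed at.
    """
    fields = DEFAULT_FIELDS
    records = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        record = dict(zip(fields, parts))
        record["_line"] = line_no
        records.append(record)
    return records


def hunt(records: list[dict], bad_ips: frozenset = frozenset()) -> list[Finding]:
    """Return one Finding per indicator match, in log order."""
    findings = []
    for r in records:
        stem = r.get("cs-uri-stem", "")
        referer = r.get("cs(Referer)", "-")
        common = dict(line_no=r["_line"], client_ip=r.get("c-ip", "-"),
                      method=r.get("cs-method", "-"), uri=stem, status=r.get("sc-status", "-"))
        # A POST to ToolPane.aspx claiming to come from SignOut.aspx is the bypass signature;
        # a real editor opens ToolPane from a site page and is logged with a username.
        if (r.get("cs-method", "").upper() == "POST" and TOOLPANE_RE.search(stem)
                and SIGNOUT_REFERER_RE.search(referer)):
            findings.append(Finding("toolpane-auth-bypass", **common))
        # Any request for the web shell matters: 200 means it was served, 404 still shows probing.
        if WEBSHELL_RE.search(stem):
            findings.append(Finding("webshell-access", **common))
        if r.get("c-ip") in bad_ips:
            findings.append(Finding("known-bad-ip", **common))
    return findings


def suspicious_ips(findings: list[Finding]) -> list[str]:
    """Distinct client addresses behind any finding, for pivoting into firewall and proxy logs."""
    return sorted({f.client_ip for f in findings})


# Constructed sample log; 203.0.113.0/24 is documentation address space, not a real attacker.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 - 200
2025-07-19 10:02:14 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 10:02:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 10:05:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.30 Mozilla/5.0 https://sp.contoso.local/sites/hr/default.aspx 200
"""

if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    # Placeholder indicator set; replace with the campaign IP list you actually consume.
    for f in hunt(recs, bad_ips=frozenset({"203.0.113.7"})):
        print(f"line {f.line_no}: {f.rule:22} {f.client_ip} {f.method} {f.uri} -> {f.status}")
    print("pivot on:", suspicious_ips(hunt(recs)))
```

The legitimate administrator's GET to ToolPane.aspx on the last sample line is deliberately not flagged: the bypass rule keys on the method and the SignOut.aspx Referer rather than on the page name alone, which keeps the hunt from drowning in normal page-edit traffic. A hit on the web shell rule with status 200 means the shell was already in place and served, so treat the machine keys as stolen and rotate them.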