The attack campaign, first detected on July 18, 2025, has compromised dozens of on-premise SharePoint servers globally, enabling attackers to gain complete system control without authentication.
The ToolShell exploit leverages a combination of two previously demonstrated vulnerabilities from Pwn2Own Berlin: CVE-2025-49706 and CVE-2025-49704.
Attackers exploit the /_layouts/15/ToolPane.aspx endpoint by sending a specific HTTP Referer header, /_layouts/SignOut.aspx, which bypasses the authentication check entirely.
The attack begins with a POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx, which allows unauthenticated file uploads to the SharePoint server. Security researchers noticed the anomalous behavior when IIS logs showed the Referer set to /_layouts/SignOut.aspx, indicating that requests which should never have passed authentication were successfully executing malicious code.
The exploit deploys a PowerShell payload that creates a malicious ASPX file called spinstall0.aspx in the path C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS (the 8.3 short-name form of the SharePoint LAYOUTS directory).
This file, likely created using SharPyShell, extracts cryptographic secrets, including the ValidationKey, from the SharePoint server’s MachineKey configuration.
The deployed spinstall0.aspx file (SHA256: 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514) serves as a crypto dumper that extracts critical server secrets through .NET reflection methods.
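The two log indicators described above (a ToolPane.aspx request carrying the SignOut.aspx Referer, and any request for the dropped spinstall0.aspx file) can be hunted for directly in IIS W3C logs. The following is an added example for defenders, not code from the original article or from any of the researchers it cites; the log lines are constructed sample data with documentation IP addresses, and the field list mirrors a typical IIS #Fields header.

```python
from typing import Dict, Iterator, List

# Constructed sample of an IIS W3C log (not real server data): one ToolShell-pattern request,
# one request for the dropped web shell name, and one benign authenticated page edit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx 200
2025-07-18 14:02:13 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-18 14:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\jdoe 10.0.1.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126.0 https://sp.example.test/sites/hr/default.aspx 200
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the most recent #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS encodes spaces inside values as '+', so whitespace split is safe
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_toolshell_indicators(text: str) -> List[Dict[str, str]]:
    """Return suspicious requests, each with the reason it matched."""
    hits: List[Dict[str, str]] = []
    for req in parse_w3c(text):
        stem = req.get("cs-uri-stem", "").lower()
        referer = req.get("cs(Referer)", "").lower()
        reason = None
        # Indicator 1: ToolPane.aspx (at any site-relative path) with the sign-out page as Referer.
        if stem.endswith("/_layouts/15/toolpane.aspx") and referer.endswith("/_layouts/signout.aspx"):
            reason = "ToolPane.aspx request with SignOut.aspx Referer (authentication bypass pattern)"
        # Indicator 2: any request for the dropped file name, regardless of method or status.
        elif stem.endswith("/spinstall0.aspx"):
            reason = "request for spinstall0.aspx (known dropped web shell name)"
        if reason:
            hits.append({
                "time": f"{req.get('date', '?')} {req.get('time', '?')}",
                "c-ip": req.get("c-ip", "?"),
                "user": req.get("cs-username", "-"),
                "uri": req.get("cs-uri-stem", ""),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in find_toolshell_indicators(SAMPLE_LOG):
        print(hit)
```

A match on either indicator warrants treating the host as compromised and moving to the isolation and key-rotation steps the advisory describes, since a successful request at this point implies the MachineKey material may already have been read.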
The malicious code invokes System.Web.Configuration.MachineKeySection to retrieve ValidationKey, DecryptionKey, and other cryptographic material essential for generating valid __VIEWSTATE payloads.
Once attackers obtain these keys, they can use tools like ysoserial to craft legitimate, signed ViewState tokens that execute arbitrary commands.
This technique mirrors the CVE-2021-28474 vulnerability but now requires no authentication, creating a complete RCE chain. The extracted keys follow the format: [A-Z0-9]{64}|HMACSHA256|[A-Z0-9]{64}|Auto|Framework20SP1.
Eye Security’s scanning of over 8,000 SharePoint environments revealed widespread compromise, with exploitation waves originating from IP addresses including 107.191.58.76 and 104.238.159.149.
The attacks used a Mozilla Firefox 120.0 user agent string and targeted SharePoint servers on July 18 and 19, 2025.
Microsoft has issued official advisories for CVE-2025-53770 and CVE-2025-53771, confirming active exploitation.
Organizations must immediately isolate affected SharePoint servers, rotate all cryptographic keys, and engage incident response teams.
Simply blocking network access is insufficient as persistence mechanisms may already be installed on compromised systems.
The vulnerability affects on-premise SharePoint installations and poses severe risks, including data theft, lateral movement, and long-term persistence through compromised cryptographic material.
The post SharePoint Zero-Day RCE Flaw Exploited to Gain Full Server Control appeared first on Cyber Security News.