Patch Now: SharePoint Servers at Risk of New RCE Attack

Patch SharePoint Now: Microsoft Servers at Risk of New ToolShell RCE Attack

If exploited, attackers gain full access to SharePoint content and can potentially pivot to connected Microsoft services such as Outlook, Teams, and OneDrive. Learn how to protect your SharePoint server from compromise.

Written by Fiona Jackson
Jul 21, 2025

A critical remote code execution (RCE) vulnerability in on-premises Microsoft SharePoint Server is being actively exploited in the wild. A successful attacker gains full access to SharePoint content, can deploy further malicious code, and can potentially move laterally into connected Microsoft services such as Outlook, Teams, and OneDrive, because SharePoint typically shares identities and trust relationships with them.

Microsoft fixed the two vulnerabilities behind the exploit chain, named ToolShell (CVE-2025-49706, an authentication bypass, and CVE-2025-49704, a deserialisation RCE), in July's Patch Tuesday rollout on July 8. On July 18, Eye Security nevertheless found dozens of servers being actively compromised with ToolShell. The giveaway was that attackers were writing files to the server and achieving RCE without any prior authentication, which meant they were using two new zero-day variants, CVE-2025-53770 and CVE-2025-53771, that bypass Microsoft's July 8 patches.

How the ToolShell RCE attack works

Attackers send a crafted HTTP POST to the ToolPane.aspx page (/_layouts/15/ToolPane.aspx?DisplayMode=Edit) of an on-premises SharePoint Server; SharePoint Server 2016, 2019 and Subscription Edition are affected, while SharePoint Online is not. The endpoint's authentication check is defeated by a spoofing trick in the request (CVE-2025-53771), and the serialised data in the request body is deserialised by the server (CVE-2025-53770), so the attacker needs no valid credentials. The deserialised payload executes on the server and writes a web shell, spinstall0.aspx, into SharePoint's LAYOUTS directory.

The spinstall0.aspx web shell needs no further vulnerability to do its job: a simple GET request to it returns the server's ASP.NET MachineKey configuration, including the ValidationKey and DecryptionKey. With the ValidationKey in hand, the attacker uses the ysoserial.net gadget tool to generate __VIEWSTATE payloads that carry a correct message authentication code, which the server treats exactly as if it had produced them itself.

Any gadget chain embedded in such a correctly signed payload is deserialised and executed by the server, so the attacker can exfiltrate data, install additional backdoors, or modify site content. Because the stolen key stays valid until it is rotated, this access survives patching and deletion of the web shell.

ToolShell was first demonstrated as an exploit chain at the Pwn2Own hacking competition at OffensiveCon Berlin in May 2025 by Dinh Ho Anh Khoa of Viettel Cyber Security. The German cyber security firm CODE WHITE later reproduced it in a proof of concept.

How to protect your SharePoint server from compromise

  • Deploy the out-of-band security updates from Microsoft for SharePoint Server Subscription Edition and SharePoint Server 2019. No update was available for SharePoint Server 2016 at the time of publication.
  • Monitor for indicators of compromise, such as POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, the presence of a spinstall0.aspx file in the LAYOUTS directory, and traffic from the malicious IP addresses 107.191.58[.]76, 104.238.159[.]149 and 96.9.125[.]147.
  • Adjust the intrusion prevention system and web application firewall to block serialised payload patterns and forged __VIEWSTATE requests.
  • Minimise layout and administrative privileges within the SharePoint environment.
  • Enable the Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint servers.
  • If AMSI cannot be enabled, disconnect public-facing SharePoint services from the internet until appropriate mitigation measures are in place.
  • If no appropriate mitigations are available, either discontinue use of the products or follow the applicable BOD 22-01 guidance for cloud services (the standard wording CISA attaches to entries in its Known Exploited Vulnerabilities catalogue).
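The following PowerShell script is an added example, not code from the article or from Eye Security, that turns the monitoring bullet above into a check an administrator can run on a SharePoint web front end. It parses IIS W3C logs for the ToolPane.aspx POST pattern, the article's three source IPs and requests for spinstall0.aspx, then looks for the web shell on disk. The default IIS log path and SharePoint LAYOUTS path are assumptions; the SignOut.aspx Referer check comes from Eye Security's published indicators rather than from this article; and the log lines are constructed so the script runs offline.

```powershell
# Added example (not from the original article): hunt IIS W3C logs for ToolShell indicators.
# Assumptions: default IIS log location and the W3C field layout used in the constructed sample;
# adjust $LogRoot, $layouts and the field names to match your servers' configuration.

$KnownBadIps = @('107.191.58.76', '104.238.159.149', '96.9.125.147')   # source IPs named in the article
$LogRoot     = 'C:\inetpub\logs\LogFiles'                                # assumption: default IIS log path

# Constructed sample log content so the script runs offline; replace with Get-Content on real logs.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:21:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.40 Mozilla/5.0 - 200
2025-07-18 10:22:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:22:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200
'@

function Find-ToolShellIndicators {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        # A "#Fields:" directive defines the column order for the lines that follow it.
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }

        # IIS replaces spaces inside field values with '+', so whitespace splitting is safe.
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $reasons = @()
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem'] -like '*/ToolPane.aspx' -and
            $row['cs-uri-query'] -match 'DisplayMode=Edit') {
            $reasons += 'POST to ToolPane.aspx?DisplayMode=Edit'
            if ($row['cs(Referer)'] -like '*/SignOut.aspx') { $reasons += 'SignOut.aspx Referer (Eye Security indicator)' }
        }
        if ($row['cs-uri-stem'] -like '*spinstall0*') { $reasons += 'spinstall0.aspx requested' }
        if ($KnownBadIps -contains $row['c-ip'])       { $reasons += 'known ToolShell source IP' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Request  = "$($row['cs-method']) $($row['cs-uri-stem'])"
                Status   = $row['sc-status']
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# 1. Scan the constructed sample; swap in the commented line to read every IIS log under $LogRoot.
$lines = $SampleLog -split "`r?`n"
# $lines = Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' | Get-Content
Find-ToolShellIndicators -Lines $lines | Format-Table -AutoSize

# 2. Look for the dropped web shell in the SharePoint hive (assumption: default install path).
$layouts = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime
```

On the sample above the second and third lines are flagged (the ToolPane POST with the SignOut Referer from a known IP, then the fetch of spinstall0.aspx) and the legitimate start.aspx request is not. A hit on any single reason warrants investigation; a hit on the ToolPane POST followed by a 200 for spinstall0.aspx from the same client means the machine keys should be treated as stolen.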

What to do if you suspect your SharePoint server has been compromised

If you suspect your company’s SharePoint server has been compromised, you should:

  • Isolate or shut down the affected SharePoint servers.
  • Rotate all credentials and cryptographic material that could have been exposed through spinstall0.aspx. In particular, rotate the ASP.NET machine keys (ValidationKey and DecryptionKey) on every web application and restart IIS, because an attacker holding the old keys can keep forging valid __VIEWSTATE payloads after the web shell is removed and the patch is applied.
  • Engage a cyber security team to check whether the attackers have maintained persistence through backdoors or other methods. They can also scan for historic indicators of compromise and update the firewall rules and intrusion prevention system.
