Full Report
ESET Research has been monitoring attacks involving the recently discovered ToolShell zero-day vulnerabilities
Analysis Summary
# Vulnerability: ToolShell Zero-Day Exploitation in Microsoft SharePoint Server
## CVE Details
- **CVE ID**: CVE-2025-53770 (Remote Code Execution), CVE-2025-53771 (Server Spoofing). Note: This chain often includes prerequisite vulnerabilities CVE-2025-49704 and CVE-2025-49706.
- **CVSS Score**: Score/Severity not explicitly provided for the main CVEs in the text, but the exploitation indicates **High** severity.
- **CWE**: Not explicitly specified, but related to insecure deserialization/input validation leading to RCE.
## Affected Systems
- **Products**: Microsoft SharePoint Server (On-premises only).
- **Versions**: SharePoint Subscription Edition, SharePoint 2019, SharePoint 2016.
- **Configurations**: SharePoint Online in Microsoft 365 is **not** impacted.
## Vulnerability Description
The "ToolShell" vulnerability is a set of zero-day flaws in on-premises Microsoft SharePoint servers that are actively being exploited. CVE-2025-53770 is a Remote Code Execution (RCE) vulnerability, and CVE-2025-53771 is a server spoofing vulnerability. Attackers chain these two vulnerabilities, often alongside previously existing flaws (CVE-2025-49704 and CVE-2025-49706), to gain unauthorized entry. Successful exploitation allows threat actors to bypass MFA and SSO, gain entry to restricted systems, deploy malicious webshells (e.g., `spinstall0.aspx`, `ghostfile*.aspx`), and subsequently execute commands via `cmd.exe` for data exfiltration.
## Exploitation
- **Status**: **Exploited in the wild** (Observed starting July 17th, 2025, by cybercriminals and APT groups, including LuckyMouse).
- **Complexity**: Likely **Medium/Low**, as successful exploitation bypasses MFA/SSO.
- **Attack Vector**: **Network** (Exploiting public-facing application).
## Impact
- **Confidentiality**: **High** (Ability to steal sensitive information and deploy backdoors).
- **Integrity**: **High** (Ability to execute arbitrary commands and deploy persistent webshells).
- **Availability**: **Medium/High** (Impacted by webshell deployment and potential system disruption).
## Remediation
### Patches
- As of July 22nd, 2025, **[CVE-2025-53770 and CVE-2025-53771 have been patched]**. Administrators should apply the relevant security updates released by Microsoft for SharePoint Server 2016, 2019, and Subscription Edition immediately.
### Workarounds
- No explicit vendor workarounds are listed in the provided text, but immediate patching is treated as the primary fix. Isolation/segmentation of SharePoint servers pending patching would serve as a general mitigation.
## Detection
- **Indicators of Compromise**: Presence of suspicious ASPX webshell files, particularly those named `spinstall0.aspx`, `ghostfile346.aspx`, `ghostfile399.aspx`, `ghostfile807.aspx`, `ghostfile972.aspx`, or `ghostfile913.aspx`.
- **Detection Methods and Tools**: Monitoring for network connections originating from known attacker IPs listed in Table 1 (e.g., 96.9.125[.]147, 107.191.58[.]76, etc.) targeting SharePoint services. Endpoint detection tools should look for executable commands (`cmd.exe`) spawned by SharePoint processes or unexpected file creations in web application directories. ESET products detected exploitation attempts using the signature `Sharepoint/Exploit.CVE-2025-49704`.
## References
- Microsoft Customer Guidance for SharePoint Vulnerability CVE-2025-53770: hxxps://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- Microsoft Disruption Update: hxxps://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/