A zero-day exploit chain—ToolShell—targets on-prem Microsoft SharePoint servers via CVE-2025-53770 & CVE-2025-53771. Learn how attackers achieve RCE, persist access post-patch, and how to defend using YARA rules, Nuclei templates, and Recorded Future’s threat intelligence.
Analysis Summary
# Vulnerability: Actively Exploited ToolShell Exploit Chain Targeting SharePoint Servers
## CVE Details
- CVE ID: CVE-2025-53770, CVE-2025-53771 (Note: Multiple vulnerabilities are involved in the chain)
- CVSS Score: Not explicitly stated, but described as **critical** for both.
- CWE: Insecure Deserialization (CVE-2025-53770), Path Traversal (CVE-2025-53771)
## Affected Systems
- Products: Microsoft SharePoint Servers (On-premises only)
- Versions: Specific versions are not listed, but the scope is *on-premises* SharePoint Servers, particularly those configured with hybrid Active Directory Federation Services (ADFS). SharePoint Online in Microsoft 365 is **not** impacted.
- Configurations: On-premises deployment with hybrid ADFS configuration is highlighted.
## Vulnerability Description
The "ToolShell" exploit chain leverages two critical, unauthenticated vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve Remote Code Execution (RCE) on vulnerable on-premises SharePoint servers.
- **CVE-2025-53770:** Exploits insecure deserialization for RCE.
- **CVE-2025-53771:** Bypasses authentication controls via path traversal.
Successful exploitation results in the theft of SharePoint's `ValidationKey` and `DecryptionKey` (ASP.NET machine keys), granting the attacker persistent access even after other infrastructure patches are applied. A recent iteration uses an in-memory ToolShell payload to exfiltrate these keys via a single HTTP request, avoiding static file artifacts.
## Exploitation
- Status: **Actively being exploited in the wild** (Mass exploitation campaign confirmed).
- Complexity: Implied to be relatively **low** given the mass exploitation and unauthenticated nature.
- Attack Vector: **Network** (Remote, unauthenticated access).
## Impact
- Confidentiality: **High** (Theft of cryptographic keys allows persistent access and likely data disclosure).
- Integrity: **High** (Remote Code Execution allows system modification).
- Availability: **Medium/High** (System compromise can lead to service disruption).
## Remediation
### Patches
- Specific Microsoft patch numbers for CVE-2025-53770 and CVE-2025-53771 are **not provided** in the text. Organizations are urged to apply vendor patches immediately upon release.
### Workarounds
- **Proactively rotate all cryptographic keys** (ValidationKey and DecryptionKey) regardless of whether suspicious files are found, as keys can be stolen post-exploitation.
## Detection
- **Indicators of Compromise (IoCs):**
  - Static artifacts (from older variants): `osvmhdfl.dll` (SHA256: `3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997`), `spinstall0.aspx`, `cve.ps1`, `App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll`.
  - **New TTP:** Look for in-memory payloads executing HTTP requests for key exfiltration, as static web shells may be absent.
- **Detection Methods and Tools:**
  - Use provided **YARA rules** to detect the in-memory ToolShell payload.
  - Deploy **Nuclei templates** (mentioned as available).
  - Use endpoint or network monitoring to search for outbound HTTP requests originating from web service processes that are attempting to exfiltrate configuration or key data.
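The following is an added detection sketch, not code from Recorded Future or Microsoft, that applies both halves of the Detection section to endpoint telemetry: the static file-name and SHA-256 indicators listed above, and the behavioural indicator of a web service process making an outbound HTTP request that carries ASP.NET machine-key material. The telemetry records are constructed for the example; the event schema (`type`, `process`, `path`, `sha256`, `url`, `body`), the choice of `w3wp.exe` as the SharePoint web process (the IIS worker process), and the "48 or more hex characters" heuristic for key material are assumptions, not facts from the summary.

```python
"""Added example: evaluate constructed endpoint telemetry against the ToolShell
indicators in the summary above. Schema, process name and hex-length heuristic
are assumptions made for this example."""
import re
from dataclasses import dataclass

# Static indicators copied verbatim from the summary (older ToolShell variants).
IOC_FILENAMES = {
    "osvmhdfl.dll",
    "spinstall0.aspx",
    "cve.ps1",
    "App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll",
}
IOC_FILENAMES_LOWER = {name.lower() for name in IOC_FILENAMES}  # NTFS is case-insensitive
IOC_SHA256 = {"3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997"}

# Assumption: SharePoint pages execute inside the IIS worker process.
WEB_PROCESSES = {"w3wp.exe"}

# Behavioural heuristics for key exfiltration: the machine-key field names, or a
# long hex blob (ASP.NET machine keys are hex strings). Length threshold is an assumption.
KEY_NAME_RE = re.compile(r"(validation|decryption)\s*key", re.IGNORECASE)
HEX_BLOB_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{48,}(?![0-9A-Fa-f])")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    # Accept Windows or POSIX separators; compare case-insensitively.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_file_event(ev: dict) -> list[Finding]:
    """Match a file-creation record against the static IoCs (name or hash)."""
    findings = []
    if _basename(ev.get("path", "")) in IOC_FILENAMES_LOWER:
        findings.append(Finding("toolshell_static_filename", ev["host"], ev["path"]))
    if ev.get("sha256", "").lower() in IOC_SHA256:
        findings.append(Finding("toolshell_static_hash", ev["host"], ev["path"]))
    return findings


def check_http_event(ev: dict) -> list[Finding]:
    """Flag outbound HTTP from a web service process that carries key-like data."""
    if ev.get("direction") != "outbound":
        return []
    if ev.get("process", "").lower() not in WEB_PROCESSES:
        return []
    payload = " ".join((ev.get("url", ""), ev.get("body", "")))
    reasons = []
    if KEY_NAME_RE.search(payload):
        reasons.append("machine-key field name")
    if HEX_BLOB_RE.search(payload):
        reasons.append("long hex blob")
    if not reasons:
        return []  # ordinary outbound traffic from the web process (e.g. to ADFS)
    detail = f"{ev['process']} -> {ev.get('url', '')} ({', '.join(reasons)})"
    return [Finding("toolshell_key_exfil_http", ev["host"], detail)]


def scan(events: list[dict]) -> list[Finding]:
    """Run every record through the matching check and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        if ev.get("type") == "file_create":
            findings.extend(check_file_event(ev))
        elif ev.get("type") == "net_http":
            findings.extend(check_http_event(ev))
    return findings


# Constructed sample telemetry (not real data); hashes and hosts are placeholders.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "sp01", "process": "w3wp.exe",
     "path": r"C:\inetpub\wwwroot\LAYOUTS\spinstall0.aspx", "sha256": "00" * 32},
    {"type": "file_create", "host": "sp01", "process": "w3wp.exe",
     "path": r"C:\Windows\Temp\x.dll",
     "sha256": "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997"},
    {"type": "net_http", "host": "sp01", "process": "w3wp.exe", "direction": "outbound",
     "url": "http://198.51.100.23/c",
     "body": "ValidationKey=" + "A" * 128 + "&DecryptionKey=" + "B" * 64},
    {"type": "net_http", "host": "sp01", "process": "w3wp.exe", "direction": "outbound",
     "url": "https://sts.example.com/adfs/ls/?wa=wsignin1.0", "body": ""},  # benign
    {"type": "net_http", "host": "sp01", "process": "powershell.exe", "direction": "outbound",
     "url": "https://updates.example.com/", "body": "C" * 64},  # not a web process
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Running the block on the constructed records yields three findings: one file-name match, one hash match, and one outbound request from `w3wp.exe` carrying key material. The benign ADFS sign-in request from the same process and the outbound request from a non-web process produce nothing, which is the point of combining the process filter with the content heuristic rather than alerting on either alone.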
## References
- Vendor advisories (Microsoft): Required, but not linked.
- Relevant links:
  - Researcher disclosure details (defanged): hXXps://x.com/Gi7w0rm/status/1948027800591466773
  - YARA Rule Source (defanged): hXXps://cms.recordedfuture.com/uploads/MAL_Tool_Shell_4eab68f2e0.yar
  - Previous exploitation details (defanged): hXXps://tria.ge/250723-tes3qshj6t/behavioral1
  - Bloomberg report (defanged): hXXps://www.bloomberg.com/news/articles/2025-07-23/tally-of-microsoft-victims-surges-as-hackers-race-to-capitalize