China-linked ToolShell hacking group's exploits associated with Microsoft's SharePoint platform
A critical remote code execution (RCE) vulnerability, CVE-2025-53770, has been identified in Microsoft's SharePoint Server. This flaw, with a CVSS rating of 9.8, is currently being actively exploited in the wild, primarily affecting on-premise SharePoint servers.
The vulnerability is part of a multi-stage exploit chain, often referred to as the "ToolShell" attack chain. Attackers exploit this vulnerability by sending a specially crafted HTTP request to the /layouts/15/ToolPane.aspx endpoint, using a unique Referer header value. This bypasses authentication and allows the upload of a malicious ASPX web shell named spinstall0.aspx.
Once deployed, the web shell extracts the server’s cryptographic MachineKey, including the ValidationKey, enabling attackers to create valid signed __VIEWSTATE payloads for unauthenticated remote code execution. The exploit chain also leverages other vulnerabilities, such as CVE-2025-49704 and CVE-2025-49706, to gain full access to SharePoint content, execute code remotely, and maintain persistence.
The threat landscape is characterised by multi-actor, deliberate campaigns that are highly capable and designed for persistence, even surviving patch applications. Attackers have been seen deploying various payloads such as .aspx web shells, .dll payloads, and even ransomware like Warlock after initial compromise. The intrusion potentially grants access not only to SharePoint but also to Microsoft’s wider ecosystem, including Office, Teams, OneDrive, and Outlook, risking broader network compromise.
Mitigation guidance includes applying the latest Microsoft patches, monitoring for indicators of compromise tied to these exploits, and deploying detection heuristics focusing on anomalous uploads and unusual use of the ToolPane.aspx endpoint with crafted Referer headers.
Security experts, such as Gabrielle Hempel, Security Operations Strategist at Exabeam, see clear echoes of the 2021 Exchange server attacks in this campaign. This incident serves as a reminder that defending hybrid environments requires more than just patching and monitoring the perimeter. Limiting east-west movement is crucial, as it is often invisible to perimeter-focused defences.
The attack has affected more than 100 organisations, including government agencies, schools, and energy companies. Some attackers gained access before the patch for CVE-2025-53770 was available. Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, has warned that the threat has already expanded beyond a single source.
Microsoft's Threat Intelligence team has formally attributed the campaign to a China-based threat actor. The campaign is driven by a modified version of ToolShell, a remote access trojan previously linked to Chinese espionage groups. Organisations that failed to patch quickly or correctly are still vulnerable to attacks.
Defending hybrid environments demands real visibility, fast detection, and a plan for persistence. Nation-state attackers do not rely on zero-days alone and can adapt faster than most organisations can respond. Microsoft and other experts recommend auditing and isolating SharePoint servers, especially those exposed externally.
ToolShell is integrated into SharePoint workflows, allowing attackers to blend into normal traffic, evade detection, and operate freely inside the network. Organisations should search for signs of ToolShell or unusual behaviour in SharePoint logs and lateral traffic. It is essential to stay vigilant and promptly apply patches to mitigate the risk of these sophisticated attacks.
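As an added example (not code from the article or from any of the sources it cites), the following Python script implements the log-based detection that both the mitigation guidance and the closing advice describe: it parses IIS W3C access logs from a SharePoint front end, flags unauthenticated POSTs to ToolPane.aspx (recording whatever Referer was sent), and flags any request for the spinstall0.aspx web shell. The log lines, host names and IP addresses are constructed; the Referer value in the sample is a placeholder, since the article does not give the specific header value used in the attacks.

```python
"""Defender-side sweep of IIS W3C access logs for the ToolShell indicators the
article names: unauthenticated POSTs to ToolPane.aspx and any request touching
the spinstall0.aspx web shell. All log lines below are CONSTRUCTED samples."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in IIS W3C format. Column names come from the #Fields
# line, so the parser is not tied to this particular column order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:04 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.23 Mozilla/5.0 https://intranet.example.test/ 200
2025-07-19 02:12:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 10.0.0.23 Mozilla/5.0 https://intranet.example.test/SitePages/Home.aspx 200
2025-07-19 02:15:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 https://intranet.example.test/_layouts/PLACEHOLDER-referer.aspx 200
2025-07-19 02:15:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:16:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\asmith 10.0.0.41 Mozilla/5.0 - 200
"""

# Matches both the article's "/layouts/15/ToolPane.aspx" spelling and the
# underscored "/_layouts/15/..." form, case-insensitively.
TOOLPANE_RE = re.compile(r"/_?layouts/15/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    client_ip: str
    uri: str
    referer: str


def parse_w3c(text):
    """Yield (line_no, record) for each data line, keyed by the #Fields header."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than abort the sweep
        yield line_no, dict(zip(fields, parts))


def detect(text):
    """Apply the two ToolShell heuristics to a W3C log and return the findings."""
    findings = []
    for line_no, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        method = rec.get("cs-method", "").upper()
        user = rec.get("cs-username", "-")   # '-' means no authenticated identity
        referer = rec.get("cs(Referer)", "-")
        ip = rec.get("c-ip", "?")
        # R1: ToolPane.aspx is an authenticated editing endpoint; a POST to it
        # with no authenticated user is the auth-bypass pattern the article describes.
        if TOOLPANE_RE.search(stem) and method == "POST" and user == "-":
            findings.append(Finding("R1-toolpane-unauth-post", line_no, ip, stem, referer))
        # R2: any request for the named web shell means it has been dropped and used.
        if WEBSHELL_RE.search(stem):
            findings.append(Finding("R2-spinstall0-webshell", line_no, ip, stem, referer))
    return findings


def suspicious_sources(findings):
    """Count findings per client IP so the noisiest sources surface first."""
    return dict(Counter(f.client_ip for f in findings))


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {h.rule} from {h.client_ip} -> {h.uri} (Referer: {h.referer})")
    print("per-source counts:", suspicious_sources(hits))
```

Run it against real logs by replacing SAMPLE_LOG with the contents of the front end's W3C log files; because the parser reads the `#Fields:` header, it tolerates sites that log a different column set, as long as `cs-method`, `cs-uri-stem`, `cs-username` and `c-ip` are present.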
- Given the ongoing threat from the China-based actor using the modified ToolShell RAT, technology businesses, especially those in government, education, and energy, should prioritise cybersecurity measures and promptly apply the latest updates and patches, including the one for CVE-2025-53770.
- The multi-actor, highly capable campaign against Microsoft's SharePoint Server, and the way ToolShell lets attackers blend into normal traffic, is a reminder for policy-makers, the wider press, and the cybersecurity community that defending hybrid environments depends on real-time detection and on strategies that go beyond perimeter monitoring and prompt patching.