
On Saturday, July 19th, flaws in Microsoft SharePoint Server became the subject of emergency cybersecurity alerts worldwide. Four CVEs are involved, collectively dubbed “ToolShell”: two published in early July already had patches available, but after those patches were bypassed, two new CVEs were issued. The flaws can allow unauthenticated remote code execution (RCE) at the Windows SYSTEM level.

So far, mass exploitation attacks have breached the US Nuclear Weapons Agency and over 400 other organizations, including multi-national corporations, healthcare and other government services, financial service providers, and energy critical infrastructure. Active exploitation was first observed by Eye Security, and three CVEs have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and tied to ransomware attacks by Chinese state-sponsored threat actors. Several public proof of concept (PoC) exploit kits are available [1][2][3]. National CERT advisories have been issued from many countries including CERT-EU [4], the Netherlands [5], New Zealand [6], Canada [7], and Germany [8]. The Shadowserver Foundation has observed over 9,000 public-facing SharePoint IP addresses globally.

OPENVAS SECURITY INTELLIGENCE by Greenbone includes version detection tests [9][10][11][12], a direct active check [13] for all ToolShell CVEs, and an active check for associated indicators of compromise (IoC) [14] in our ENTERPRISE FEED. OPENVAS ENTERPRISE FEED customers should verify their feed update status regularly to ensure their appliance includes the latest vulnerability checks. Let’s review the details surrounding these elusive ToolShell bugs.

A Timeline of ToolShell Events

Here is a brief timeline of ToolShell events so far:

The ToolShell CVEs in Microsoft SharePoint

When the original “ToolShell” flaws (CVE-2025-49706 and ) were first exposed in May 2025, no technical details were published with the hack, but the disclosure led to official patches by mid-July. However, security researchers soon observed attacks bypassing fully patched servers. Two new vulnerabilities have been published in response (CVE-2025-53770 and CVE-2025-53771).

Here are brief details for each ToolShell CVE:

  • CVE-2025-49704 (CVSS 8.8): Improper code generation (aka “code injection”) [CWE-94] allows an authorized attacker to execute code remotely. According to Cisco Talos, the flaw can be exploited by an authenticated attacker with Site Member privileges, while Microsoft indicates that Site Owner privileges are required. According to Microsoft, exploitation is trivial with a high likelihood of successful attack.
  • CVE-2025-49706 (CVSS 6.3): Improper authentication [CWE-287] allows an authorized attacker to perform spoofing over a network.
  • CVE-2025-53770 (CVSS 9.8): Deserialization of untrusted data [CWE-502] allows an unauthorized attacker to execute code [CWE-94] over a network. This is a variant of CVE-2025-49704.
  • CVE-2025-53771 (CVSS 6.3): Improper limitation of a pathname to a restricted directory [CWE-22] (aka “path traversal”) allows an authorized attacker to perform spoofing over a network. This is a variant of CVE-2025-49706.

ToolShell Attack Details

Exploiting ToolShell allows unauthenticated RCE on vulnerable Microsoft SharePoint Servers. Here’s how the attack unfolds:

  1. CVE-2025-49706 allows access to internal SharePoint services by manipulating the Referer header (setting it to /_layouts/SignOut.aspx). This tricks SharePoint’s request validation logic into treating the request as authenticated, even though no real session or credentials exist.
  2. Simultaneously, a malicious __VIEWSTATE payload is sent to the /_layouts/15/ToolPane.aspx endpoint which includes a specially crafted .NET gadget chain to exploit the CVE-2025-53770 deserialization flaw. __VIEWSTATE payloads are serialized ASP.NET objects meant to synchronize UI control state between the user’s browser and the SharePoint backend server.
  3. The deserialization flaw allows arbitrary executables or PowerShell commands to be executed as the Windows SYSTEM user, giving full control of an affected system.
  4. With full admin control, attackers were observed installing malicious ASPX web shells (named aspx among other filenames) to extract the breached system’s MachineKey configuration (ValidationKey and DecryptionKey), allowing persistent authenticated access.
  5. With these stolen access tokens, attackers may continue to submit valid __VIEWSTATE payloads using the .

Mitigating ToolShell Attacks Against Microsoft SharePoint

ToolShell affects on-premises editions of Microsoft Office SharePoint 2016, 2019, and Subscription Edition, as well as end-of-life (EOL) editions such as SharePoint Server 2010 and 2013. Users must apply the latest patches as soon as possible. Also, keep in mind that CVE-2025-49704 and CVE-2025-49706 were patched in Microsoft’s July 2025 Security Update; however, the discovery of bypass exploits resulted in the need for new patches:

  • KB5002754 for Microsoft SharePoint Server 2019 Core
  • KB5002768 for Microsoft SharePoint Subscription Edition
  • KB5002760 for Microsoft SharePoint Enterprise Server 2016
  • SharePoint Server 2010 and 2013 are affected, but will not be patched due to their EOL status
  • SharePoint Online for Microsoft 365 is NOT vulnerable

Microsoft’s guidance instructs users to enable AMSI with Full Mode and use Microsoft Defender Antivirus to prevent successful attacks. Defenders should also assume their systems have been compromised and hunt for the IoCs identified in observed campaigns. In addition to identifying and removing any malware infection, users should mitigate the risk posed by stolen credentials. This is accomplished by rotating their ASP.NET machine keys using PowerShell (Update-SPMachineKey) or through the Central Administration’s Machine Key Rotation Job, and then restarting IIS with iisreset.exe.
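As an added example (not from the original post and not one of Greenbone’s feed checks), the following Python script hunts IIS W3C logs for the request shape described in steps 1 and 2 of the attack chain above: requests to /_layouts/15/ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx. The log lines, the #Fields order and the hostname sp.example.test are constructed assumptions; adapt the field list to your own IIS logging configuration.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed IIS W3C log excerpt (not a real capture); the #Fields order is
# an assumption, so parse_iis_lines() reads the field names from that header.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2025-07-19 08:00:01 10.0.0.5 GET /sites/hr/default.aspx - 200 https://sp.example.test/sites/hr
2025-07-19 08:02:17 198.51.100.23 POST /_layouts/15/ToolPane.aspx - 200 https://sp.example.test/_layouts/SignOut.aspx
2025-07-19 08:02:18 198.51.100.23 POST /_layouts/15/ToolPane.aspx - 200 /_layouts/SignOut.aspx
2025-07-19 08:05:40 10.0.0.9 POST /_layouts/15/ToolPane.aspx - 200 https://sp.example.test/sites/hr/_layouts/15/settings.aspx
"""

TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"  # endpoint from step 2 of the chain
SIGNOUT_REFERER = re.compile(r"/_layouts/signout\.aspx$", re.IGNORECASE)  # step 1

def parse_iis_lines(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed or truncated lines
                yield dict(zip(fields, values))

def classify(entry: Dict[str, str]) -> Optional[str]:
    """Label a ToolPane.aspx request by how closely it matches the ToolShell chain."""
    if entry.get("cs-uri-stem", "").lower() != TOOLPANE_STEM:
        return None
    if SIGNOUT_REFERER.search(entry.get("cs(Referer)", "-")):
        return "high: ToolPane.aspx hit with SignOut.aspx Referer (CVE-2025-49706 bypass pattern)"
    if entry.get("cs-method", "").upper() == "POST":
        return "review: POST to ToolPane.aspx; confirm it came from a legitimate editing session"
    return None

def hunt(text: str) -> List[Tuple[str, str, str]]:
    """Return (client IP, timestamp, finding) for every suspicious entry."""
    findings = []
    for e in parse_iis_lines(text):
        label = classify(e)
        if label:
            findings.append((e["c-ip"], f"{e['date']} {e['time']}", label))
    return findings
```

Run `hunt()` over a real log file’s contents and correlate any "high" findings with the IoC hunting and machine-key rotation steps described above.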

Summary

The ToolShell attack chain puts users at risk of unauthenticated RCE. The attack is an authentication bypass followed by flawed deserialization for RCE. Although patches for CVE-2025-49704 and CVE-2025-49706 were issued in July 2025, new variants (CVE-2025-53770, CVE-2025-53771) have been discovered and are now being actively exploited globally. Defenders must apply all available updates as soon as they become available, remove any persistent malware infection installed by attackers, rotate machine keys, and verify resilience. OPENVAS SECURITY INTELLIGENCE can swiftly and reliably detect vulnerable instances of Microsoft SharePoint and over 180.000 additi