Multiple Hacker Groups Exploit SharePoint 0-Day Vulnerability in the Wild

Microsoft has confirmed that a pair of zero-day vulnerabilities in on-premises SharePoint Server, collectively dubbed ToolShell, are under active exploitation by diverse threat actors ranging from opportunistic cybercriminals to sophisticated nation-state advanced persistent threat (APT) groups.

ToolShell encompasses CVE-2025-53770, a critical remote code execution (RCE) flaw allowing unauthenticated attackers to execute arbitrary code on vulnerable servers, and CVE-2025-53771, a server spoofing vulnerability that facilitates bypassing authentication mechanisms like multi-factor authentication (MFA) and single sign-on (SSO).

These issues exclusively impact supported versions of SharePoint Server 2016, 2019, and Subscription Edition, leaving SharePoint Online in Microsoft 365 unaffected.

Overview of the ToolShell Vulnerabilities

Exploitation began with attackers chaining ToolShell with previously patched vulnerabilities, including CVE-2025-49704 and CVE-2025-49706, to achieve initial access and deploy persistent webshells.

This chain enables threat actors to infiltrate restricted systems, extract sensitive data, and potentially pivot across integrated Microsoft services such as Office, Teams, OneDrive, and Outlook, amplifying the attack’s scope within enterprise networks.

Telemetry data indicates widespread attacks, with the United States accounting for 13.3% of incidents, followed by detections in Germany, Italy, and other regions globally.

Notably, China-aligned APTs, including LuckyMouse, a group known for targeting governments, telecommunications, and international organizations, have incorporated ToolShell into their operations, as evidenced by a backdoor deployment on a compromised Vietnamese system.

According to ESET researchers, while the exact infection vector remains unclear, the presence of such malware suggests either prior compromise or opportunistic chaining during exploitation attempts.

Microsoft released comprehensive patches via cumulative security updates (e.g., KB5002768 for Subscription Edition), which fully mitigate both CVEs when applied alongside enabling the Antimalware Scan Interface (AMSI) in full mode and rotating ASP.NET machine keys using PowerShell commands like Set-SPMachineKey and Update-SPMachineKey, followed by an IIS restart.

Mitigation Strategies

Post-exploitation, attackers frequently deploy malicious ASP.NET webshells, such as spinstall0.aspx (tracked as MSIL/Webshell.JS with SHA-1 F5B60A8EAD96703080E73A1F79C3E70FF44DF271), which enables command execution via cmd.exe and data exfiltration.

Additional webshell variants observed include ghostfile346.aspx, ghostfile399.aspx, ghostfile807.aspx, ghostfile972.aspx, and ghostfile913.aspx, often written to SharePoint’s Web Server Extensions directories.

Monitoring reveals exploitation originating from over a dozen IP addresses with peak activity from sources like 154.223.19.106 and 141.164.60.10, hosted by providers such as Kaopu Cloud HK Limited and The Constant Company, LLC.

These attacks involve encoded PowerShell commands spawned by w3wp.exe processes, targeting layouts folders to install backdoors.

Microsoft Defender Antivirus detects related behaviors under names like Exploit:Script/SuspSignoutReq.A and Trojan:PowerShell/MachineKeyFinder.DA!amsi, while Defender for Endpoint raises alerts for suspicious IIS worker processes and potential webshell installations.

Advanced hunting queries in Microsoft 365 Defender, such as those scanning DeviceFileEvents for spinstall0.aspx creations or DeviceProcessEvents for anomalous cmd.exe invocations with base64-encoded payloads, aid in identifying compromises.

For unpatched systems, Microsoft advises disconnecting from the internet or routing through authenticated proxies/VPNs.

To counter ongoing threats, organizations must upgrade to supported SharePoint versions, apply the latest updates immediately, ensure AMSI integration (enabled by default since September 2023 updates), deploy endpoint protection like Defender for Endpoint, and rotate machine keys to invalidate stolen credentials.

Given the rapid adoption by APTs and the exploit’s simplicity, unpatched environments remain at high risk, with expectations of increased opportunistic attacks exploiting this all-you-can-eat buffet for threat actors.

Indicators of Compromise (IoCs)

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!