Hackers Exploit Critical SharePoint Vulnerability for Full Server Takeover

VTA-004526 – Hackers Exploit Critical SharePoint Vulnerability for Full Server Takeover

A newly discovered cyberattack campaign is exploiting a critical vulnerability chain in Microsoft SharePoint servers, allowing attackers to gain full remote control without authentication. Dubbed “ToolShell,” this attack combines two flaws (CVE-2025-49706 and CVE-2025-49704) to bypass security measures and install persistent backdoors.

Researchers said the exploit targets SharePoint’s /ToolPane.aspx endpoint, stealing cryptographic keys like ValidationKey and DecryptionKey to craft malicious payloads. These payloads trick SharePoint into accepting unauthorized commands, granting attackers complete system access. Unlike typical web shells, this method abuses SharePoint’s trust in its own configuration.

The attacks began shortly after the public disclosure, with two distinct waves originating from the IP addresses 107.191.58.76 and 104.238.159.149. Microsoft has released patches for the affected versions (SharePoint 2016, 2019, and Subscription Edition); however, organizations must also scan for existing compromises, as patching alone will not remove attackers who may already have access.

Severity:
Medium

Attack Surface:
Content Management System, Office 365, Server OS, Web Application

Tactics:
Credential Access, Defense Evasion, Execution, Initial Access, Persistence, Privilege Escalation

Techniques:
T1190 – Exploit Public-Facing Application
T1505.003 – Server Software Component: Web Shell
T1552.001 – Unsecured Credentials: Credentials in Files
T1059.001 – Command-Line Interface
T1133 – External Remote Services

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/6881f3b06089312bc783d34d

References:
1. https://research.eye.security/sharepoint-under-siege/

SuperPRO’s Threat Countermeasures Procedures:
1. Apply Microsoft’s July 2025 security updates immediately.
2. Scan systems for signs of compromise, particularly unauthorized ASPX files.
3. Monitor network traffic from the attacker IPs listed in the IoCs.
4. Check server logs for suspicious requests to /_layouts/15/ToolPane.aspx.
5. Validate SharePoint cryptographic keys for unexpected changes.
6. Restrict external access to SharePoint administrative interfaces if possible.
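Steps 3 and 4 above both come down to reading IIS access logs from the SharePoint web front ends. The script below is an added example written for this advisory, not code from the advisory, from Microsoft or from the cited research. It parses IIS W3C logs, flags every request to /_layouts/15/ToolPane.aspx, flags every request from the two IoC IP addresses quoted in the advisory, and reports malformed records instead of dropping them. It assumes the default IIS W3C field layout shown in the #Fields line (check the header of your own logs); the sample records are constructed, and treating POSTs to ToolPane.aspx as higher priority is a heuristic of this example, not something the advisory states.

```python
"""Triage IIS W3C access logs from a SharePoint web front end against two
items in the countermeasures list: requests to /_layouts/15/ToolPane.aspx
and traffic from the IoC IP addresses named in the advisory.

Added example, not code from the advisory or the cited research.
Assumptions: the default IIS W3C field set in the #Fields line below
(verify against your own logs), and constructed sample records.
"""
from dataclasses import dataclass

# IoC IP addresses quoted in the advisory text.
IOC_IPS = {"107.191.58.76", "104.238.159.149"}

# Endpoint named in the advisory. Compared case-insensitively because IIS
# and SharePoint resolve URL paths case-insensitively.
TOOLPANE = "/_layouts/15/toolpane.aspx"

# Constructed sample log (not real traffic). Line numbers start at 1.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\jdoe 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2025-07-19 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 350
2025-07-19 10:00:09 10.0.0.5 GET /_layouts/15/sample.aspx - 443 - 104.238.159.149 python-requests/2.31 - 200 0 0 40
2025-07-19 10:05:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\admin 10.0.0.30 Mozilla/5.0 - 200 0 0 80
2025-07-19 10:06:00 truncated"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    method: str
    uri: str
    status: str
    reasons: tuple


def parse_w3c(lines):
    """Yield (line_no, record) pairs. Records are dicts keyed by the most
    recent #Fields header; records with the wrong field count are yielded
    with a '_malformed' key so they are reported instead of silently lost."""
    fields = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError(f"line {line_no}: record before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            yield line_no, {"_malformed": line}
            continue
        yield line_no, dict(zip(fields, values))


def triage(lines):
    """Return a Finding for every record worth an analyst's attention."""
    findings = []
    for line_no, rec in parse_w3c(lines):
        if "_malformed" in rec:
            findings.append(Finding(line_no, "?", "?", rec["_malformed"], "?", ("malformed record",)))
            continue
        reasons = []
        ip = rec.get("c-ip", "")
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        if ip in IOC_IPS:
            reasons.append("source is an IoC IP")
        if uri.lower() == TOOLPANE:
            reasons.append("ToolPane.aspx request")
            # POSTs are the state-changing ones; rank them higher (heuristic).
            if method == "POST":
                reasons.append("POST to ToolPane.aspx")
        if reasons:
            findings.append(Finding(line_no, ip, method, uri, rec.get("sc-status", ""), tuple(reasons)))
    return findings


def triage_file(path):
    """Triage one IIS log file on disk (e.g. u_ex250719.log)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh)


if __name__ == "__main__":
    import sys
    results = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"line {f.line_no}: {f.client_ip} {f.method} {f.uri} -> {f.status}: {', '.join(f.reasons)}")
```

Run it with a log file path, or with no arguments to see the constructed sample triaged. Legitimate administrators also load ToolPane.aspx while editing pages, so a hit on that endpoint alone is a lead, not proof; correlate it with the source address, with the authenticated user, and with step 2 (any ASPX file under the LAYOUTS directories that you cannot account for).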

Contributed by: Fatini