Worldwide attacks on the Microsoft SharePoint "ToolShell" vulnerability pose an immediate danger and require immediate action

Worldwide attacks on the Microsoft SharePoint "ToolShell" vulnerability pose an immediate danger and require immediate action

A new zero-day attack, dubbed ToolShell, has been targeting previously unknown vulnerabilities in Microsoft SharePoint on-premises servers. This attack has been confirmed by cybersecurity company Check Point to have resulted in dozens of compromise attempts across government, telecom, and tech sectors since July 7.

The attacks have targeted United States federal and state agencies, universities, energy companies, and an Asian telecommunications company. To mitigate this threat, the following steps are strongly recommended:

1. Immediately Apply Microsoft Emergency Patches Microsoft has released emergency patches for affected SharePoint versions, including SharePoint Subscription Edition and SharePoint Server 2019. Updates for SharePoint Server 2016 are planned. Applying these patches addresses the vulnerabilities CVE-2025-53770 and CVE-2025-53771 that ToolShell exploits.
2. Isolate Vulnerable SharePoint Servers from the Internet Until patches and full remediations are in place, disconnect or isolate public-facing SharePoint servers from internet access to prevent exploitation attempts.
3. Enable Advanced Malware Scanning and Detection Features Enable Microsoft’s Antimalware Scan Interface (AMSI) detection mechanisms and similar endpoint protection tools that can detect malicious PowerShell commands or web shell deployment attempts.
4. Rotate ASP.NET Machine Keys Since attackers exfiltrate cryptographic machine keys, organizations should regenerate and rotate their ASP.NET machine keys immediately after patching and cleansing infected servers.
5. Deploy Detection and Hunting Tools Utilize updated detection tools and hunting packages such as YARA rules and Nuclei templates developed by Recorded Future and cybersecurity vendors to identify in-memory ToolShell payloads and related indicators of compromise.
6. Leverage Endpoint Detection and Response (EDR) Platforms Platforms like CrowdStrike Falcon are confirmed to detect and block behaviors associated with ToolShell exploitation, including blocking of malicious PowerShell commands and web shell write attempts.
7. Monitor and Investigate Suspicious Activity Watch for activity such as unusual POST requests to SharePoint endpoints, attempts to write .aspx web shells, and unexpected network exfiltration over HTTP.
8. Conduct Incident Response and Forensic Analysis In case of suspected compromise, conduct thorough investigation to remove any implanted web shells or in-memory payloads and ensure keys and credentials are reset to prevent persistent access.

Organizations should act urgently given the exploitation is active in the wild and leverages stealthy, in-memory attacks making traditional detection methods less effective. It's important to note that tens of thousands of servers are at risk due to these vulnerabilities, which are currently under active exploitation, according to Check Point.

In addition, Microsoft recommends enabling Antimalware Scan Interface (AMSI), rotating MachineKey twice, temporarily removing public exposure, hunting for indicators, and isolating suspected hosts. The vulnerabilities, labeled CVE-2025-53770 and CVE-2025-53771, are discussed in a Microsoft Defender Vulnerability Management blog post. However, it's worth mentioning that the out-of-band security updates are for Microsoft SharePoint Server 2019 and Microsoft SharePoint Subscription Edition, but a patch has not been released for Microsoft SharePoint Enterprise Server 2016 as of the time of publication.

The vulnerabilities were first discovered on July 18, 2025 by Eye Security. The first signs of exploitation were on July 7, 2025. It's crucial to remember that the term "zero-day" attack refers to when a previously unknown vulnerability is targeted. The issues labeled CVE‐2025‐49704 and CVE‐2025-49706, which were fixed with the July 8, 2025 updates from Microsoft, can still be exploited if an attacker uses the newly discovered exploits.

Stay vigilant and secure, and ensure your SharePoint servers are protected against this threat.

1. To strengthen your cyberssecurity and protect against the ToolShell attack, consider implementing Microsoft's emergency patches for SharePoint versions such as SharePoint Subscription Edition and SharePoint Server 2019.
2. To further secure your servers, enable Microsoft’s Antimalware Scan Interface (AMSI) detection mechanisms and other endpoint protection tools capable of detecting malicious PowerShell commands or web shell deployment attempts.
3. In the wake of this attack, it's crucial to rotate ASP.NET MachineKeys, especially after patching and cleansing infected servers, to prevent the theft of cryptographic keys.
4. To identify potential ToolShell threats, deploy detection and hunting tools like YARA rules and Nuclei templates developed by Recorded Future and other cybersecurity vendors.
5. To enhance your cybersecurity posture, consider leveraging endpoint detection and response (EDR) platforms such as CrowdStrike Falcon, which are confirmed to detect and block behaviors associated with ToolShell exploitation.

Read also: