ToolShell: Microsoft SharePoint Zero-Day Chain Actively Exploited Globally – Auth Bypass & RCE Confirmed
In mid-July, cybersecurity experts at Kaspersky Lab reported a widespread campaign targeting on-premises Microsoft SharePoint servers across the globe. The exploit chain, dubbed ToolShell, enables attackers to gain full control over vulnerable systems by bypassing authentication and executing arbitrary code on targeted servers. Investigators confirmed that the victims included organizations in Egypt, Jordan, Russia, Vietnam, and Zambia—spanning government agencies, financial institutions, manufacturing companies, as well as entities in the forestry and agricultural sectors.
At the heart of the exploit chain lies CVE-2025-49706, a vulnerability in the PostAuthenticateRequestHandler method of the Microsoft.SharePoint.dll library. Under certain conditions, it allows threat actors to bypass authentication checks. Attackers exploited SharePoint’s integration with IIS by spoofing the HTTP Referer header with links to “/_layouts/SignOut.aspx” and its variants. This tricked the system into treating malicious requests as legitimate.
The bypass was made possible due to flawed path-handling logic: case-insensitive matching and improper exclusion rules meant that even after Microsoft attempted to restrict access to “ToolPane.aspx,” appending a trailing slash was enough to circumvent the protection. This oversight was later cataloged as CVE-2025-53771. Only with the July 20 update—which reinforced path-matching mechanisms—was the ability to spoof referrer headers significantly curtailed.
Another critical attack vector was CVE-2025-49704, an unsafe deserialization flaw. By sending the POST parameters “MSOtlPn_Uri” and “MSOtlPn_DWP” to “/_layouts/15/ToolPane.aspx,” attackers transmitted malicious XML markup containing a WebPart element. Within it, they embedded an ExcelDataSet object from the Microsoft.PerformancePoint.Scorecards.Client.dll library and abused its CompressedDataTable property. Once decoded and decompressed, that data was fed into the BinarySerialization.Deserialize method, ultimately leading to arbitrary code execution via the ExpandedWrapper technique.
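The two request characteristics described above, a Referer pointing at SignOut.aspx and a POST to ToolPane.aspx, are what a defender can look for in IIS logs. The following Python snippet is an added example (it is not from the Kaspersky report or from any Microsoft tooling): it reads IIS W3C log lines, normalises paths the way the vulnerable check did not (case folding, URL decoding and trailing-slash removal), and flags requests that combine both traits. The field names are the standard IIS W3C ones; the log lines themselves are constructed for illustration.

```python
"""
Detection sketch for the ToolShell request pattern in IIS W3C logs.
Added example (not from the Kaspersky report). Assumes the default IIS
W3C field set, which includes cs-method, cs-uri-stem, c-ip and cs(Referer).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple
from urllib.parse import unquote

# Constructed sample log (not a real capture). Rows 4 and 5 carry the spoofed
# Referer in two spellings, one with the trailing-slash variant; the other
# rows are ordinary traffic that must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 GET /sites/hr/Pages/default.aspx - 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 https://sp.example.test/sites/hr/ 200
2025-07-18 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:01:10 10.0.0.5 POST /_LAYOUTS/15/toolpane.aspx/ DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 /_layouts/15/SignOut.aspx/ 200
2025-07-18 10:02:00 10.0.0.5 GET /_layouts/15/SignOut.aspx - 443 CONTOSO\\bob 10.0.0.21 Mozilla/5.0 https://sp.example.test/ 302
2025-07-18 10:03:00 10.0.0.5 POST /sites/hr/_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\carol 10.0.0.22 Mozilla/5.0 https://sp.example.test/sites/hr/Pages/default.aspx 200
"""

# ToolPane.aspx and SignOut.aspx may sit under /_layouts/ or /_layouts/15/,
# and anywhere below a site collection path, so match on the path suffix.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$")
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$")


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri_stem: str
    referer: str


def normalize_path(value: str) -> str:
    """URL-decode, lower-case, drop query/fragment and trailing slashes.

    This is the canonicalisation the vulnerable path check lacked: without it
    "ToolPane.aspx/" and "TOOLPANE.ASPX" look like different resources.
    """
    value = unquote(value).lower()
    value = value.split("?", 1)[0].split("#", 1)[0]
    return value.rstrip("/")


def parse_w3c(text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field dict) for each record, honouring #Fields headers."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed row; skip rather than mis-assign columns
        yield line_no, dict(zip(fields, parts))


def find_toolshell_requests(text: str) -> List[Finding]:
    """Flag POSTs to ToolPane.aspx whose Referer claims to come from SignOut.aspx."""
    findings: List[Finding] = []
    for line_no, rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if not TOOLPANE_RE.search(normalize_path(rec.get("cs-uri-stem", ""))):
            continue
        if SIGNOUT_RE.search(normalize_path(rec.get("cs(Referer)", "-"))):
            findings.append(Finding(line_no, rec.get("c-ip", "?"),
                                    rec["cs-uri-stem"], rec["cs(Referer)"]))
    return findings


if __name__ == "__main__":
    for f in find_toolshell_requests(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} POST {f.uri_stem} Referer={f.referer}")
```

The two spoofed rows are reported; the ordinary sign-out (a GET with no ToolPane.aspx) and the authenticated edit-mode POST with a normal Referer are not. Because the pattern hinges on the header the attacker controls, treat a hit as a trigger for host-level review rather than as proof of compromise on its own.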
To evade type checking, the attackers encapsulated the dangerous ExpandedWrapper object within a nested list, circumventing XmlValidator protections. The technique is effectively an evolution of CVE-2020-1147, which used a similar approach but lacked the nested list structure. Although Microsoft initially attempted to block the ExcelDataSet class by flagging it as unsafe in the web.config file, they did not require administrators to run the SharePoint Configuration Wizard, so the fix was ineffective for many users. This misstep led to the release of CVE-2025-53770, a supplemental patch introducing stricter type validation in XmlValidator.
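As an added check (not from the report and not a Microsoft tool), the Python snippet below parses a SharePoint web.config and reports whether a SafeControl entry explicitly marks ExcelDataSet as unsafe, which is what the initial web.config mitigation described above did. The config fragments are constructed; the assembly version and PublicKeyToken values in them are placeholders, not values from a real server. A Safe="False" entry only confirms that the file was edited: it says nothing about whether the Configuration Wizard was run afterwards or whether the later CVE-2025-53770 update is installed.

```python
"""
Check a SharePoint web.config for an explicit SafeControl block on ExcelDataSet.
Added example, not from the Kaspersky report. The SafeControl layout follows the
standard SharePoint web.config schema (<SharePoint><SafeControls><SafeControl/>).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Placeholder assembly string: version and token are NOT real values.
PLACEHOLDER_ASSEMBLY = ("Microsoft.PerformancePoint.Scorecards.Client, Version=0.0.0.0, "
                        "Culture=neutral, PublicKeyToken=0000000000000000")

# Constructed fragment: only a wildcard entry for the namespace, nothing blocked.
UNPATCHED_CONFIG = f"""<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="{PLACEHOLDER_ASSEMBLY}" Namespace="Microsoft.PerformancePoint.Scorecards"
                   TypeName="*" Safe="True" SafeAgainstScript="False" />
    </SafeControls>
  </SharePoint>
</configuration>"""

# Constructed fragment: same, plus an explicit Safe="False" entry for ExcelDataSet.
PATCHED_CONFIG = f"""<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="{PLACEHOLDER_ASSEMBLY}" Namespace="Microsoft.PerformancePoint.Scorecards"
                   TypeName="*" Safe="True" SafeAgainstScript="False" />
      <SafeControl Assembly="{PLACEHOLDER_ASSEMBLY}" Namespace="Microsoft.PerformancePoint.Scorecards"
                   TypeName="ExcelDataSet" Safe="False" SafeAgainstScript="False" />
    </SafeControls>
  </SharePoint>
</configuration>"""


@dataclass
class SafeControlEntry:
    assembly: str
    namespace: str
    type_name: str
    safe: bool


def parse_safe_controls(xml_text: str) -> List[SafeControlEntry]:
    """Collect every SafeControl element, wherever it sits in the document."""
    root = ET.fromstring(xml_text)
    return [
        SafeControlEntry(
            assembly=el.get("Assembly", ""),
            namespace=el.get("Namespace", ""),
            type_name=el.get("TypeName", ""),
            safe=(el.get("Safe", "").strip().lower() == "true"),
        )
        for el in root.iter("SafeControl")
    ]


def excel_dataset_explicitly_blocked(xml_text: str) -> bool:
    """True only if an entry names ExcelDataSet in the Scorecards namespace with Safe="False".

    A wildcard TypeName="*" entry does not count either way; the check looks
    for the specific block the web.config mitigation introduced.
    """
    return any(
        e.type_name == "ExcelDataSet"
        and e.namespace == "Microsoft.PerformancePoint.Scorecards"
        and e.assembly.startswith("Microsoft.PerformancePoint.Scorecards.Client")
        and not e.safe
        for e in parse_safe_controls(xml_text)
    )


if __name__ == "__main__":
    for label, cfg in (("unpatched", UNPATCHED_CONFIG), ("patched", PATCHED_CONFIG)):
        print(f"{label}: ExcelDataSet explicitly blocked = {excel_dataset_explicitly_blocked(cfg)}")
```

Run it against each web application's web.config (one per IIS site) rather than a single file, since the mitigation has to be present in every one.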
Malware analysis revealed that the first stage of the exploit chain could be triggered by altering a single byte in the request. The elegance and potency of this attack make ToolShell particularly perilous—on par with infamous campaigns like ProxyLogon and EternalBlue. The fact that the exploit affects both client and server components, combined with the public availability of working proof-of-concept code, significantly raises the threat of large-scale compromise.
The combined set of five vulnerabilities—CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, and the related CVE-2020-1147—forms a powerful exploit chain enabling remote code execution, complete authentication bypass, and SharePoint exploitation via XML injection. Experts strongly urge immediate patching and the deployment of security solutions capable of detecting zero-day threats. Timely remediation remains the only effective barrier against the continued propagation of ToolShell.