What You Need to Know

  • Two newly disclosed vulnerabilities in Microsoft SharePoint allow:
    • Remote code execution: CVE-2025-53770
    • Server spoofing: CVE-2025-53771
  • Forescout has observed a large volume of attempted attacks since July 22
    • On unpatched servers, the exploit tricks SharePoint into trusting the request and its payload contents
    • Attackers can then execute arbitrary code on the compromised server without any user interaction

What You Need to Do

  • Apply Microsoft security updates immediately
  • Monitor for suspicious activity
  • Restrict network access
  • Enforce least privilege
  • Back up data
  • Forescout has added rules to eyeAlert and eyeInspect to detect ToolShell exploits
  • See the complete Mitigation Recommendations section

ToolShell is a recently disclosed set of vulnerabilities – CVE-2025-53770 (remote code execution) and CVE-2025-53771 (server spoofing) – that allow attackers to gain control of certain on-premises Microsoft SharePoint Server installations: SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016.

These vulnerabilities were first exploited, as initially disclosed by a security researcher. Subsequently, on July 19, it was reported that the vulnerabilities were being actively exploited as zero-days in targeted attacks, with some of the exploitation activity attributed to Chinese threat actors such as Linen Typhoon and Violet Typhoon. These attacks have been used to deploy web shells, steal credentials and establish persistence in compromised environments.

In the last week, we have been observing opportunistic exploitation attempts on Forescout’s Adversary Engagement Environment (AEE). Here, we detail these exploits and provide mitigation recommendations.

 

Exploit Analysis

We have observed a massive number of ToolShell exploit attempts on the AEE since July 22, originating from the IP addresses listed in the Indicators of Compromise (IOC) section below.

The attacks start with a POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx whose Referer header is set to /_layouts/SignOut.aspx, as shown in the figure below. The spoofed Referer makes SharePoint treat the unauthenticated request and its contents as trusted (the spoofing bug, CVE-2025-53771), so the attacker-supplied web part in the body reaches the deserialization sink and arbitrary code runs on the server (CVE-2025-53770).

These requests abuse ToolPane.aspx to inject malicious web parts using parameters including:

  • MSOTlPn_Uri, which points to a user control or ASCX file to load
  • MSOTlPn_DWP, which is used to inject a malicious web part that includes a vulnerable “Scorecard:ExcelDataSet” control with a compressed deserialization payload, shown in the figure below. When processed, the payload leads to remote code execution without any user interaction. This parameter is the primary vector for delivering the attack payload.
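The request shape described above is easy to triage once the two signals (a POST to ToolPane.aspx in edit mode and a Referer pointing at SignOut.aspx) are checked together. The following Python is an added example, not Forescout's eyeAlert or eyeInspect logic. It covers two views of the same request: a raw HTTP capture (honeypot or reverse-proxy tap, where the POST body with MSOTlPn_DWP is visible) and an IIS W3C log (no body, so only URL and Referer are available). All sample data is constructed: the hostname, the /_controltemplates/15/Example.ascx control path, the TEST-NET client address and the base64 blob, which is filler rather than a deserialization gadget.

```python
"""Triage ToolShell-style (CVE-2025-53770 / CVE-2025-53771) requests.

Added example, not Forescout's detection logic. Sample data is constructed.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.I)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")      # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_request(raw: bytes) -> dict:
    """Score one captured request against the ToolShell indicators."""
    method, target, headers, body = parse_http_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query)
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    dwp = form.get("MSOTlPn_DWP", [""])[0].lower()
    ind = {
        "toolpane_post": method.upper() == "POST" and bool(TOOLPANE_RE.search(url.path)),
        "edit_mode": query.get("DisplayMode", [""])[0].lower() == "edit",
        "spoofed_referer": bool(SIGNOUT_RE.search(headers.get("referer", ""))),
        "loads_user_control": "MSOTlPn_Uri" in form,
        "excel_dataset_webpart": "scorecard:exceldataset" in dwp,
        "compressed_payload": "compresseddatatable" in dwp,
    }
    if ind["toolpane_post"] and ind["spoofed_referer"] and (
            ind["excel_dataset_webpart"] or ind["compressed_payload"]):
        verdict = "exploit"        # bypass shape plus the deserialization sink in the body
    elif ind["toolpane_post"] and ind["spoofed_referer"]:
        verdict = "suspicious"     # bypass shape, but body missing or a different payload
    else:
        verdict = "benign"         # e.g. an authenticated editor with a normal Referer
    return {"verdict": verdict, "indicators": ind, "score": sum(ind.values())}


def scan_iis_log(log_text: str) -> list:
    """Return (client_ip, uri_stem) for W3C log lines matching the request shape.

    The #Fields: directive drives the column mapping, so any field order works.
    """
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        if (rec.get("cs-method", "").upper() == "POST"
                and TOOLPANE_RE.search(rec.get("cs-uri-stem", ""))
                and "displaymode=edit" in rec.get("cs-uri-query", "").lower()
                and SIGNOUT_RE.search(rec.get("cs(Referer)", ""))):
            hits.append((rec["c-ip"], rec["cs-uri-stem"]))
    return hits


# --- constructed samples (not captured traffic) -------------------------------
_HEAD = (b"POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1\r\n"
         b"Host: sharepoint.example.internal\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n")
_BODY = urlencode({
    "MSOTlPn_Uri": "/_controltemplates/15/Example.ascx",   # placeholder control path
    "MSOTlPn_DWP": '<Scorecard:ExcelDataSet CompressedDataTable="QUFBQUFBQUFBQUFB" '
                   'runat="server" />',                   # filler, not a gadget chain
}).encode()
SAMPLE_EXPLOIT = _HEAD + b"Referer: /_layouts/SignOut.aspx\r\n\r\n" + _BODY
SAMPLE_LEGIT_EDIT = (_HEAD + b"Referer: https://sharepoint.example.internal/SitePages/Home.aspx\r\n\r\n"
                     + urlencode({"MSOTlPn_DWP": "<WebPart/>"}).encode())
SAMPLE_GET = b"GET /_layouts/15/start.aspx HTTP/1.1\r\nHost: sharepoint.example.internal\r\n\r\n"

SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-22 10:15:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 python-requests/2.32 /_layouts/SignOut.aspx 200
2025-07-22 10:15:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.0.42 Mozilla/5.0 - 200
2025-07-22 10:16:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\admin 10.0.0.43 Mozilla/5.0 https://sharepoint.example.internal/SitePages/Home.aspx 200
"""

if __name__ == "__main__":
    for name, req in [("exploit", SAMPLE_EXPLOIT), ("legit edit", SAMPLE_LEGIT_EDIT), ("get", SAMPLE_GET)]:
        print(name, classify_request(req)["verdict"])
    print(scan_iis_log(SAMPLE_IIS_LOG))
```

The third log line shows why the Referer check matters: an authenticated administrator editing a web part page also POSTs to ToolPane.aspx in edit mode, so matching on the URL alone would page on routine activity. A log-only match is still classified at most "suspicious" by design, because IIS never records the MSOTlPn_DWP body.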

The decoded payloads in this attack reference various internal system objects and carry the PowerShell commands executed on the SharePoint server. One common tactic is a PowerShell command that decodes a base64-encoded string embedded in the payload and writes the decoded data to a file named spinstall0.aspx inside SharePoint's LAYOUTS directory.

The file spinstall0.aspx acts as a web shell, allowing an attacker to remotely execute commands on the server through the SharePoint web interface.

Finally, spinstall0.aspx extracts sensitive cryptographic configuration values from the server's MachineKeySection, including the ValidationKey, DecryptionKey and related settings. It does so by loading the System.Web assembly and invoking the non-public GetApplicationConfig method through reflection, which sidesteps the normal configuration API, and then writes the values directly into the HTTP response. This exposes the secrets ASP.NET relies on to protect authentication tokens, ViewState and encrypted data.

Beyond the initially identified spinstall0.aspx, we have observed naming variations indicative of automated or scripted deployment, such as pinstall.aspx, spinstall1.aspx, spinstallb.aspx and spinstallp.aspx.

We also identified the presence of a JavaScript file, /_layouts/15/debug_dev.js, that contains sensitive configuration data, including values from the web.config file such as the MachineKey, which holds the cryptographic keys used for ViewState validation and forms authentication. Exposure of this data significantly increases the risk of further exploitation, including ViewState forgery and session hijacking.
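Because the attackers vary the web shell name and also drop debug_dev.js, a disk hunt should match on both the name pattern and the MachineKey-theft markers inside the file, so a shell copied under a new name is still found. The Python below is an added example, not Forescout's or Microsoft's tooling. It walks a LAYOUTS directory, flags the name variants and the debug_dev.js drop named above, and flags any .aspx or .js file containing two or more of the strings MachineKeySection, GetApplicationConfig, ValidationKey and DecryptionKey. The sample tree it builds in a temporary directory is constructed, and the shell contents are marker-only stand-ins rather than functioning code; the Windows paths in DEFAULT_ROOTS are the default SharePoint install locations and are not scanned unless you pass them in.

```python
"""Hunt for ToolShell post-exploitation artefacts on disk.

Added example, not Forescout's or Microsoft's tooling. The sample tree is
constructed and the "shells" it contains are marker-only stand-ins.
"""
import hashlib
import os
import re
import tempfile

# Default LAYOUTS locations on a SharePoint server (both hives exist on
# supported versions). Pass your own root when running against a copy.
DEFAULT_ROOTS = [
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
]
# spinstall0.aspx, spinstall1.aspx, spinstallb.aspx, spinstallp.aspx, pinstall.aspx, ...
SHELL_NAME_RE = re.compile(r"^s?pinstall[0-9a-z]*\.aspx$", re.I)
DROP_NAMES = {"debug_dev.js"}
KEY_THEFT_MARKERS = ("MachineKeySection", "GetApplicationConfig", "ValidationKey", "DecryptionKey")


def _sha256(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt_layouts(root: str) -> list:
    """Return findings ({path, sha256, reasons}) for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            reasons = []
            if SHELL_NAME_RE.match(name):
                reasons.append("web shell file name variant")
            if name.lower() in DROP_NAMES:
                reasons.append("known configuration-dump drop name")
            if name.lower().endswith((".aspx", ".js")):
                with open(path, "rb") as fh:
                    data = fh.read().lower()
                hits = [m for m in KEY_THEFT_MARKERS if m.lower().encode() in data]
                # One marker alone (a key name in a comment) is weak; two or more is
                # the reflection-based key dump described in the write-up.
                if len(hits) >= 2:
                    reasons.append("MachineKey theft markers: " + ", ".join(hits))
            if reasons:
                findings.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                                 "sha256": _sha256(path), "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Create a constructed LAYOUTS-like tree; contents are marker-only stand-ins."""
    root = tempfile.mkdtemp(prefix="layouts_")
    samples = {
        "spinstall0.aspx": b'<%@ Page Language="C#" %><script runat="server">'
                           b'/* stand-in: MachineKeySection GetApplicationConfig ValidationKey DecryptionKey */</script>',
        "spinstallb.aspx": b'<%@ Page Language="C#" %><script runat="server">'
                           b'/* stand-in: MachineKeySection GetApplicationConfig */</script>',
        "helper.aspx": b'<%@ Page Language="C#" %><script runat="server">'
                       b'/* renamed stand-in: MachineKeySection DecryptionKey */</script>',
        "debug_dev.js": b'var cfg = {validationKey:"...", decryptionKey:"..."};',
        "start.aspx": b'<%@ Page Language="C#" %><!-- legitimate page, no markers -->',
        "1033/init.js": b'// legitimate script; mentions ValidationKey once in a comment',
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for finding in hunt_layouts(build_sample_tree()):
        print(finding["path"], finding["sha256"][:16], finding["reasons"])
```

On a real server run it against each entry in DEFAULT_ROOTS and against any other web application directories IIS serves. Any hit means the MachineKey should be assumed stolen, so the hunt result feeds directly into the key-rotation step of remediation, not only into file cleanup.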

 

Mitigation Recommendations: How Forescout Can Help

To protect your SharePoint environment, follow these security best practices:

  • Apply Security Updates. Microsoft has released dedicated patches to remediate these vulnerabilities. Immediately install these updates on all affected systems; delaying patching increases the risk of exploitation. Because the web shell exfiltrates the MachineKey, patching alone does not invalidate keys that were already stolen: rotate the ASP.NET machine keys and restart IIS after patching, as Microsoft's guidance directs, and treat any server that served spinstall0.aspx as compromised.
  • Monitor for Suspicious Activity. Closely observe SharePoint logs and system activity for signs of compromise, such as unauthorized file access, privilege escalation, or abnormal network traffic.
  • Restrict Network Access. Limit SharePoint server exposure by implementing network segmentation and firewall rules. Only allow trusted users and devices to access SharePoint services.
  • Enforce Least Privilege. Regularly audit permissions and service accounts. Ensure users and applications have only the minimum access necessary for their roles.
  • Back Up Data. Maintain regular, secure backups of SharePoint content and configurations to facilitate recovery in the event of an attack.

Stay informed of further developments by reading the official Microsoft Security Response Center advisory and applying its recommendations.

Forescout has added the following rules to eyeAlert to detect exploitation of ToolShell:

  • CY-IR-1853: Emerging Threats: SharePoint Vulnerability Exploitation Attempt Detected (CVE-2025-53770)
  • CY-IR-1854: Emerging Threats: Potential SharePoint ToolShell Exploitation Detected (CVE-2025-53770)

Detection capabilities have also been added to eyeInspect on the latest release of the Threat Detection Add-ons script.

 

IOCs

The following IP addresses have been observed attempting to exploit ToolShell:

  • 104[.]236[.]79[.]245
  • 107[.]170[.]36[.]221
  • 138[.]197[.]173[.]50
  • 139[.]162[.]146[.]6
  • 139[.]162[.]152[.]16
  • 139[.]162[.]173[.]241
  • 144[.]172[.]100[.]64
  • 144[.]91[.]96[.]233
  • 154[.]38[.]168[.]192
  • 154[.]38[.]171[.]222
  • 158[.]220[.]106[.]239
  • 158[.]220[.]107[.]208
  • 158[.]220[.]110[.]29
  • 159[.]89[.]163[.]149
  • 161[.]35[.]162[.]232
  • 161[.]35[.]215[.]228
  • 162[.]243[.]108[.]202
  • 162[.]243[.]202[.]165
  • 162[.]243[.]204[.]189
  • 162[.]243[.]216[.]156
  • 162[.]243[.]225[.]48
  • 162[.]243[.]241[.]45
  • 162[.]243[.]86[.]138
  • 163[.]172[.]145[.]125
  • 163[.]172[.]146[.]243
  • 163[.]172[.]158[.]5
  • 163[.]172[.]167[.]69
  • 163[.]172[.]170[.]56
  • 164[.]68[.]123[.]189
  • 165[.]227[.]33[.]111
  • 165[.]232[.]77[.]140
  • 170[.]64[.]187[.]156
  • 172[.]104[.]156[.]100
  • 172[.]104[.]156[.]4
  • 172[.]104[.]234[.]10
  • 172[.]104[.]247[.]139
  • 172[.]105[.]80[.]110
  • 174[.]138[.]85[.]206
  • 184[.]105[.]139[.]68
  • 184[.]105[.]247[.]194
  • 185[.]209[.]228[.]130
  • 185[.]216[.]75[.]220
  • 194[.]163[.]186[.]28
  • 198[.]143[.]33[.]11
  • 198[.]143[.]33[.]33
  • 198[.]143[.]33[.]4
  • 198[.]143[.]33[.]40
  • 198[.]143[.]33[.]42
  • 198[.]143[.]33[.]44
  • 206[.]189[.]88[.]67
  • 212[.]28[.]183[.]86
  • 212[.]47[.]230[.]32
  • 212[.]47[.]251[.]191
  • 213[.]199[.]62[.]175
  • 31[.]220[.]72[.]18
  • 31[.]220[.]73[.]202
  • 31[.]220[.]76[.]142
  • 31[.]220[.]76[.]50
  • 31[.]220[.]87[.]188
  • 45[.]67[.]216[.]167
  • 45[.]8[.]149[.]75
  • 45[.]8[.]149[.]76
  • 45[.]8[.]149[.]80
  • 46[.]101[.]76[.]8
  • 51[.]15[.]129[.]150
  • 51[.]15[.]193[.]80
  • 51[.]15[.]193[.]99
  • 51[.]15[.]195[.]96
  • 51[.]15[.]196[.]176
  • 51[.]15[.]202[.]9
  • 51[.]15[.]213[.]179
  • 51[.]15[.]222[.]233
  • 51[.]15[.]225[.]190
  • 51[.]15[.]228[.]137
  • 51[.]15[.]230[.]111
  • 51[.]15[.]238[.]54
  • 51[.]15[.]239[.]123
  • 51[.]15[.]243[.]253
  • 51[.]15[.]255[.]117
  • 51[.]158[.]121[.]174
  • 51[.]158[.]126[.]255
  • 51[.]158[.]68[.]225
  • 62[.]171[.]187[.]14
  • 64[.]227[.]157[.]165
  • 64[.]62[.]156[.]172
  • 64[.]62[.]156[.]212
  • 64[.]62[.]156[.]24
  • 64[.]62[.]156[.]52
  • 64[.]62[.]156[.]66
  • 64[.]62[.]156[.]80
  • 64[.]62[.]197[.]107
  • 64[.]62[.]197[.]17
  • 65[.]49[.]1[.]202
  • 65[.]49[.]1[.]222
  • 65[.]49[.]1[.]232
  • 65[.]49[.]1[.]24
  • 65[.]49[.]20[.]67
  • 68[.]183[.]43[.]128
  • 74[.]82[.]47[.]5
  • 85[.]239[.]245[.]217
  • 89[.]117[.]144[.]57
  • 89[.]117[.]18[.]228
  • 94[.]72[.]102[.]203
  • 94[.]72[.]102[.]225
  • 94[.]72[.]102[.]253
  • 95[.]111[.]237[.]209
  • 95[.]111[.]241[.]126

 
