“ToolShell” Exploit Chain Targets SharePoint Servers for Full Takeover

FortiGuard Labs has identified an active threat campaign dubbed “ToolShell” targeting on-premises Microsoft SharePoint servers across enterprise environments.

The sophisticated attack chain combines two previously patched vulnerabilities with two fresh zero-day exploits to achieve remote code execution on SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

CISA has already added these critical vulnerabilities to its Known Exploited Vulnerabilities catalog, indicating widespread exploitation attempts against organizational infrastructure.

Advanced Exploit Chain Leverages

The ToolShell campaign represents a significant escalation in SharePoint-targeted attacks, combining CVE-2025-49704 and CVE-2025-49706 with two newly discovered zero-day variants, CVE-2025-53770 and CVE-2025-53771.

Threat actors initiate attacks through the “spinstall0.aspx” exploitation vector, using simple curl commands such as curl -X POST "http://target/spinstall0.aspx" -d "cmd=ipconfig" and PowerShell scripts to upload system information to remote command-and-control servers.

The initial reconnaissance phase involves probing commands that extract network configuration data via ipconfig and perform system enumeration through PowerShell’s Get-WmiObject cmdlets.

This multi-stage approach allows attackers to map target environments before deploying more sophisticated payloads, demonstrating the methodical nature of these threat actors.

Malware Components Deploy Advanced Evasion Techniques

The campaign deploys two primary malware components: GhostWebShell and KeySiphon, each engineered for specific post-exploitation objectives.

GhostWebShell operates as a fileless ASP.NET web shell that embeds Base64-encoded pages and exposes a “?cmd=” parameter for arbitrary command execution.

The malware dynamically spawns cmd.exe /c <command> processes while capturing both STDOUT and STDERR outputs, wrapping results in <pre> tags for HTTP transmission.

KeySiphon focuses on credential harvesting and system reconnaissance, utilizing System.Environment APIs to fingerprint target systems, including CPU core counts, system uptime, and operating system versions.

The malware’s most dangerous capability involves invoking the private MachineKeySection.GetApplicationConfig() method to extract validation and decryption keys, enabling authentication token forgery and ViewState manipulation.

Both components employ advanced evasion techniques, including BuildManager flag manipulation through reflection and custom VirtualPathProvider registration to bypass precompilation checks.

Enterprise Defense Strategies and Available Protections

Organizations must implement immediate patching protocols alongside layered security controls to mitigate this ongoing threat.

FortiGuard Labs has released an IPS signature MS.SharePoint.ToolShell.Remote.Code.Execution and antivirus detections, including MSIL/Agent.NEM!tr, MSIL/Agent.EME!tr, and HTML/Webshell.231A!tr.

Network administrators should deploy FortiGate, FortiMail, FortiClient, and FortiEDR solutions with updated threat intelligence feeds.

Critical indicators of compromise include suspicious IP addresses such as 157.245.126.186, 159.203.88.182, and 146.190.224.250, along with malicious file hashes including 10e01ce96889c7b4366cfa1e7d99759e4e2b6e5dfe378087d9e836b7278abfb6.

Security teams should implement rigorous log monitoring for unusual SharePoint access patterns and suspicious activity involving /_layouts/15/ directory requests, particularly those targeting dynamically generated ASPX files with random numerical suffixes.
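The following is an added detection example (not code from FortiGuard Labs or Cyber Press) that applies the monitoring advice above to constructed IIS-style request log lines: it flags requests to numeric-suffixed ASPX pages under /_layouts/15/, POSTs to unexpected pages there, and the “cmd=” parameter used by the web shell. The field layout, the sample lines, and the KNOWN_PAGES baseline are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed log format (an abbreviated W3C-style field set) and sample lines; not real telemetry.
FIELDS = ["date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "c-ip", "sc-status"]
SAMPLE_LOG = """\
2025-07-20 10:01:02 GET /_layouts/15/start.aspx - 10.0.0.5 200
2025-07-20 10:01:09 POST /_layouts/15/spinstall0.aspx - 203.0.113.7 200
2025-07-20 10:01:11 GET /_layouts/15/spinstall0.aspx cmd=ipconfig 203.0.113.7 200
2025-07-20 10:02:30 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 10.0.0.8 200
2025-07-20 10:03:15 GET /_layouts/15/spinstall1.aspx - 203.0.113.7 404
"""

LAYOUTS_ASPX = re.compile(r"^/_layouts/15/(?P<name>[^/]+\.aspx)$", re.IGNORECASE)
NUMERIC_SUFFIX = re.compile(r"^[a-z_]+\d+\.aspx$", re.IGNORECASE)
# Hypothetical baseline of legitimate pages; build the real one from your own farm's logs.
KNOWN_PAGES = {"start.aspx", "settings.aspx", "viewlsts.aspx"}

def parse_line(line: str) -> Dict[str, str]:
    """Split one whitespace-delimited log line into the FIELDS declared above."""
    return dict(zip(FIELDS, line.split()))

def classify(entry: Dict[str, str]) -> List[str]:
    """Return the list of reasons a request looks like ToolShell post-exploitation activity."""
    reasons = []
    stem, query = entry["cs-uri-stem"], entry["cs-uri-query"]
    m = LAYOUTS_ASPX.match(stem)
    if m:
        name = m.group("name").lower()
        if name not in KNOWN_PAGES and NUMERIC_SUFFIX.match(name):
            reasons.append("numeric-suffix ASPX under /_layouts/15/")
        if entry["cs-method"].upper() == "POST" and name not in KNOWN_PAGES:
            reasons.append("POST to unexpected /_layouts/15/ page")
    if re.search(r"(^|&)cmd=", query, re.IGNORECASE):
        reasons.append("cmd= parameter (web shell command channel)")
    return reasons

def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan a log body and return one hit per suspicious request with its client IP and reasons."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and W3C directive lines
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            hits.append({"c-ip": entry["c-ip"], "uri": entry["cs-uri-stem"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Group hits by c-ip in practice; a single source producing both a numeric-suffix page request and a cmd= query, as in the sample, is the pattern worth an immediate triage.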

AnuPriya
Any Priya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
