ToolShell: Exposing Five Major Vulnerabilities in Microsoft SharePoint

A global campaign targeting on-premises Microsoft SharePoint servers has exposed a critical chain of vulnerabilities, collectively codenamed “ToolShell,” which are being leveraged in active attacks to gain full, unauthenticated access to enterprise systems worldwide.

Multiple security vendors, alongside national Computer Emergency Response Teams (CERTs), have sounded the alarm after detecting sophisticated exploit activity that abuses an attack sequence combining CVE-2025-49704 and CVE-2025-49706.

The exploitation allows hostile actors to bypass authentication seamlessly, execute arbitrary code, and effectively seize control of SharePoint servers.

Zero-Day Tactics

The surge in attacks began affecting diverse sectors including government, finance, manufacturing, forestry, and agriculture in countries such as Egypt, Jordan, Russia, Vietnam, and Zambia.

Security telemetry from Kaspersky confirmed that their products proactively detected and thwarted ToolShell-linked exploits, emphasizing the global scope and cross-industry risk.

The attack itself relies on a crafted POST request targeting the “ToolPane.aspx” endpoint in SharePoint, exploiting improper handling of the parameters “MSOtlPn_Uri” and “MSOtlPn_DWP.”

[Figure: snippet of the exploit POST request]

Crucially, the attackers bypass authentication by leveraging CVE-2025-49706, a flaw in the PostAuthenticateRequestHandler method of Microsoft.SharePoint.dll that erroneously authorizes requests with a manipulated “Referer” HTTP header.

Despite Microsoft releasing a patch to address this logic error, researchers demonstrated that the fix could be circumvented with a single-character change: adding a trailing slash to the endpoint path. This necessitated a subsequent emergency patch (CVE-2025-53771).

This second update restricted accepted paths via an explicit allowlist, further hardening the endpoint authentication mechanism.
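The trailing-slash bypass above is a reminder that any detection keyed on the endpoint name has to normalize the request path first. The following is an added example, not code from the article or from any vendor: it parses IIS W3C log lines (constructed sample data, not real traffic) and flags POST requests to ToolPane.aspx that were handled without an authenticated user, comparing the path case-insensitively, after percent-decoding, and with trailing slashes stripped. The `/_layouts/15/` prefix is the standard SharePoint layouts location; the field order follows the sample's own `#Fields:` header.

```python
"""Flag anonymous POST requests to SharePoint's ToolPane.aspx in IIS W3C logs.

Added detection example. SAMPLE_LOG is constructed for illustration only.
"""
from urllib.parse import unquote

# Constructed sample in IIS W3C format (no real hosts, users or traffic).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status",
    r"2025-07-19 10:15:02 GET /_layouts/15/start.aspx - CONTOSO\jdoe 198.51.100.7 - 200",
    "2025-07-19 10:15:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 203.0.113.10 http://sp.example.test/_layouts/placeholder.aspx 200",
    "2025-07-19 10:15:11 POST /_layouts/15/ToolPane.aspx/ DisplayMode=Edit - 203.0.113.10 http://sp.example.test/_layouts/placeholder.aspx 200",
    r"2025-07-19 10:15:13 POST /_layouts/15/toolpane.aspx - CONTOSO\admin 198.51.100.7 https://sp.example.test/sites/hr/_layouts/15/default.aspx 200",
    "2025-07-19 10:15:20 POST /_layouts/15/%54oolPane.aspx/ DisplayMode=Edit - 203.0.113.10 - 401",
])


def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields: header for names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def normalize_stem(stem):
    """Percent-decode, lowercase and strip trailing slashes so that
    'ToolPane.aspx/' and '%54oolPane.aspx' compare equal to 'toolpane.aspx'."""
    s = unquote(stem).lower()
    while s.endswith("/"):
        s = s[:-1]
    return s


def is_anonymous_toolpane_post(rec):
    """True for a POST to ToolPane.aspx with no authenticated user ('-' in IIS logs)."""
    return (
        rec["cs-method"].upper() == "POST"
        and normalize_stem(rec["cs-uri-stem"]).endswith("/toolpane.aspx")
        and rec["cs-username"] == "-"
    )


def find_suspicious(text):
    """Return the matching records with the fields an analyst would triage on."""
    hits = []
    for rec in parse_w3c(text):
        if is_anonymous_toolpane_post(rec):
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "ip": rec["c-ip"],
                "stem": rec["cs-uri-stem"],
                "referer": rec["cs(Referer)"],
                "status": rec["sc-status"],
            })
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(h)
```

Both the 200 and the 401 responses are reported: a blocked attempt still tells a responder that someone is probing the endpoint, and the `status` field lets the patched and unpatched cases be told apart in the same query.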

Complex Vulnerability Chain Revealed

In parallel, attackers exploited CVE-2025-49704, a deserialization vulnerability rooted in unsafe XML handling of the “MSOtlPn_DWP” parameter.

The flaw allows instantiation of unsafe objects, specifically by abusing the ExcelDataSet control in Microsoft.PerformancePoint.Scorecards.Client.dll with malicious base64-encoded payloads and the well-known ExpandedWrapper attack technique in .NET.

[Figure: unauthorized access checks bypassed by the exploit]

Although Microsoft issued a mitigation in July, it merely flagged the vulnerable control as unsafe in web.config. Critically, this mitigation required SharePoint administrators to manually execute a configuration upgrade, a step omitted by many, prolonging exposure to compromise.
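Because the July mitigation only took effect once the SafeControl entry marking ExcelDataSet unsafe actually landed in web.config, an administrator wants a check that reads the file as deployed rather than trusting that the update ran. The following is an added example, not code from the article or from Microsoft: it evaluates SharePoint's SafeControls list for a given control using the documented precedence (an entry naming the exact TypeName overrides a wildcard `TypeName="*"` entry for the same assembly and namespace; a control with no matching entry is unsafe). The two web.config fragments are constructed, and the namespace `Microsoft.PerformancePoint.Scorecards` is assumed for the ExcelDataSet control; only the assembly name comes from the article.

```python
"""Audit a SharePoint web.config for the ExcelDataSet SafeControl mitigation.

Added example. The config fragments are constructed, not copied from a server.
"""
import xml.etree.ElementTree as ET

# Constructed: wildcard entry only, i.e. the pre-mitigation state.
UNPATCHED_CONFIG = """<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0"
                   Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="*" Safe="True" />
    </SafeControls>
  </SharePoint>
</configuration>"""

# Constructed: wildcard entry plus the explicit Safe="False" override for ExcelDataSet.
PATCHED_CONFIG = """<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0"
                   Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="*" Safe="True" />
      <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0"
                   Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="ExcelDataSet" Safe="False" />
    </SafeControls>
  </SharePoint>
</configuration>"""

# (assembly short name, namespace, type name); namespace is an assumption.
EXCEL_DATASET = (
    "Microsoft.PerformancePoint.Scorecards.Client",
    "Microsoft.PerformancePoint.Scorecards",
    "ExcelDataSet",
)


def _short_assembly(assembly_attr):
    """'Name, Version=..., Culture=...' -> 'name' (the part before the first comma)."""
    return assembly_attr.split(",")[0].strip().lower()


def safe_control_entries(config_xml):
    """All <SafeControl> attribute dicts, wherever they sit in the document."""
    root = ET.fromstring(config_xml)
    return [e.attrib for e in root.iter("SafeControl")]


def is_control_safe(config_xml, assembly, namespace, typename):
    """True if SharePoint would treat the control as safe under the assumed precedence:
    exact TypeName (specificity 2) beats wildcard '*' (specificity 1); no match is unsafe."""
    best = None  # (specificity, safe_flag)
    for e in safe_control_entries(config_xml):
        if _short_assembly(e.get("Assembly", "")) != assembly.lower():
            continue
        if e.get("Namespace", "") != namespace:
            continue
        t = e.get("TypeName", "*")
        if t == typename:
            spec = 2
        elif t == "*":
            spec = 1
        else:
            continue
        flag = e.get("Safe", "True").strip().lower() == "true"
        if best is None or spec > best[0]:
            best = (spec, flag)
    return best is not None and best[1]


def audit_excel_dataset(config_xml):
    """Report whether the explicit 'ExcelDataSet is unsafe' entry is effective."""
    safe = is_control_safe(config_xml, *EXCEL_DATASET)
    return {"excel_dataset_safe": safe, "mitigation_applied": not safe}


if __name__ == "__main__":
    print("unpatched:", audit_excel_dataset(UNPATCHED_CONFIG))
    print("patched:  ", audit_excel_dataset(PATCHED_CONFIG))
```

Run it against the web.config of every web application on the farm, not just one: the article's point is that the configuration upgrade was a per-farm manual step, so a server can carry the patched binaries and still have the wildcard entry alone.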

A comprehensive fix, published as CVE-2025-53770, introduced robust XML type validation via an upgraded XmlValidator, closing the loopholes and mitigating a technique previously seen in the 2020 .NET remote code execution bug CVE-2020-1147.

The ToolShell episode demonstrates a recurring theme in corporate cybersecurity: even after patches are released, incomplete deployment, lack of awareness around post-patch configuration steps, or minor implementation oversights can keep critical infrastructure vulnerable for weeks or months.

Like historic threats such as ProxyLogon, PrintNightmare, and EternalBlue, the ease of exploitation and public availability of ToolShell attack code are expected to fuel persistent exploitation well beyond the initial disclosure.

Security experts urgently recommend immediate deployment of all relevant SharePoint updates, continuous monitoring for exploit activity, and the use of advanced endpoint protections.

Without prompt and comprehensive action, ToolShell, now a historic case study in the lifecycle of enterprise threats, will remain a potent risk to organizations globally.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
