EXCLUSIVE: 'ToolShell' Zero-Day Exposes Critical Infrastructure Worldwide — SharePoint Vulnerability Creates Persistent Backdoors Even After Patching

A sophisticated zero-day vulnerability in Microsoft SharePoint Server has compromised at least 50 organizations globally, including U.S. government agencies, universities, energy companies, and financial institutions. The attack, dubbed 'ToolShell,' allows hackers to gain complete control of affected systems and—most alarmingly—steal cryptographic keys that enable persistent access even after security patches are applied.

This investigation reveals how the vulnerability chain, tracked as CVE-2025-53770 and CVE-2025-53771, creates an unprecedented level of risk for organizations running on-premises SharePoint servers. Security researchers warn that hundreds of thousands of internet-exposed SharePoint instances could be vulnerable, with attacks first detected in mid-July 2025.

"This isn't just another vulnerability—it's a persistent compromise mechanism," said a senior security researcher who requested anonymity due to the sensitivity of ongoing investigations. "Even after patching, attackers who have already exploited the flaw can retain access through stolen authentication tokens."

The Anatomy of a Critical Exploit

The primary vulnerability (CVE-2025-53770) enables unauthenticated remote code execution through insecure deserialization in SharePoint's __VIEWSTATE mechanism. When combined with an authentication bypass vulnerability (CVE-2025-53771), attackers can execute arbitrary code with system-level privileges, completely circumventing security controls including multi-factor authentication.

The attack chain, first publicly disclosed at a Berlin hacking conference, specifically targets SharePoint's /_layouts/ directory through specially crafted POST requests. Attackers leverage these vulnerabilities to inject malicious PowerShell commands that establish persistence and exfiltrate sensitive data.

What distinguishes this attack from typical vulnerabilities is its ability to steal ASP.Net secret machine keys, which are used to validate authentication tokens. With these keys, attackers can forge valid authentication tokens for SharePoint and potentially other connected Microsoft services like Teams, Outlook, and OneDrive.

"The key theft capability is what makes this attack particularly devastating," according to documentation from Eye Security, one of the first firms to detect the widespread exploitation. "Even after applying patches, organizations remain vulnerable if attackers have already stolen these cryptographic keys."

Global Impact and Targeted Sectors

The scope of the ToolShell campaign is extensive, with confirmed victims across multiple critical sectors. According to multiple security firms tracking the incident, between 50 and 150 organizations have been confirmed as compromised, though the actual number is likely much higher.

Affected organizations include:

• U.S. federal government agencies
• Educational institutions, including major universities
• Energy sector companies
• Telecommunications providers
• Financial institutions

In the United States alone, more than 3,000 potentially vulnerable SharePoint instances have been identified, according to a report from NextGov.

The attack specifically targets on-premises SharePoint deployments, not cloud-based Microsoft 365 services. Vulnerable versions include SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. Microsoft has indicated that some older versions will not receive patches and must be isolated immediately.

"Organizations running legacy SharePoint versions face a particularly difficult situation," noted a SOCRadar analysis document. "Without available patches, complete isolation may be the only secure option."

Attack Timeline and Detection

The first wave of attacks was detected around July 18-19, 2025, though security researchers believe initial exploitation may have begun earlier. Eye Security was among the first to identify the mass exploitation campaign, which quickly triggered alerts across the cybersecurity community.

The attacks appear to be occurring in waves, suggesting multiple threat actors may be exploiting the vulnerability. Initial exploitation focused on reconnaissance and establishing backdoors, followed by more targeted data exfiltration and credential theft.

A typical attack sequence involves:

1. Initial access through the SharePoint vulnerability using specially crafted POST requests to /_layouts/ endpoints
2. Execution of PowerShell commands to establish persistence
3. Deployment of a file commonly named spinstall.aspx to facilitate exfiltration of cryptographic keys
4. Theft of ASP.Net machine keys and other credentials
5. Creation of forged authentication tokens for persistent access

"The attackers are demonstrating sophisticated tactics," according to Rapid7's analysis. "They're not just exploiting the initial vulnerability but are establishing multiple persistence mechanisms to maintain access even after remediation efforts."

Technical Details of the Exploit Chain

The ToolShell attack combines two critical vulnerabilities to achieve its devastating impact:

CVE-2025-53770: This vulnerability allows unauthenticated remote code execution through insecure deserialization of untrusted data. The flaw specifically affects SharePoint's handling of __VIEWSTATE parameters, enabling attackers to inject and execute malicious code.

CVE-2025-53771: This related vulnerability enables authentication bypass, allowing attackers to circumvent security controls including multi-factor authentication.

Together, these vulnerabilities create what security researchers call a "full RCE chain" — complete remote code execution capabilities without requiring any user credentials.

The attack typically begins with specially crafted requests to SharePoint's /_layouts/ directory, particularly targeting endpoints like /toolbox/toolpages or /_layouts/signout.aspx. By manipulating request headers and parameters, attackers can trigger the deserialization vulnerability and execute arbitrary PowerShell commands.

One of the primary payloads observed in these attacks is a web shell named spinstall.aspx, which provides persistent access to the compromised server. This file is used to extract configuration data, including the critical ASP.Net machine keys that validate authentication tokens.

"The attackers are specifically targeting the cryptographic keys that underpin SharePoint's authentication mechanisms," according to DarkAtlas security researchers. "With these keys, they can forge valid authentication tokens that will continue to work even after the vulnerability itself is patched."

Attribution and Threat Actors

While definitive attribution remains challenging, security researchers have observed techniques consistent with both nation-state actors and sophisticated criminal groups.

Some security firms have noted similarities to previous campaigns attributed to Chinese state-sponsored threat actors, particularly those associated with groups like Silk Typhoon. Others have identified tactics consistent with criminal organizations such as Storm-0506 and DarkRead.

"The sophistication of these attacks suggests well-resourced actors with significant capabilities," according to one security analysis. "The targeting of government agencies and critical infrastructure points to potential nation-state involvement, though multiple actors appear to be exploiting the vulnerability."

The widespread nature of the attacks and the variety of tactics observed suggest that multiple threat actors may be exploiting the same vulnerability chain, complicating attribution efforts.

Microsoft's Response and Remediation

Microsoft began releasing emergency updates on July 19, 2025, with initial patches focusing on SharePoint Subscription Edition and SharePoint Server 2019. The company continues to work on patches for SharePoint 2016.

In its security advisory, Microsoft emphasized the critical nature of the vulnerability and recommended immediate patching. For organizations unable to immediately apply patches, Microsoft recommended disconnecting internet-exposed SharePoint instances until updates could be applied.

"This vulnerability represents a significant security risk," Microsoft stated in its advisory. "Organizations should prioritize applying these updates immediately and implement additional security measures to detect potential compromise."

However, security researchers have emphasized that patching alone may be insufficient for organizations that have already been compromised. Because the attack allows theft of cryptographic keys, attackers can maintain access even after the vulnerability is patched.

Microsoft has recommended additional steps for potentially compromised systems, including:

• Rotating all cryptographic keys and secrets
• Conducting thorough forensic analysis to detect indicators of compromise
• Implementing enhanced monitoring for suspicious authentication attempts
• Deploying advanced threat detection tools

Government and Industry Response

The Cybersecurity and Infrastructure Security Agency (CISA) added the SharePoint vulnerabilities to its Known Exploited Vulnerabilities Catalog on July 20, 2025. This addition requires federal civilian agencies to apply patches according to CISA's directive timeline.

"These vulnerabilities pose an unacceptable risk to federal networks," CISA stated in its advisory. "Agencies must take immediate action to mitigate potential impacts."

Industry response has been similarly urgent, with multiple security firms releasing detection tools and mitigation guidance. Eye Security, which was among the first to detect the mass exploitation, has published detailed indicators of compromise to help organizations identify potential breaches.

Several critical infrastructure sectors have established information-sharing initiatives to coordinate response efforts, particularly in the energy and financial sectors where the impact could be most severe.

The Persistent Threat: Beyond Patching

What makes the ToolShell campaign particularly concerning is its ability to establish persistence that survives traditional remediation efforts. By stealing ASP.Net machine keys, attackers can forge valid authentication tokens that will continue to work even after the underlying vulnerability is patched.

"This creates an unprecedented challenge for incident responders," according to security documentation from Eye Security. "Organizations must assume that patching alone is insufficient and must take additional steps to detect and remove persistent access."

These additional steps include:

• Completely regenerating all cryptographic keys and secrets
• Forcing password resets for all accounts
• Implementing enhanced monitoring for suspicious authentication attempts
• Conducting thorough forensic analysis of potentially compromised systems
• Rebuilding critical systems from trusted sources

For organizations with limited security resources, this presents a significant challenge. Many may successfully patch the vulnerability while remaining unaware that attackers have already established persistent access through stolen keys.

Lessons and Long-term Implications

The ToolShell campaign highlights several critical security lessons for organizations running on-premises infrastructure:

The persistence problem: Traditional vulnerability management focuses on patching known flaws. However, sophisticated attacks like ToolShell demonstrate how attackers can establish persistence mechanisms that survive patching. Organizations must develop more comprehensive incident response capabilities that address this reality.

On-premises risks: While cloud services aren't immune to vulnerabilities, the ToolShell campaign specifically targets on-premises SharePoint deployments. This highlights the ongoing security challenges faced by organizations maintaining on-premises infrastructure, particularly as vendor support for older versions diminishes.

Supply chain considerations: The potential for compromised SharePoint instances to provide access to connected services like Teams, OneDrive, and other Microsoft products demonstrates the interconnected nature of modern IT environments. A compromise in one system can have cascading effects across an organization's entire digital ecosystem.

"This incident should serve as a wake-up call for organizations still running on-premises SharePoint," noted one security researcher. "The threat landscape for these deployments is increasingly challenging, and organizations need to evaluate whether the benefits outweigh the security risks."

Ongoing Threat and Future Concerns

As of July 21, 2025, the ToolShell campaign remains active, with new compromises being detected daily. Security researchers expect exploitation attempts to accelerate as more threat actors incorporate the vulnerability into their arsenals.

The situation is particularly concerning for organizations running older SharePoint versions that will not receive patches. These organizations face difficult decisions about whether to accept the risk, implement complex mitigations, or accelerate migration plans to supported platforms.

Beyond the immediate threat, the ToolShell campaign raises questions about the security of authentication mechanisms in widely-used enterprise software. The ability to steal cryptographic keys and forge authentication tokens represents a sophisticated evolution in attack techniques that may become more common in future campaigns.

"We're seeing an evolution in attack sophistication," according to documentation from SOCRadar. "Attackers are no longer just exploiting vulnerabilities for immediate access—they're thinking strategically about how to maintain persistence even after vulnerabilities are patched."

For organizations worldwide, the message is clear: traditional security approaches focused solely on vulnerability patching are increasingly insufficient against sophisticated threat actors. A more comprehensive approach that includes continuous monitoring, threat hunting, and rapid incident response capabilities is essential in today's threat landscape.

As the ToolShell campaign continues to unfold, security researchers, government agencies, and affected organizations are racing to understand the full scope of the compromise and develop effective remediation strategies. The coming weeks will be critical in determining whether this attack represents an isolated incident or the beginning of a new era in persistent cyber threats.