A confirmed SharePoint exploit chain is under active attack. Learn how to patch, protect, and respond.
What Is the SharePoint ToolShell Exploit?
In July 2025, Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of a critical vulnerability chain now known as ToolShell. This chain affects on-premises SharePoint Servers (not Microsoft 365/SharePoint Online).
The vulnerability combination includes:
CVE | Type | Risk |
---|---|---|
CVE-2025-49704 | Remote Code Execution (RCE) | Full unauthenticated execution |
CVE-2025-49706 | Network Spoofing | Authenticated access bypass |
CVE-2025-53770 | Patch Bypass for 49704 | Restores vulnerability post-patch |
CVE-2025-53771 | Patch Bypass for 49706 | Compromises authentication layers |
Affected Systems:
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
- SharePoint 2013 or earlier (no longer supported; must be disconnected)
Why It Matters
This exploit chain gives attackers the ability to:
- Execute code remotely (without logging in)
- Install webshells, drop malware, steal data
- Deploy Warlock ransomware and potentially LockBit payloads
- Move laterally across networks
- Exfiltrate SharePoint file systems and sensitive configs
Attackers have been observed:
- Sending crafted POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Using spoofed requests via /_layouts/SignOut.aspx
- Exploiting known IPs (e.g. 107.191.58.76, 104.238.159.149, 96.9.125.147)
This has been confirmed by:
What to Do Right Now (Step-by-Step)
- Apply Microsoft's Security Patches (released July 8, 2025)
  - KB5002768 (SE), KB5002754 (2019), KB5002760 (2016)
- Rotate ASP.NET Machine Keys
  - Do this before and after patching
- Restart IIS
  - Use iisreset to ensure a clean restart
- Enable AMSI (Antimalware Scan Interface)
  - Configure via PowerShell and deploy Microsoft Defender Antivirus
- Scan logs for attack signatures
  - Review access logs for suspicious ToolPane or SignOut activity
- Audit for compromise
  - Look for unknown .aspx, .dll, or .exe files in SharePoint paths
- Block attacker IPs in your firewall
  - Especially those active July 18-20, 2025
- Disconnect unsupported servers
  - SharePoint 2013 and earlier must be taken offline immediately
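As an added example (not code from Technov8 or Microsoft), the following Python scans an IIS access log in W3C extended format for the two request patterns and the attacker IPs listed above. It assumes the log includes the cs(Referer) field and checks for SignOut.aspx in both the request path and the Referer, since the advisory does not say which one carries it; the sample log is constructed.

```python
"""Flag ToolShell-style requests in an IIS W3C access log (added example)."""
from typing import Dict, Iterator, List, Tuple

TOOLPANE = "/_layouts/15/toolpane.aspx"  # paths are compared case-insensitively
SIGNOUT = "/_layouts/signout.aspx"
KNOWN_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}  # from the advisory

# Constructed sample log, not a real capture; 198.51.100.7 (documentation range)
# stands in for a source that is not on any published IP list.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-19 03:12:44 GET /_layouts/15/start.aspx - 10.0.0.15 - 200
2025-07-19 03:13:02 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 107.191.58.76 /_layouts/SignOut.aspx 200
2025-07-19 03:15:30 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 /_layouts/SignOut.aspx 200
2025-07-19 03:20:11 GET /sites/hr/default.aspx - 10.0.0.22 - 200
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order can differ between log files
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed lines rather than guess
                yield dict(zip(fields, parts))


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry looks like ToolShell activity (empty if none)."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    referer = entry.get("cs(Referer)", "").lower()
    reasons = []
    if entry.get("cs-method") == "POST" and stem == TOOLPANE and "displaymode=edit" in query:
        reasons.append("POST to ToolPane.aspx?DisplayMode=Edit")
    if SIGNOUT in stem or SIGNOUT in referer:
        reasons.append("SignOut.aspx in request path or Referer")
    if entry.get("c-ip") in KNOWN_IPS:
        reasons.append("source IP on the published attacker list")
    return reasons


def scan(text: str) -> List[Tuple[str, List[str]]]:
    """Return (timestamp and client IP, reasons) for every suspicious entry."""
    return [(f"{e['date']} {e['time']} {e['c-ip']}", why)
            for e in parse_w3c(text) if (why := classify(e))]
```

Run `scan(open(path).read())` over each daily log under the IIS log directory; an entry matching the ToolPane pattern from an address not on the list is still a hit, which is why the IP check is only one of three signals.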
Emergency Response Offer from Technov8
In response to this critical situation, Technov8 is offering support for organizations impacted by ToolShell:
Available Services:
- Patching + config hardening
- ASP.NET machine key rotation
- IIS restart + AMSI/AV setup
- Basic compromise check
For deeper support, Technov8 also offers:
- Forensic compromise assessment
- Ransomware cleanup
- SharePoint hardening and SIEM integration
- SharePoint Online migration & modernization
Contact Technov8 for Immediate Help
- Email: support@technov8s.com
- After-hours emergency response available exclusively for clients with active premium support.
FAQ: SharePoint ToolShell (CVE-2025-49704/49706)
Q: Is SharePoint Online affected?
No. Only on-prem SharePoint servers are impacted.
Q: I already patched. Am I safe?
Maybe. The patch bypasses (CVE-2025-53770/53771) mean you must verify patch levels and still rotate keys.
Q: I'm using SharePoint 2013. Should I worry?
Yes. It's unsupported and vulnerable. Disconnect it now.
Q: What if I find signs of compromise?
Contact us immediately. Do not delay incident response.