CVE-2025-49704 (exploited in the wild)

Microsoft SharePoint Server, server-side code injection RCE (ToolShell)

A code injection vulnerability in Microsoft Office SharePoint Server allows an authorized attacker to execute arbitrary code over a network. The flaw is due to improper control of generation of code in on-premises SharePoint Server. Chained with the CVE-2025-49706 spoofing vulnerability, it forms the ToolShell exploit chain that enables unauthenticated remote code execution against internet-facing SharePoint servers, and it has been actively exploited in the wild.

Overview

CVE-2025-49704 is a server-side code injection vulnerability in on-premises Microsoft SharePoint Server that allows an authorized attacker to execute arbitrary code over the network. It is one half of the exploit chain publicly known as ToolShell: combined with CVE-2025-49706, a spoofing vulnerability, it enables unauthenticated remote code execution against internet-facing SharePoint servers. The National Vulnerability Database assigns a CVSS v3.1 base score of 8.8 (high). The vulnerability is actively exploited in the wild and was added to the CISA Known Exploited Vulnerabilities catalog on July 22, 2025, with an emergency remediation deadline of July 23, 2025. Microsoft has attributed exploitation to the China-based threat actors Linen Typhoon and Violet Typhoon, as well as Storm-2603, which deployed Warlock ransomware.

Technical Details

The flaw is classified as CWE-94 (Improper Control of Generation of Code). SharePoint improperly handles attacker-influenced input in a way that results in server-side code being generated and executed, giving an authenticated user the ability to run arbitrary code in the context of the IIS worker process (w3wp.exe) that hosts the SharePoint application. On its own the vulnerability requires an authenticated session, which the CVSS vector records as low privileges required (PR:L); the chain described below removes that requirement.

The operational danger comes from chaining. CVE-2025-49706 is a spoofing flaw that lets an unauthenticated attacker bypass authentication, including identity controls such as MFA and SSO. By first exploiting the spoofing bug and then the code injection bug, attackers achieve unauthenticated remote code execution. Observed exploitation sends a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx. After gaining execution, attackers commonly drop a web shell named spinstall0.aspx (and variants) into the SharePoint LAYOUTS directory and use it to read the server's ASP.NET cryptographic machine keys (ValidationKey and DecryptionKey). With those keys, an attacker can forge validly signed __VIEWSTATE payloads and regain code execution even after the code fix is installed, which is why key rotation is mandatory. Microsoft first addressed the flaw in the July 8, 2025 security updates. Variants that bypassed those fixes were later assigned CVE-2025-53770 (code injection) and CVE-2025-53771 (spoofing); the CVE-2025-53770 updates supersede the July 8 updates and provide the more comprehensive fix: KB5002768 for SharePoint Server Subscription Edition, KB5002754 (plus language pack KB5002753) for SharePoint Server 2019, and KB5002760 (plus language pack KB5002759) for SharePoint Server 2016. SharePoint Online in Microsoft 365 is not affected.

Impact

  • Authenticated attackers can execute arbitrary code on the SharePoint server; chained with CVE-2025-49706, exploitation becomes fully unauthenticated (ToolShell).
  • Theft of ASP.NET machine keys enables durable, post-patch persistence by forging valid ViewState payloads, so patching alone is insufficient without key rotation.
  • Full server compromise: deployment of web shells, lateral movement across the SharePoint farm, credential and data theft, and in some intrusions deployment of Warlock ransomware.
  • High impact to confidentiality, integrity, and availability of the SharePoint farm and the documents and identities it hosts.

Mitigation

  1. Apply the current security updates for your edition: the July 8, 2025 updates addressed CVE-2025-49704 and CVE-2025-49706, and the subsequent CVE-2025-53770 updates, KB5002768 for SharePoint Server Subscription Edition, KB5002754 (and language pack KB5002753) for SharePoint Server 2019, and KB5002760 (and language pack KB5002759) for SharePoint Server 2016, supersede them and provide the comprehensive fix; a farm on the July 8 build alone is not fully protected.
  2. Rotate the ASP.NET machine keys for every web application after patching, using the Update-SPMachineKey (or Set-SPMachineKey) cmdlet or by running the Machine Key Rotation timer job from Central Administration (Monitoring > Review job definitions), because stolen keys allow persistence after the code fix. Rotate only after the update is installed: keys rotated on an unpatched server can simply be stolen again.
  3. Restart IIS with iisreset.exe on all SharePoint servers so that rotated keys take effect.
  4. Enable AMSI (Antimalware Scan Interface) integration in Full Mode and run Microsoft Defender Antivirus on all SharePoint servers; Microsoft reports that this configuration blocks the unauthenticated exploitation attempts. If AMSI cannot be enabled, disconnect the server from the internet until it is patched.
  5. For end-of-life versions (SharePoint Server 2013 and earlier) that cannot be patched, disconnect them from the internet or decommission them; per CISA guidance, public-facing EOL/EOS instances must be isolated or removed.
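Steps 1 to 3 written out as one PowerShell procedure. This is an added example, not Microsoft's or the page's own script. It assumes an elevated SharePoint Management Shell on one server of the farm, uses Update-SPMachineKey to trigger the rotation job (Set-SPMachineKey is the alternative the page names), and takes a $MinimumBuild parameter whose default is a placeholder: replace it with the fixed build number for your edition from Microsoft's advisory. The iisreset at the end must then be repeated on every server in the farm.

```powershell
# Added example (not from the page or from Microsoft): post-patch machine key rotation.
# Run from an elevated SharePoint Management Shell on one server in the farm.
# ASSUMPTION: $MinimumBuild defaults to a placeholder; pass the fixed build for your
# edition as published in Microsoft's advisory, otherwise the gate below is meaningless.
param(
    [version]$MinimumBuild = [version]'16.0.0.0'
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Refuse to rotate keys on an unpatched farm: an attacker who can still exploit
#    the flaw would simply read the freshly generated keys.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinimumBuild) {
    throw "Farm build $farmBuild is below the fixed build $MinimumBuild; install the security update first."
}
Write-Host "Farm build $farmBuild is at or above $MinimumBuild; proceeding with key rotation."

# 2. Rotate the ASP.NET machine keys for every web application, Central Administration
#    included. Update-SPMachineKey triggers the Machine Key Rotation timer job, which
#    writes new ValidationKey/DecryptionKey values into each server's web.config.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so the worker processes load the new keys. Repeat this line on
#    every other SharePoint server in the farm.
& iisreset.exe /noforce
```

Keep the build-number gate even if it feels redundant: the most common mistake in ToolShell remediation was rotating keys before the update was installed on every server, which left the new keys as exposed as the old ones.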

Detection

The highest-fidelity indicators are the documented ToolShell artifacts. Search every SharePoint server's LAYOUTS directories (under \Web Server Extensions\15\TEMPLATE\LAYOUTS\ or \Web Server Extensions\16\TEMPLATE\LAYOUTS\, depending on the version) for the web shell spinstall0.aspx and variants; the known spinstall0.aspx payload has SHA-256 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514. Also hunt for suspicious .NET modules dropped as payloads, reported with names such as qlj22mpc and bjcloiyq. Any newly created .aspx file in the LAYOUTS path that was not delivered by a Microsoft update is a strong compromise indicator.

In IIS logs, look for requests to /_layouts/15/ToolPane.aspx carrying the query string DisplayMode=Edit&a=/ToolPane.aspx, especially POST requests, which is the core exploitation pattern. Pay particular attention to requests with a Referer header pointing at /_layouts/SignOut.aspx, a signature reported for the spoofing step of the chain. Successful exploitation may be followed by GET requests to the planted spinstall0.aspx, sometimes returning machine-key material as pipe-delimited strings in the HTTP response body; alert on responses from that path that contain key-like data.

On the host, monitor the SharePoint worker process w3wp.exe for spawning cmd.exe, powershell.exe, or encoded PowerShell commands; web servers should rarely launch interactive shells, so EDR alerts on these parent-child relationships are high value. Correlate with file creation events in the LAYOUTS directory and with any process performing base64-encoded command execution.

Review threat-intelligence IOC lists for the campaign's exploitation source IP addresses (Unit 42 published 16 such IPs, including 96.9.125.147 and 107.191.58.76) and block or alert on traffic from them. Because attackers steal machine keys for persistence, any server that was internet-exposed and unpatched before July 8, 2025 should be treated as compromised even if no web shell is currently present: rotate keys, restart IIS, and conduct a forensic review for forged ViewState activity and lateral movement. Retain IIS and endpoint logs covering at least early July 2025 onward, since exploitation of this chain began around July 7, 2025.
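The file-artifact sweep and the IIS log pattern described above, as one PowerShell hunting script. This is an added example, not tooling from the page or from Microsoft. Find-ToolShellRequests parses W3C-format IIS logs by their #Fields: header and flags the ToolPane.aspx pattern, the SignOut.aspx Referer, and follow-on requests to spinstall-style shells; Find-SuspiciousLayoutsFiles sweeps the LAYOUTS directories for the known spinstall0.aspx hash, spinstall-style names, and .aspx files created after the July 7, 2025 cut-off. The sample log is constructed, the LAYOUTS paths and the cut-off date are assumptions, and the function names are this example's own.

```powershell
# Added example (not from the page or from Microsoft): ToolShell hunting helpers.
# ASSUMPTIONS: W3C IIS logs with a #Fields: header; LAYOUTS under
# Common Files\Microsoft Shared\Web Server Extensions\<15|16>\TEMPLATE\LAYOUTS;
# July 7, 2025 used as the date exploitation began.

function Find-ToolShellRequests {
    # Parse W3C IIS log lines and return requests matching the chain's HTTP signature.
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'      # column names for this file
            continue
        }
        if ($null -eq $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }           # malformed or truncated line
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        $stem    = $rec['cs-uri-stem']
        $query   = $rec['cs-uri-query']
        $referer = $rec['cs(Referer)']
        $finding = $null

        # Core pattern: ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx, usually a POST.
        if ($stem -match '/_layouts/1[56]/ToolPane\.aspx$' -and
            $query -match 'DisplayMode=Edit' -and $query -match 'a=/ToolPane\.aspx') {
            $finding = 'ToolPane exploitation pattern'
            if ($referer -match '/_layouts/(1[56]/)?SignOut\.aspx') { $finding += ' with SignOut.aspx Referer' }
        }
        elseif ($stem -match '/_layouts/1[56]/spinstall\d*\.aspx$') {
            # Follow-on access to the planted web shell (spinstall0.aspx and renamed variants).
            $finding = 'request to spinstall web shell'
        }

        if ($finding) {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIp = $rec['c-ip']
                Method   = $rec['cs-method']
                Status   = $rec['sc-status']
                Request  = "$stem?$query"
                Finding  = $finding
            }
        }
    }
}

function Find-SuspiciousLayoutsFiles {
    # Sweep LAYOUTS for the known shell hash, spinstall-style names, and .aspx files
    # created after exploitation began. Files delivered by a Microsoft update will
    # also trip the date rule and must be triaged against the update's file list.
    param(
        [string[]]$LayoutsRoots = @(
            "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
            "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
        ),
        [string]$KnownShellSha256 = '92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514',
        [datetime]$Since = [datetime]'2025-07-07'
    )
    foreach ($root in $LayoutsRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $root -Filter *.aspx -File -Recurse -ErrorAction SilentlyContinue) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            $finding = $null
            if ($hash -eq $KnownShellSha256)          { $finding = 'matches known spinstall0.aspx SHA-256' }
            elseif ($file.Name -match '^spinstall')   { $finding = 'spinstall-style file name' }
            elseif ($file.CreationTimeUtc -ge $Since) { $finding = 'created after exploitation began; confirm it came from an update' }
            if ($finding) {
                [pscustomobject]@{ Path = $file.FullName; CreatedUtc = $file.CreationTimeUtc; Sha256 = $hash; Finding = $finding }
            }
        }
    }
}

# Constructed sample log (not real traffic): a normal request, the exploitation POST with
# the SignOut.aspx Referer, and the attacker fetching the planted shell afterwards.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 10:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 python-requests/2.32.3 https://sp.contoso.local/_layouts/SignOut.aspx 200 0 0 350
2025-07-18 10:02:14 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 python-requests/2.32.3 - 200 0 0 15
'@

Find-ToolShellRequests -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# Against real logs on a SharePoint server:
#   Find-ToolShellRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC*\*.log') | Export-Csv toolshell-hits.csv
Find-SuspiciousLayoutsFiles | Format-Table -AutoSize
```

On the sample input the first function returns two objects: the POST flagged as "ToolPane exploitation pattern with SignOut.aspx Referer" and the GET flagged as "request to spinstall web shell", both from 203.0.113.77; the normal start.aspx request is ignored. Run the log parser over every W3SVC site directory on every farm server, not just the default site, since the chain can be driven through any web application that exposes /_layouts/.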
