ToolShell and the SharePoint Crisis: What You Need to Know and Why Exelegent Clients Are Already Safe
Disrupting active exploitation of on-premises SharePoint vulnerabilities

On July 22, 2025, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) issued coordinated alerts confirming active exploitation of two vulnerabilities in on-premises SharePoint Server:

  • CVE-2025-49704: A remote code execution (RCE) vulnerability (deserialization of untrusted data)
  • CVE-2025-49706: A spoofing vulnerability that lets an unauthenticated request bypass SharePoint authentication

Chained together, they form what is now publicly called the ToolShell exploit chain: the spoofing flaw gets an unauthenticated request to the vulnerable endpoint, and the RCE flaw then runs attacker code on the server, giving complete control of the affected system.

As CEO of Exelegent, I want to explain what this threat is, why it matters, and how we’ve proactively secured every one of our clients — before this became a headline.

1. The Threat: What is ToolShell?

ToolShell is the name given to an exploit chain, discovered in July 2025, that targets on-premises Microsoft SharePoint Server. It combines the spoofing vulnerability (CVE-2025-49706) with the RCE vulnerability (CVE-2025-49704), letting an attacker bypass authentication and execute arbitrary code on an internet-facing SharePoint server.

To make matters worse, Microsoft also identified bypasses of the initial July 8 Patch Tuesday fixes:

  • CVE-2025-53770 (bypasses the RCE fix for CVE-2025-49704)
  • CVE-2025-53771 (bypasses the spoofing fix for CVE-2025-49706)

This means the July 8 updates alone are not enough. Organizations must install the later July 2025 updates that address CVE-2025-53770 and CVE-2025-53771, and then take the additional steps described in section 5 (AMSI, machine key rotation, IIS restart, IOC monitoring) to fully mitigate the risk.

2. The Attackers Behind It

According to Microsoft's official blog, the following threat actors have been observed actively exploiting ToolShell:

  • Linen Typhoon: A China-based nation-state espionage actor known for campaigns targeting government, defense, and human rights organizations.
  • Violet Typhoon: A China-based nation-state espionage actor active since 2015, often targeting NGOs, education, financial services, and healthcare.
  • Storm-2603: A more recent actor that Microsoft assesses with medium confidence to be China-based, previously associated with ransomware deployment (Warlock and LockBit families).

The ToolShell campaign is not isolated — it's a coordinated exploitation of known vulnerabilities, combined with stealthy techniques like web shell persistence, PowerShell-based data exfiltration, and machine key theft.

3. What Happens When You’re Compromised

If your environment is unpatched and exposed to the internet, attackers can:

  • Send a crafted, unauthenticated POST request to /_layouts/15/ToolPane.aspx; the spoofing flaw (CVE-2025-49706 / CVE-2025-53771) lets the request through without a valid session
  • Abuse the deserialization flaw (CVE-2025-49704 / CVE-2025-53770) to execute code on the server and drop a file such as spinstall0.aspx into the SharePoint LAYOUTS directory
  • Use that file to read the ASP.NET MachineKey values (ValidationKey and DecryptionKey); with these, an attacker can forge validly signed ViewState payloads and keep executing code even after the server is patched, which is why key rotation is part of the fix
  • Deploy a web shell to maintain persistent access
  • Run encoded PowerShell commands to move laterally or download additional payloads

Most organizations won’t detect this immediately. There’s often no alert, no downtime, and no suspicious login — until data is stolen or ransomware is deployed weeks later.

4. Who’s at Risk?

If any of the following apply to your organization, you are at risk:

  • You are running SharePoint 2013 or earlier (end of life, unsupported, and not receiving a fix)
  • You are running SharePoint 2016, 2019, or Subscription Edition but have not applied the July 2025 security updates, including the later ones for CVE-2025-53770 and CVE-2025-53771
  • You have not rotated your ASP.NET MachineKeys after patching (keys stolen before the patch keep working afterwards)
  • AMSI integration for SharePoint is not enabled, or is not running in Full Mode
  • Microsoft Defender Antivirus is not actively deployed on SharePoint servers
  • You lack real-time monitoring for unauthenticated POST traffic to ToolPane.aspx or for abnormal web shell behavior

The ToolShell exploit is active. It’s targeted. And it’s dangerous — not just for SharePoint content, but for your entire domain if compromised credentials or lateral movement occurs.

5. What Microsoft Recommends

Here is the mitigation checklist from Microsoft's guidance:

Use only supported SharePoint versions (2016, 2019, Subscription Edition)

  • SharePoint 2013 and earlier receive no fix and should be migrated or taken off the internet

Apply the July 2025 security updates for your SharePoint version

  • Confirm the installed build includes the fixes for CVE-2025-53770 and CVE-2025-53771, not only the July 8 Patch Tuesday fixes for CVE-2025-49704 and CVE-2025-49706

Enable and configure AMSI (Antimalware Scan Interface)

  • Enable Full Mode
  • Deploy Microsoft Defender Antivirus on every SharePoint server

Rotate ASP.NET MachineKeys

  • Rotate after patching (and after enabling AMSI), because keys stolen before the patch still let an attacker forge valid requests
  • Use PowerShell (the Update-SPMachineKey cmdlet named in Microsoft's guidance) or run the Machine Key Rotation timer job from Central Admin

Restart IIS

  • Run iisreset.exe on every SharePoint server after key rotation

Monitor for known IOCs:

  • File names: spinstall0.aspx, debug_dev.js
  • IPs: 104.238.159.149, 131.226.2.6, 134.199.202.205, 188.130.206.168
  • Treat a hit as a sign the server was reached before patching: updates and key rotation do not remove web shells already on disk

Use Microsoft Sentinel, Defender XDR, or EASM

  • Enable hunting queries
  • Deploy ASIM parsers for IOC mapping
  • Map CVEs in the vulnerability dashboard
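The request pattern described in section 3 and the IOC list in the checklist above can be turned into an offline check of IIS logs. The following Python script is an added example written for this article; it is not Exelegent's tooling and not Microsoft's own hunting queries. It assumes the default IIS W3C log format with the cs-username and cs(Referer) fields enabled, uses the request shape Microsoft's published ToolShell guidance describes (an anonymous POST to ToolPane.aspx in edit mode carrying a Referer of /_layouts/SignOut.aspx), and runs over a constructed sample log; the IP and file-name indicators are the ones listed above.

```python
"""Offline triage of IIS W3C logs for the ToolShell request pattern and the
IOCs listed above. Added example for this article; not Exelegent's tooling."""
import posixpath
from dataclasses import dataclass
from urllib.parse import parse_qs

# Indicators as listed in the advisory summarised on this page.
IOC_IPS = {"104.238.159.149", "131.226.2.6", "134.199.202.205", "188.130.206.168"}
IOC_FILES = {"spinstall0.aspx", "debug_dev.js"}

# Request shape from Microsoft's published ToolShell guidance (assumed here):
# an anonymous POST to ToolPane.aspx in edit mode carrying a Referer of
# /_layouts/SignOut.aspx, which is what trips the spoofing bypass.
TOOLPANE = "toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    severity: str
    client_ip: str
    detail: str


def parse_w3c(text):
    """Yield (line_no, record) per data line, keyed by the #Fields header.
    IIS writes '-' for empty values; keep it so 'no username' stays testable."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError(f"line {line_no}: data before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        yield line_no, dict(zip(fields, values))


def _rules(line_no, rec):
    method = rec.get("cs-method", "-").upper()
    stem = rec.get("cs-uri-stem", "-")
    query = rec.get("cs-uri-query", "-")
    user = rec.get("cs-username", "-")
    client = rec.get("c-ip", "-")
    referer = rec.get("cs(Referer)", "-")
    basename = posixpath.basename(stem).lower()
    modes = [v.lower() for v in parse_qs("" if query == "-" else query).get("DisplayMode", [])]

    # ToolPane.aspx is a legitimate page-editing endpoint for authenticated
    # users; an anonymous POST in edit mode is the exploit shape.
    if method == "POST" and basename == TOOLPANE and user == "-" and "edit" in modes:
        spoofed = referer.lower().endswith(SIGNOUT_REFERER)
        yield Finding(line_no, "toolpane_unauth_post", "high" if spoofed else "medium",
                      client, f"referer={referer} query={query}")
    if basename in IOC_FILES:
        yield Finding(line_no, "ioc_file", "high", client, f"{method} {stem}")
    if client in IOC_IPS:
        yield Finding(line_no, "ioc_ip", "medium", client, f"{method} {stem}")


def scan(text):
    """Return all findings for a W3C log, in file order."""
    return [f for line_no, rec in parse_w3c(text) for f in _rules(line_no, rec)]


def suspect_hosts(findings):
    """Client IPs with at least one high-severity finding, for blocking and triage."""
    return sorted({f.client_ip for f in findings if f.severity == "high"})


# Constructed sample log (not captured from any real server).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-19 08:12:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe "
    "10.0.1.22 Mozilla/5.0 - 200 0 0 120",
    "2025-07-19 08:12:14 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx "
    "443 - 104.238.159.149 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 301",
    "2025-07-19 08:12:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 104.238.159.149 "
    "Mozilla/5.0 - 200 0 0 45",
    "2025-07-19 08:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 "
    "CONTOSO\\designer 10.0.1.40 Mozilla/5.0 https://sp.contoso.local/sites/hr/SitePages/Home.aspx 200 0 0 210",
])

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f"line {f.line_no}: [{f.severity}] {f.rule} from {f.client_ip}: {f.detail}")
    print("suspect hosts:", suspect_hosts(findings))
```

Run it against a copied log with scan(open(path).read()). The authenticated edit-mode POST from the site designer in the sample is deliberately not flagged, because ToolPane.aspx is a normal editing endpoint; if a farm allows anonymous editing, the username check needs tuning. Any hit on the IOC file or IP list means the server was reached before it was patched, so rotate the machine keys and look for web shells rather than stopping at the patch.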

6. What Exelegent Did — Immediately

At Exelegent, we treat these vulnerabilities not as a “patching task,” but as a strategic security event.

Within 24 hours of Microsoft’s advisory, our teams:

  • ✅ Audited every client environment for SharePoint version and exposure
  • ✅ Applied the latest updates for all supported versions
  • ✅ Rotated MachineKeys and restarted IIS
  • ✅ Enabled AMSI in Full Mode with Defender AV
  • ✅ Deployed advanced hunting queries in Microsoft Sentinel
  • ✅ Created custom alert rules for POST traffic to ToolPane.aspx
  • ✅ Cross-referenced IOC lists across Defender, XDR, and Firewall logs
  • ✅ Provided full incident reports and audit summaries to clients

7. TrustElements™: Real-Time Microsoft Security Posture Monitoring

This rapid response is only possible because of TrustElements™ — our proprietary framework for Microsoft account auditing, compliance verification, and exposure tracking.

TrustElements continuously monitors:

  • SharePoint and Exchange version compliance
  • Microsoft Defender AV and Endpoint coverage
  • AMSI configuration and telemetry
  • MachineKey rotation status
  • Real-time CVE exposure for all Microsoft workloads
  • Shadow IT risks (including unlicensed or rogue deployments)

What sets TrustElements apart?

  • 🔄 Live data sync with Microsoft APIs
  • 🧠 Integration with Security Copilot for incident triage
  • 📊 Auto-generated compliance dashboards and reports
  • 🔔 Custom alert rules for high-risk CVEs like ToolShell
  • 👥 M365 licensing governance across departments

Thanks to TrustElements, all Exelegent clients were patched, rotated, and secured before attackers could exploit a single vector.

8. What You Can Do Right Now

If you're unsure about your SharePoint or Microsoft 365 security posture, take action immediately.

We’re offering:

Free SharePoint Vulnerability Risk Check

  • CVE status review (49704, 49706, 53770, 53771)
  • MachineKey rotation audit
  • AMSI/Defender validation

TrustElements Exposure Audit

  • Microsoft 365 + Azure compliance review
  • CVE mapping and patching gaps
  • Endpoint protection and Sentinel readiness

Optional Migration Strategy

  • Assessment of feasibility to move from on-prem SharePoint to Microsoft 365
  • Planning for licensing optimization, records retention, and content security

9. Closing Thoughts

The ToolShell exploit isn’t just a SharePoint issue — it’s a reminder that legacy systems, incomplete patching, and lack of continuous monitoring are major liabilities.

At Exelegent, we don’t just “manage IT.” We defend, monitor, and lead.

We don’t wait for zero-days to go viral — we act before attackers do.

And thanks to TrustElements, our clients don’t just get notifications. They get action.

If you’re unsure where your organization stands, let’s talk.

Cybersecurity isn’t a ticket system. It’s a posture. Let us help you elevate yours.

Contact Us: 36 W Main Street, Suite 300, Freehold, NJ 07728

Exelegent.com

Email: sales@exelegent.com

Phone: 973-732-5230
