SharePoint Under Fire: How ToolShell Breaks Microsoft's Most Trusted Platform in 72 Hours
A coordinated cyber campaign has breached Microsoft SharePoint servers worldwide, using a vulnerability chain called “ToolShell” that grants attackers complete system control without requiring any user credentials. The exploitation provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations.
Eye Security, a Dutch cybersecurity firm, documented the worldwide exploitation starting July 18, 2025, marking what researchers call one of the fastest transitions from proof-of-concept to mass exploitation on record.
The attack builds on two vulnerabilities—CVE-2025-49706 and CVE-2025-49704—that CODE WHITE GmbH demonstrated at Pwn2Own Berlin 2025 in May. Microsoft patched both flaws in July, but attackers found ways around the fixes within days.
Threat actors subsequently developed exploits that bypass these patches, leading to two new CVE identifiers: CVE-2025-53770 (CVSS 9.8) and CVE-2025-53771 (CVSS 6.3). These bypasses target the same fundamental weaknesses but sidestep Microsoft’s security improvements.
The timeline reveals the attack’s precision: CODE WHITE published detailed research on July 15, 2025. By July 18—just 72 hours later—attackers had built working exploits and begun systematic strikes against SharePoint installations.
Eye Security tracked the first wave starting at 6:00 PM Central European Time from IP address 107.191.58.76. A second coordinated assault emerged from 104.238.159.149 on July 19 at 7:28 AM CET, indicating a well-orchestrated international campaign.
ToolShell attacks the /layouts/15/ToolPane.aspx endpoint, a SharePoint component that handles administrative panels. Unlike typical web shells that simply run commands, this exploit specifically hunts for cryptographic keys embedded in SharePoint’s configuration.
The attack extracts two critical pieces: ValidationKey and DecryptionKey materials. Think of these as SharePoint’s digital skeleton keys—once stolen, they allow attackers to create perfectly legitimate-looking requests that SharePoint automatically trusts.
“The attacker transforms SharePoint’s inherent trust in its configuration into a powerful weapon,” Eye Security researchers explained in their analysis. Once the ValidationKey is extracted from memory or configuration, attackers can craft fully valid, signed __VIEWSTATE payloads using tools like ysoserial.
This technique mirrors CVE-2021-28474, exploiting SharePoint’s deserialization processes. By possessing the server’s ValidationKey, attackers digitally sign malicious payloads that SharePoint accepts as legitimate input, bypassing all security checks.
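Because the exploit chain begins with requests to the ToolPane.aspx endpoint named above, one practical place for defenders to look is the IIS W3C access log. The following is an added example, not code from Eye Security or the article: it parses a constructed IIS log excerpt and returns POST requests to ToolPane.aspx, marking any whose source address matches the two IPs the article attributes to the first and second waves. The log lines, the internal addresses and the field list are assumptions made up for the demonstration.

```python
"""Hunt IIS W3C logs for POST requests to SharePoint's ToolPane.aspx."""
from typing import Dict, List

# Source addresses the article attributes to the two observed waves.
REPORTED_SOURCE_IPS = {"107.191.58.76", "104.238.159.149"}

# Constructed IIS W3C excerpt (not a real capture). IIS writes '+' for spaces
# inside a field, which is why whitespace splitting is safe here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-18 16:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-18 16:02:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-18 16:03:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-19 05:28:10 10.0.0.5 POST /_layouts/15/toolpane.aspx - 104.238.159.149 python-requests/2.31 200
"""


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Turn IIS W3C extended log text into one dict per request line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the lines that follow
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        records.append(dict(zip(fields, values)))
    return records


def find_toolpane_posts(log_text: str) -> List[Dict[str, object]]:
    """Return POSTs to ToolPane.aspx; known_ioc marks article-reported sources."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "").lower()
        # Match on the file name so the check works whatever the layouts prefix is.
        if rec.get("cs-method") != "POST" or not stem.endswith("/toolpane.aspx"):
            continue
        ip = rec.get("c-ip", "")
        hits.append({"when": f"{rec['date']} {rec['time']}", "source": ip,
                     "known_ioc": ip in REPORTED_SOURCE_IPS})
    return hits


if __name__ == "__main__":
    for hit in find_toolpane_posts(SAMPLE_LOG):
        print(hit)
```

Legitimate administrators also POST to this page, so a hit without a known source address is a lead to correlate with timing, follow-on file writes and outbound traffic, not a verdict on its own.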
Eye Security’s scan of over 1,000 SharePoint servers worldwide revealed dozens of actively compromised systems across multiple organizations. The company immediately contacted affected organizations and national Computer Emergency Response Teams (CERTs) across Europe and internationally.
Sophos MDR has contacted all known victims, but with these vulnerabilities under active exploitation, the race continues between attackers expanding their reach and organizations applying available protections.
The attack’s sophistication lies not in complex code but in understanding SharePoint’s trust relationships. By stealing the cryptographic foundations of that trust, attackers essentially become SharePoint itself—every malicious action appears legitimate to the system’s built-in defenses.
This campaign represents a fundamental shift in how attackers approach enterprise software. Rather than breaking through defenses, ToolShell steals the credentials those defenses use to identify legitimate activity. It’s not picking a lock—it’s copying the master key.
The 72-hour exploitation window demonstrates how rapidly security research transitions to active threats in today’s landscape. What once took months or years now happens in days, compressed by automated exploit development and global coordination among threat actors.
For organizations running SharePoint, this incident reveals a harsh reality: patching is no longer enough when attackers can bypass fixes faster than most companies can deploy them. Defense requires fundamental architectural changes that assume compromise, not just prevention.