Protect SharePoint Servers from ToolShell Exploit Now
August 06, 2025 • César Daniel Barreto
Image credit: Photo by Rebecca Wang / CC BY 4.0
CISA has released a detailed malware analysis report on the tooling used in the actively exploited SharePoint attacks. The “ToolShell” exploit chains CVE-2025-49706 (an authentication bypass that Microsoft classes as a spoofing vulnerability) with CVE-2025-49704 (a code-injection flaw that yields remote code execution) to compromise on-premises SharePoint servers, then drops ASPX web shells and .NET DLLs that steal the server’s cryptographic keys.
The malware arrives as Base64-encoded DLLs that read the ASP.NET machineKey values (the ValidationKey and DecryptionKey) and write them into HTTP response headers, where the attacker collects them. Those keys are what ASP.NET uses to sign and encrypt __VIEWSTATE, so an attacker holding them can craft a signed ViewState payload that the server deserializes and executes, including the PowerShell command execution for data theft that CISA observed. The compromise of the server’s cryptography therefore outlives the initial web shell. CISA analyzed the DLLs, a key stealer and three ASPX web shells, and published IOCs and SIGMA detection rules for security monitoring.
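The key stealer described above leaks machineKey material in HTTP responses, which is something a proxy or packet capture can be checked for while the CISA indicators are being rolled out. The following is an added example, not code from the article or from CISA: it parses raw HTTP responses and flags header or body values that contain key-sized hex runs or the words ValidationKey, DecryptionKey or CompatibilityMode. The header name X-Keys, the hex values and the response samples are constructed for the example and are not ToolShell indicators; the hex lengths are assumptions based on common ASP.NET machineKey sizes.

```python
import re
from typing import Dict, List

# Assumptions for this example: ASP.NET machineKey values are hex strings.
# Typical sizes are 128 hex chars for an HMACSHA256 validationKey and 48 or
# 64 hex chars for an AES-192/AES-256 decryptionKey; 96 covers HMACSHA384
# validation keys. Other lengths are ignored to limit noise.
KEY_HEX_LENGTHS = {48, 64, 96, 128}
HEX_RUN = re.compile(r"\b[0-9A-Fa-f]{48,128}\b")
KEY_NAMES = re.compile(r"(validation|decryption)\s*key|compatibility\s*mode",
                       re.IGNORECASE)


def parse_http_response(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response into lower-cased header name -> values.

    The body is stored under the synthetic key '__body__' so one scan covers
    both locations; a web shell may write stolen keys to either.
    """
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    headers["__body__"] = [body]
    return headers


def find_leaked_keys(raw: str) -> List[dict]:
    """Return one finding per header/body location that looks like key material."""
    findings = []
    for name, values in parse_http_response(raw).items():
        for value in values:
            named = bool(KEY_NAMES.search(f"{name} {value}"))
            hex_runs = [m.group() for m in HEX_RUN.finditer(value)
                        if len(m.group()) in KEY_HEX_LENGTHS]
            if not named and not hex_runs:
                continue
            if named and hex_runs:
                severity = "high"        # key name next to key-sized hex
            elif hex_runs:
                severity = "medium"      # key-sized hex with no label
            else:
                severity = "low"         # label only, e.g. in an error page
            findings.append({
                "location": name,
                "severity": severity,
                "hex_lengths": [len(h) for h in hex_runs],
                "preview": value[:40],
            })
    return findings


# Constructed sample responses. The X-Keys header and the key values are
# invented for this example; they are not ToolShell indicators.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "ETag: \"0123456789abcdef0123456789abcdef\"\r\n"
    "Set-Cookie: ASP.NET_SessionId=qz7x2k9v4m1n8b3h6g5t0r2w; path=/; HttpOnly\r\n"
    "X-SharePointHealthScore: 0\r\n"
    "\r\n"
    "<html><body>Team Site</body></html>"
)

LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Keys: ValidationKey=" + "A1B2C3D4" * 16 +
    ";DecryptionKey=" + "F0E1D2C3" * 8 + ";CompatibilityMode=Framework45\r\n"
    "\r\n"
    "<html><body></body></html>"
)

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(label, find_leaked_keys(resp))
```

The check is a heuristic for traffic review, not a substitute for CISA's SIGMA rules: it will miss keys that a variant encodes or compresses before sending, and a 32-character ETag or a session cookie deliberately falls below the size threshold so ordinary SharePoint responses stay quiet.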
Viettel Cyber Security demonstrated the vulnerabilities at Pwn2Own Berlin in May 2025, and Microsoft patched them in the July 2025 Patch Tuesday release. Attackers nonetheless hit servers that had not yet applied the update, and CISA added three related CVEs to its Known Exploited Vulnerabilities catalog between July 20 and 22, confirming active exploitation in the wild.
Run CISA’s IOCs against your SharePoint servers now and deploy the SIGMA rules. The detection package contains a STIX2 JSON file of IOCs and three YAML files with SIGMA rules. Even with Microsoft’s patches available, assume that some systems remain unpatched or were already compromised: the flaws were demonstrated weeks before the fixes shipped, and exploitation was confirmed in the wild soon after. Patching alone does not undo a compromise either. Because the key stealer exfiltrates the ASP.NET ValidationKey and DecryptionKey, a server that was hit stays exposed to forged ViewState payloads until its machine keys are rotated (Microsoft’s guidance is the Update-SPMachineKey cmdlet followed by an IIS restart) and any web shells are removed.
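Applying the STIX2 IOCs means pulling the file-hash terms out of each indicator’s pattern and comparing them with hashes of what is actually on disk. The following is an added example, not code from the article or from CISA: it parses a STIX bundle of `indicator` objects, builds a digest lookup table that handles patterns carrying more than one hash term, and hashes a set of in-memory files against it. The bundle, file contents and paths are constructed for the example (the digests are computed from the constructed bytes) and are not CISA’s ToolShell indicators.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# STIX comparison expressions for file hashes look like
#   [file:hashes.'SHA-256' = '<hex>']  or  [file:hashes.MD5 = '<hex>']
# (the quotes around the hash name are optional for names without a dash).
HASH_TERM = re.compile(
    r"file:hashes\.'?(SHA-256|SHA-1|MD5)'?\s*=\s*'([0-9A-Fa-f]+)'"
)
ALGOS = {"SHA-256": hashlib.sha256, "SHA-1": hashlib.sha1, "MD5": hashlib.md5}


def indicators_from_bundle(bundle: dict) -> Dict[str, Tuple[str, str]]:
    """Map lower-cased digest -> (algorithm, indicator name) for every
    file-hash term found in the bundle's STIX-pattern indicators."""
    table: Dict[str, Tuple[str, str]] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue                      # e.g. a SIGMA or YARA pattern
        label = obj.get("name") or obj.get("id", "unnamed indicator")
        for algo, digest in HASH_TERM.findall(obj.get("pattern", "")):
            table[digest.lower()] = (algo, label)
    return table


def scan_files(files: Dict[str, bytes],
               indicators: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Hash each file with every algorithm the indicator table uses and
    report matches. `files` maps a path to its bytes so the scan runs
    offline; on a real host the dict would be filled by walking the
    SharePoint TEMPLATE\\LAYOUTS directory and other web-served paths."""
    wanted = {algo for algo, _ in indicators.values()}
    matches = []
    for path, data in files.items():
        for algo in sorted(wanted):
            digest = ALGOS[algo](data).hexdigest()
            if digest in indicators:
                matches.append({"path": path, "algorithm": algo,
                                "indicator": indicators[digest][1]})
    return matches


# Constructed sample data: contents, paths and bundle are invented for this
# example and are not CISA's ToolShell indicators.
SAMPLE_SHELL = b'<%@ Page Language="C#" %><% /* constructed sample shell */ %>'
SAMPLE_DLL = b"MZ\x90\x00constructed sample dll bytes"
BENIGN_PAGE = b'<%@ Page Language="C#" %><!-- ordinary layouts page -->'

SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "constructed web shell",
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '%s']"
                       % hashlib.sha256(SAMPLE_SHELL).hexdigest(),
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "constructed key-stealer dll",
            "pattern_type": "stix",
            # Two hash terms in one pattern, as feeds often ship them.
            "pattern": "[file:hashes.'SHA-256' = '%s' OR file:hashes.MD5 = '%s']"
                       % (hashlib.sha256(SAMPLE_DLL).hexdigest(),
                          hashlib.md5(SAMPLE_DLL).hexdigest()),
        },
    ],
}

SAMPLE_FILES = {                          # constructed paths
    r"LAYOUTS\sample_shell.aspx": SAMPLE_SHELL,
    r"LAYOUTS\default.aspx": BENIGN_PAGE,
    r"Temp\sample.dll": SAMPLE_DLL,
}


def run_scan() -> List[dict]:
    return scan_files(SAMPLE_FILES, indicators_from_bundle(SAMPLE_BUNDLE))


if __name__ == "__main__":
    for m in run_scan():
        print(f"{m['path']}: {m['algorithm']} matches '{m['indicator']}'")
```

A file that matches on two algorithms is reported twice, once per algorithm, which is deliberate: a single-algorithm hit on a feed that ships several digests is worth a second look for a hash collision or a corrupted feed entry. Hash matching only finds the exact samples CISA analyzed; a recompiled web shell needs the SIGMA rules or a content-based check.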
César Daniel Barreto
César Daniel Barreto is an esteemed cybersecurity writer and expert, known for his in-depth knowledge and ability to simplify complex cyber security topics. With extensive experience in network security and data protection, he regularly contributes insightful articles and analysis on the latest cybersecurity trends, educating both professionals and the public.