[Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads, (Tue, Dec 2nd)
[This is a Guest Diary by James Woodworth, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].
AI Analysis
Technical Summary
The ToolShell exploit chain is a sophisticated attack targeting on-premises Microsoft SharePoint Server versions 2016, 2019, and Subscription editions by leveraging two critical vulnerabilities: CVE-2025-53770 (deserialization vulnerability) and CVE-2025-53771 (authentication bypass). These vulnerabilities allow threat actors to bypass authentication controls and execute arbitrary code by sending specially crafted HTTP POST requests to SharePoint's ToolPane.aspx endpoint. Initially, attackers attempted to upload web shells to the server's file system, but these were easily detected by Endpoint Detection and Response (EDR) solutions. To evade detection, attackers evolved their tactics to deploy in-memory payloads, which execute directly in the server's memory without writing to disk, significantly complicating detection and forensic analysis. The in-memory payloads include malicious .NET Dynamic-link Libraries (DLLs) such as osvmhdfl.dll and jlaneafi.dll, as well as encoded PowerShell commands designed to extract machine keys and system information, which are then exfiltrated via HTTP responses or outbound connections on non-standard ports (e.g., port 40443). Detection and hunting for these payloads require network-level analysis using tools like Zeek Network Security Monitor to identify suspicious HTTP POST requests with specific URL patterns and Referer headers, DaemonLogger to capture relevant PCAP files, and Wireshark for deep packet inspection. The payloads are embedded within HTTP parameters (e.g., MSOtlPn_DWP) as compressed and base64-encoded data structures, necessitating multi-step decoding involving URL decoding, base64 decoding, and decompression to reveal the malicious payload. Additional payloads discovered include security scanner probes and PowerShell commands, indicating active reconnaissance and exploitation attempts. 
While no widespread exploitation has been observed yet, the presence of these advanced in-memory payloads indicates a significant escalation in attacker sophistication and potential risk to vulnerable SharePoint environments.
Potential Impact
European organizations running on-premises Microsoft SharePoint Server 2016, 2019, or Subscription editions are at risk of unauthorized code execution, data exfiltration, and potential compromise of sensitive information if vulnerable to the ToolShell exploit chain. The in-memory execution of payloads bypasses traditional endpoint detection mechanisms, increasing the likelihood of prolonged undetected intrusions. Confidentiality is at high risk due to the extraction of machine keys and system information, which could facilitate further lateral movement or privilege escalation within corporate networks. Integrity may be compromised if attackers manipulate SharePoint content or configurations. Availability impact is medium, as exploitation could disrupt SharePoint services or lead to denial of service through malicious payload execution. The stealthy nature of in-memory payloads complicates incident response and forensic investigations, potentially delaying detection and remediation. Given SharePoint's widespread use in European enterprises for collaboration and document management, successful exploitation could affect critical business operations and regulatory compliance, especially under GDPR requirements for data protection.
Mitigation Recommendations
1. Immediately apply all available security patches and updates from Microsoft addressing CVE-2025-53770 and CVE-2025-53771 to eliminate the underlying vulnerabilities.
2. Implement network-level monitoring using Zeek or similar tools to identify suspicious HTTP POST requests targeting the /_layouts/15/ToolPane.aspx and /_layouts/16/ToolPane.aspx endpoints, especially those with Referer headers indicating SignOut.aspx and non-empty request bodies.
3. Deploy packet capture solutions like DaemonLogger to collect and archive network traffic for retrospective analysis and hunting of in-memory payloads.
4. Use Wireshark or automated scripts to decode suspicious payloads embedded in HTTP parameters by performing URL decoding, base64 decoding, and decompression to identify malicious DLLs or PowerShell commands.
5. Enhance endpoint detection capabilities to include memory analysis and behavior-based detection to identify in-memory execution of malicious code.
6. Restrict and monitor outbound network traffic on unusual ports (e.g., 40443) to detect potential data exfiltration attempts.
7. Conduct regular threat hunting exercises focusing on SharePoint servers, leveraging the described detection methodology to proactively identify compromise.
8. Limit SharePoint server exposure by restricting access to trusted networks and enforcing strict authentication and authorization policies.
9. Maintain comprehensive logging and correlate logs across network and endpoint devices to detect anomalous activities related to SharePoint exploitation.
10. Educate security teams on the evolving ToolShell threat landscape and update incident response playbooks accordingly.
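The following script is an added illustration, not code from the ISC diary or from this page, of the Zeek-style triage criteria described in the technical summary and of the URL-decode, base64-decode, decompress sequence in recommendations 2 and 4. It assumes the compressed blob is gzip or deflate (the page only says "decompression"), and the sample request body, the web-part XML wrapper and the host name are constructed for the demonstration.

```python
import base64
import gzip
import re
import zlib
from urllib.parse import parse_qs, quote

# Triage criteria from the analysis: POST to a ToolPane.aspx endpoint,
# a Referer naming SignOut.aspx, and a non-empty request body.
TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/ToolPane\.aspx", re.IGNORECASE)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def is_toolshell_candidate(method, uri, referer, body_len):
    return (method.upper() == "POST"
            and TOOLPANE_RE.match(uri) is not None
            and "signout.aspx" in (referer or "").lower()
            and body_len > 0)

def decompress_any(blob):
    # Assumption: gzip or deflate (zlib-wrapped or raw); the page only says "decompression".
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            pass
    return None

def extract_dwp_payloads(body):
    """URL-decode the form body, take MSOtlPn_DWP, and for every long base64
    run inside it try base64 decoding followed by decompression."""
    dwp = parse_qs(body, keep_blank_values=True).get("MSOtlPn_DWP", [""])[0]
    found = []
    for run in B64_RUN_RE.findall(dwp):
        run = run.rstrip("=")
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            continue
        out = decompress_any(raw)
        if out is not None:
            found.append(out)
    return found

# Constructed sample body (not captured traffic): web-part XML stand-in carrying a gzip+base64 blob.
SAMPLE_INNER = b"<constructed-payload>stand-in for an in-memory loader</constructed-payload>"
_blob = base64.b64encode(gzip.compress(SAMPLE_INNER)).decode()
SAMPLE_BODY = ("MSOtlPn_Uri=" + quote("http://constructed.example/")
               + "&MSOtlPn_DWP=" + quote("<WebPart><Data>" + _blob + "</Data></WebPart>"))
```

Feed `is_toolshell_candidate` the method, URI, Referer and body length from a Zeek http.log record, and pass the matching request body from the PCAP to `extract_dwp_payloads`; anything it returns is the decoded inner structure to inspect for a DLL or PowerShell command.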
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32524 (fetched 2025-12-01T23:38:12Z, 1239 words)
Threat ID: 692e26e43bec74f1ee0bf6ee
Added to database: 12/1/2025, 11:38:12 PM
Last enriched: 12/9/2025, 12:24:26 AM
Last updated: 1/16/2026, 2:04:51 AM