
[Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads, (Tue, Dec 2nd)

Severity: Medium
Category: Vulnerability
Published: Mon Dec 01 2025 (12/01/2025, 23:27:08 UTC)
Source: SANS ISC Handlers Diary

Description

[This is a Guest Diary by James Woodworth, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

AI-Powered Analysis

Last updated: 12/01/2025, 23:38:28 UTC

Technical Analysis

The ToolShell exploit chain is a sophisticated attack targeting on-premises Microsoft SharePoint Server 2016, 2019, and Subscription Edition by exploiting two critical vulnerabilities: CVE-2025-53770 (a deserialization vulnerability) and CVE-2025-53771 (an authentication bypass). Initially, attackers deployed web shells by uploading malicious files to the SharePoint server's file system, which Endpoint Detection and Response (EDR) tools could detect. To evade detection, attackers evolved their tactics to execute payloads entirely in memory, making traditional file-based detection ineffective.

The in-memory payloads typically consist of malicious .NET Dynamic-link Libraries (DLLs) such as osvmhdfl.dll and jlaneafi.dll, as well as encoded PowerShell commands designed to extract sensitive machine keys and system information. These payloads are delivered via HTTP POST requests to specific SharePoint URLs (e.g., /_layouts/15/ToolPane.aspx) with crafted parameters such as MSOtlPn_DWP that carry compressed and encoded data tables.

Detection and analysis require network traffic inspection: Zeek to identify suspicious POST requests, merging of the PCAP files captured by DaemonLogger, and detailed packet analysis in Wireshark to decode and extract the malicious payloads. Decoding involves URL decoding, base64 decoding, and decompression to reveal the malicious DLLs or PowerShell commands. The decoded PowerShell commands can exfiltrate system information to attacker-controlled servers over non-standard ports.

While no widespread exploitation has been reported, the threat actors' shift to in-memory execution significantly complicates detection and response. The article also references the use of Project Discovery's Nuclei scanner templates to actively identify vulnerable servers. This threat highlights the importance of proactive hunting and monitoring for anomalous HTTP requests and payloads in SharePoint environments. Organizations should also review official advisories and apply patches once available to remediate the underlying vulnerabilities.
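The decoding chain described above (URL decode, base64 decode, decompress, then classify the result as a PE image or text) as an added Python example; this is not code from the diary or from the ISC. It assumes the compression layer is gzip, zlib or raw deflate and uses a constructed, harmless sample value in place of a captured MSOtlPn_DWP parameter.

```python
import base64
import gzip
import zlib
from urllib.parse import quote, unquote

# Constructed stand-in for the kind of text the diary describes; no real
# ToolShell payload is reproduced here.
SAMPLE_COMMAND = 'Write-Output "constructed sample, not a real payload"'


def encode_command(text: str) -> bytes:
    """PowerShell encoded commands are UTF-16LE on the wire."""
    return text.encode("utf-16-le")


def build_sample_parameter(data: bytes) -> str:
    """Constructed MSOtlPn_DWP-style value: gzip, then base64, then URL-encode.
    Treating the compression layer as gzip is an assumption of this example."""
    return quote(base64.b64encode(gzip.compress(data)).decode(), safe="")


def _inflate(blob: bytes) -> bytes:
    """Try the gzip, zlib and raw deflate wrappers in turn."""
    for wbits in (zlib.MAX_WBITS | 16, zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    raise ValueError("payload is not gzip, zlib or raw deflate")


def decode_parameter(value: str) -> tuple[str, bytes]:
    """Reverse the chain (URL-decode, base64-decode, decompress) and classify
    the result: a PE image (MZ header, e.g. a .NET DLL) or text."""
    payload = _inflate(base64.b64decode(unquote(value)))
    kind = "pe-dll" if payload[:2] == b"MZ" else "text"
    return kind, payload


def decoded_text(payload: bytes) -> str:
    """Read text payloads as UTF-16LE when the byte pattern says so, else UTF-8."""
    if len(payload) >= 2 and payload[1] == 0:
        return payload.decode("utf-16-le")
    return payload.decode("utf-8", errors="replace")
```

A "pe-dll" result is what to hand to a .NET decompiler; a "text" result is the encoded PowerShell the diary says carries machine-key extraction and exfiltration logic.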

Potential Impact

For European organizations, the ToolShell exploit chain poses a significant risk to the confidentiality and integrity of sensitive data hosted on on-premises SharePoint servers. Successful exploitation can lead to unauthorized extraction of machine keys and system information, potentially enabling further lateral movement or persistent access within enterprise networks. The in-memory execution of payloads complicates detection by traditional endpoint security solutions, increasing the likelihood of prolonged undetected compromise. This can result in data breaches, intellectual property theft, and disruption of collaboration services critical to business operations. Given SharePoint's widespread use across European public sector, financial institutions, and large enterprises, the impact could be substantial, especially in sectors handling sensitive personal data protected under GDPR. Additionally, the ability of payloads to exfiltrate data over covert channels (e.g., non-standard ports) may bypass network monitoring controls. The threat also raises concerns about supply chain and third-party risks where managed service providers host vulnerable SharePoint instances. While no known widespread exploitation is reported, the medium severity rating reflects the potential for impactful attacks if defenses are not strengthened.

Mitigation Recommendations

1. Immediate deployment of patches and security updates from Microsoft addressing CVE-2025-53770 and CVE-2025-53771 as soon as they become available.
2. Implement network-level monitoring for suspicious HTTP POST requests targeting SharePoint URLs such as /_layouts/15/ToolPane.aspx and /_layouts/16/ToolPane.aspx, focusing on unusual Referer headers and non-empty request bodies.
3. Use Zeek Network Security Monitor to analyze HTTP logs for indicators of ToolShell payloads, employing scripts or tools like zcutter.py to process compressed logs efficiently.
4. Capture and merge PCAP files daily using DaemonLogger and mergecap to facilitate detailed packet inspection with Wireshark, enabling decoding of suspicious payloads.
5. Develop and deploy custom detection signatures or Nuclei scanner templates tailored to identify ToolShell exploit attempts and in-memory payloads.
6. Enhance endpoint detection capabilities to monitor for anomalous in-memory execution of .NET DLLs and PowerShell commands, possibly leveraging behavior-based detection or EDR solutions with memory analysis features.
7. Restrict outbound network traffic from SharePoint servers, especially to uncommon ports like 40443, to limit data exfiltration channels.
8. Conduct regular threat hunting exercises using the described decoding and analysis methodology to proactively identify compromised systems.
9. Harden SharePoint server configurations by disabling unnecessary features and enforcing strict authentication and authorization policies.
10. Educate security teams on the evolving tactics of threat actors using in-memory payloads to improve incident response readiness.
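Recommendations 2 and 3 above (hunt Zeek http.log for POSTs to the ToolPane.aspx paths with a non-empty body and an unusual Referer) as an added Python example; this is not the diary's code or a Zeek script. The log excerpt is constructed, and "unusual Referer" is implemented here with an assumed heuristic: no Referer at all, or one whose host is not the SharePoint host being posted to.

```python
from urllib.parse import urlsplit

TOOLPANE_PATHS = ("/_layouts/15/toolpane.aspx", "/_layouts/16/toolpane.aspx")

# Constructed Zeek http.log excerpt (tab-separated, with Zeek's #fields header);
# hosts, ports, UIDs and timestamps are made up for this example.
SAMPLE_HTTP_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\treferrer\trequest_body_len\tstatus_code",
    "1764631200.1\tC1\t203.0.113.10\t51234\t192.0.2.20\t443\tPOST\tsp.example.test\t/_layouts/15/ToolPane.aspx?DisplayMode=Edit\t-\t7421\t200",
    "1764631201.2\tC2\t198.51.100.7\t40211\t192.0.2.20\t443\tGET\tsp.example.test\t/_layouts/15/ToolPane.aspx\t-\t0\t200",
    "1764631202.3\tC3\t10.0.0.5\t49152\t192.0.2.20\t443\tPOST\tsp.example.test\t/_layouts/15/ToolPane.aspx?DisplayMode=Edit\thttp://sp.example.test/sites/hr/default.aspx\t512\t200",
    "1764631203.4\tC4\t203.0.113.77\t60001\t192.0.2.20\t443\tPOST\tsp.example.test\t/_layouts/16/toolpane.aspx\thttp://203.0.113.77/x\t9000\t200",
    "1764631204.5\tC5\t10.0.0.9\t49300\t192.0.2.20\t443\tPOST\tsp.example.test\t/_layouts/15/upload.aspx\thttp://sp.example.test/sites/hr\t3000\t200",
])


def parse_zeek_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def referer_is_unusual(host, referrer):
    """Assumed heuristic: missing Referer ('-' in Zeek) or an off-host one."""
    if referrer in ("", "-"):
        return True
    return urlsplit(referrer).hostname != host


def hunt_toolpane_posts(text):
    """Return POSTs to ToolPane.aspx that carry a body, tagged with reasons."""
    hits = []
    for rec in parse_zeek_log(text):
        path = rec["uri"].split("?", 1)[0].lower()
        if rec["method"] != "POST" or path not in TOOLPANE_PATHS:
            continue
        body_len = int(rec["request_body_len"]) if rec["request_body_len"].isdigit() else 0
        if body_len == 0:
            continue  # a normal page load, not a delivered parameter
        reasons = ["post-with-body"]
        if referer_is_unusual(rec["host"], rec["referrer"]):
            reasons.append("unusual-referer")
        hits.append({"uid": rec["uid"], "src": rec["id.orig_h"], "uri": rec["uri"],
                     "referrer": rec["referrer"], "body_len": body_len, "reasons": reasons})
    return hits
```

The uid of each hit is what to carry into the merged PCAP in Wireshark (recommendation 4) to pull the request body for decoding.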


Technical Details

Article source: https://isc.sans.edu/diary/rss/32524 (fetched 2025-12-01T23:38:12 UTC, 1239 words)

Threat ID: 692e26e43bec74f1ee0bf6ee

Added to database: 12/1/2025, 11:38:12 PM

Last enriched: 12/1/2025, 11:38:28 PM

Last updated: 12/2/2025, 1:04:27 AM
