Microsoft Scrambles to Patch Critical SharePoint Zero-Days Amid Global 'ToolShell' Attack Surge
Share this article
Emergency SharePoint Patches Deployed as Zero-Day Exploits Bypass Earlier Fixes
In a high-stakes response to escalating cyber threats, Microsoft has rushed out-of-band security updates for critical SharePoint vulnerabilities actively weaponized in global attacks. The flaws—tracked as CVE-2025-53770 and CVE-2025-53771—enable remote code execution (RCE) and have been exploited in a campaign dubbed "ToolShell," compromising at least 54 organizations. This development comes just two months after similar vulnerabilities were demonstrated at May's Pwn2Own Berlin hacking contest, underscoring how threat actors rapidly adapted to circumvent Microsoft's initial July Patch Tuesday fixes.
The ToolShell Attack Vector: Bypassing Defenses
The ToolShell exploits manipulate SharePoint's handling of web components to execute arbitrary code on servers. Attackers chain the vulnerabilities to upload malicious files—notably spinstall0.aspx—to the LAYOUTS directory, leveraging paths like _layouts/15/ToolPane.aspx for initial access. Microsoft confirmed the sophistication in its advisory:
"The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706."
This admission reveals a troubling pattern: attackers reverse-engineered prior patches to develop new zero-days, exploiting the narrow window between disclosure and comprehensive remediation.
Critical Remediation Steps for Admins
Microsoft has released patches for SharePoint Subscription Edition (KB5002768) and SharePoint 2019 (KB5002754), but SharePoint 2016 remains vulnerable until updates arrive. Beyond patching, admins must immediately rotate SharePoint machine keys to invalidate compromised credentials. Two methods are available:
1. Via PowerShell:
Update-SPMachineKey
2. Via Central Administration:
- Navigate to Central Administration → Monitoring → Review job definition
- Locate "Machine Key Rotation Job" and select "Run Now"
- Restart IIS on all servers using iisreset.exe
Post-patch, organizations should scour systems for indicators of compromise (IOCs), including:
- File creation: C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
- Suspicious IIS logs: POST requests to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx with a referer of _layouts/SignOut.aspx
Microsoft provides this Defender query for detection:
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
The Bigger Picture: Patch Evasion and Enterprise Risk
This incident exemplifies how enterprise platforms like SharePoint—integral to document management and collaboration—remain prime targets due to their complexity and connectivity. The ToolShell campaign’s success in bypassing recent patches signals a dangerous evolution in exploit development, where attackers treat security updates as blueprints for new attacks. For developers and infrastructure teams, it reinforces non-negotiable practices:
- Zero-trust validation: Treat all patches as interim solutions; assume future bypasses.
- Layered defense: Combine patching with rigorous log analysis and behavioral monitoring.
- Automated rotation: Integrate key rotation into patch deployment workflows to minimize exposure.
As supply chain attacks grow more audacious, the burden falls on admins to transform reactive patching into proactive resilience—because the next zero-day is already in the wild.
Source: BleepingComputer