On July 18, 2025, Sophos MDR (Managed Detection and Response) analysts observed an influx of malicious activity targeting on-premises SharePoint instances, including malicious PowerShell commands executed across multiple estates. Additional analysis determined these events are likely the result of active, malicious deployment of an exploit leveraging ‘ToolShell.’
We will update this page as events and understanding develop, including our threat and detection guidance.
16:23 UTC 22-07-2025 Update: Information on first known exploitation (“What we’ve seen”) and further details/clarification on attack activity; further details on protections (“What to do”), and the release of a public proof-of-concept (“What’s next”).
ToolShell collectively refers to the chained exploitation of two SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706. The ToolShell exploit was unveiled at the Pwn2Own event in Berlin in May 2025, and Microsoft released patches for both vulnerabilities in its July Patch Tuesday release.
However, threat actors are in fact using ToolShell to exploit a new 0-day vulnerability, leading to the publication of two new CVE-IDs: CVE-2025-53770 and CVE-2025-53771.
Sophos MDR has contacted all known victims, but with these vulnerabilities under active exploitation we urge users to apply the applicable patches to on-premises SharePoint servers (according to Microsoft, SharePoint Online in Microsoft 365 is not impacted) at the earliest opportunity.
What we’ve seen
The malicious PowerShell commands observed by Sophos MDR drop a malicious aspx file at the following paths on an impacted SharePoint server:
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx C:\progra~1\common~1\micros~1\webser~1\16\template\layouts\info3.aspx
In the cases recently observed by Sophos, a webshell was used to target the machines’ cryptographic keys and detected as Troj/WebShel-P when written to disk. Once acquired, these keys can be used by a tool known as SharpViewStateShell for remote code execution. The info3.aspx webshell provides traditional direct capabilities, such as remote command execution and file uploads.
Beginning on July 21, we also observed the variants spinstallp.aspx and spinstallb.aspx, which use a hardcoded XOR key as a password to run Base64-encoded PowerShell commands from a request form field. We expect additional tools and techniques to be leveraged, as additional threat actors attempt to take advantage of the vulnerability.
In some cases, where threat actors’ webshells aren’t detected and they have attempted to access machine keys (ValidationKey and DecryptionKey), the Sophos protection Access_3b is triggered as another layer of behavioral control. In the event the machine keys are compromised, it will be necessary to rotate these keys using the guidance provided by Microsoft.
Digging into our telemetry, we believe that mass exploitation began to occur on July 18, 2025, likely corresponding to automated exploitation attempts. However, Sophos threat researchers noted what appears to be related attack activity against a customer based in the Middle East over 24 hours earlier, on July 17 at around 0820 UTC. The activity we observed was indicative of a threat actor attempting to run discovery commands on an exploited server, which our behavioral protection blocked.
The command executed was:
cmd.exe /c whoami > c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\a.txt
This aligns with reporting from SentinelOne (same command and folder, albeit a different filename), although we should note that we don’t currently have evidence to confirm that the machine was exploited through the specific vulnerabilities mentioned here. While we’re not claiming that this was the first exploitation (we are conducting further investigations into this, as no doubt are other researchers), July 17 is also consistent with SentinelOne’s findings.
More broadly to date, Sophos has observed 84 unique customer organizations being targeted, across 21 countries and in every geographical region. The sectors involved are also widely distributed, with the heaviest concentrations in education, government, services, and transportation respectively.
What to do
Customers running on-premises SharePoint instances are advised to apply the official patches from Microsoft and follow the supplied recommendations for mitigation. Users unable to patch for whatever reason should consider taking instances offline temporarily.
Patches for SharePoint Enterprise Server 2016 and SharePoint Server 2019 are now available as of 21 July.
Additionally, we recommend that users check for the existence of the files we mentioned above, and if present, remove them. Users should be advised that there may be additional variations that Sophos has not yet observed; this list should not be treated as complete.
Sophos has the following protections available:
- Access_3b: A behavioural rule that protects against attacks exploiting public-facing servers
- Persist_26c: A behavioral rule that protects against lolbin execution via webshells written to disk
- Troj/Webshel-P: Protects against the common ASP webshells seen deployed in attacks against vulnerable SharePoint installations
- Troj/ASPDmp-A: Protects against ASP that extracts and dumps machine keys
- AMSI/ASPDmp-A: As part of AMSI Protection, AMSI/ASPDmp-A blocks attempts to drop malicious aspx files
What next
Sophos MDR will continue to actively monitor for signs of post-exploitation activity linked to this vulnerability. It’s worth noting that there is now a public proof-of-concept exploit, so we may see new variants of this attack in the coming days and weeks. We will publish updates on this page as further relevant information becomes available.
