
How SharePoint Cryptographic Key Theft Enabled Unauthenticated Server Takeover at Scale

A devastating vulnerability chain targeting Microsoft SharePoint servers has swept across the global enterprise landscape, compromising more than 400 systems in a matter of hours. The exploit, dubbed “ToolShell,” combines two critical security flaws — CVE-2025-49706 and CVE-2025-49704 — to steal server cryptographic keys and achieve unauthenticated remote code execution on unpatched SharePoint servers worldwide.

Eye Security, a Dutch cybersecurity firm, first identified the mass exploitation on the evening of July 18, 2025, around 18:06 UTC. The speed and scale of the attack startled researchers, who noted one of the most rapid transitions from proof-of-concept to mass exploitation in recent memory. Bitcoin was trading at $118,003 at the time, and the broader crypto market — including Ethereum at $3,549 — remained largely unaffected, as the attack targeted traditional enterprise infrastructure rather than blockchain networks.

The Exploit Mechanics

The ToolShell chain leverages two distinct vulnerabilities working in tandem. CVE-2025-49706 is an authentication bypass (Microsoft classifies it as a spoofing flaw) that lets an unauthenticated request reach a privileged page; CVE-2025-49704 is an unsafe deserialization flaw reachable from that page, which yields remote code execution. Together, they allow an attacker to gain complete control of a SharePoint server without any valid credentials.

The attack targets the /_layouts/15/ToolPane.aspx endpoint, the web part tool pane used to edit page components. Unlike a conventional web shell written to run arbitrary commands, the payload observed in the ToolShell campaign was a small ASPX page dropped into the server's LAYOUTS directory whose only job is to read the ASP.NET MachineKey configuration and return the server's ValidationKey and DecryptionKey to the attacker. “This wasn’t your typical webshell,” explained Eye Security researchers. “The attacker turns SharePoint’s inherent trust in its own configuration into a powerful weapon.”

Once these cryptographic secrets are obtained, attackers can craft valid __VIEWSTATE payloads to achieve full remote code execution without the web shell at all. The ValidationKey is the HMAC key ASP.NET uses to protect ViewState integrity, so an attacker who holds it can compute a correct MAC over a malicious serialized object (for example a gadget chain generated with ysoserial.net). The server treats the forged ViewState as state it produced itself and deserializes it, which is the code execution sink. Because the keys live in configuration rather than in the patched binaries, this capability survives patching until the keys are rotated, and a server with no web shell left on disk can still be fully compromised.
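The trust relationship described above, as an added example that is not part of the original article and not Microsoft's or Eye Security's code. It is a deliberately simplified model of ASP.NET ViewState integrity: the real framework derives per-purpose keys from the ValidationKey and uses its own serializer, but the property that matters is the same. An attacker without the key cannot produce an accepted ViewState, an attacker holding the stolen ValidationKey can, and rotating the key invalidates anything minted with the old one. The `MachineKey` class, `mint_viewstate` and `verify_viewstate` are illustrative names, not framework APIs.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = 32  # HMAC-SHA256 digest length appended to the serialized state


class MachineKey:
    """Illustrative stand-in for the ASP.NET <machineKey> ValidationKey.

    ASP.NET also has a DecryptionKey; integrity (the MAC) is what gates
    deserialization, so this model only tracks the MAC key.
    """

    def __init__(self, validation_key: Optional[bytes] = None) -> None:
        self.validation_key = validation_key or secrets.token_bytes(64)

    def rotate(self) -> None:
        # Equivalent in effect to rotating machine keys after an incident:
        # every ViewState minted under the old key stops verifying.
        self.validation_key = secrets.token_bytes(64)


def mint_viewstate(key: MachineKey, state: bytes) -> str:
    """Server-side: serialized state || HMAC(ValidationKey, state), base64'd."""
    mac = hmac.new(key.validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + mac).decode()


def verify_viewstate(key: MachineKey, viewstate_b64: str) -> Optional[bytes]:
    """Server-side: return the state if the MAC checks out, else None.

    In real ASP.NET the returned bytes would go straight into
    ObjectStateFormatter/LosFormatter deserialization, so a valid MAC over
    attacker-chosen bytes is exactly the RCE condition ToolShell sets up.
    """
    raw = base64.b64decode(viewstate_b64)
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key.validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return state


# Constructed placeholder for a serialized gadget chain (not a real payload).
MALICIOUS_STATE = b"<serialized gadget chain>"


def attacker_without_key(server: MachineKey) -> bool:
    """Attacker guesses a key: the forged ViewState must be rejected."""
    forged = mint_viewstate(MachineKey(), MALICIOUS_STATE)
    return verify_viewstate(server, forged) is not None


def attacker_with_stolen_key(server: MachineKey) -> bool:
    """Attacker holds the leaked ValidationKey: the forgery is accepted."""
    stolen = MachineKey(server.validation_key)
    forged = mint_viewstate(stolen, MALICIOUS_STATE)
    return verify_viewstate(server, forged) is not None


def demo() -> Dict[str, bool]:
    server = MachineKey()
    results = {
        "forgery_without_key_accepted": attacker_without_key(server),
        "forgery_with_stolen_key_accepted": attacker_with_stolen_key(server),
    }
    # Attacker minted a payload with the stolen key, then the defender rotated.
    forged = mint_viewstate(MachineKey(server.validation_key), MALICIOUS_STATE)
    server.rotate()
    results["stolen_key_forgery_accepted_after_rotation"] = (
        verify_viewstate(server, forged) is not None
    )
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Patching the deserialization and auth-bypass bugs changes nothing in this model: as long as the old ValidationKey is still in the config, the second function keeps returning `True`. Only `rotate()` turns the third result to `False`, which is why key rotation is part of the remediation rather than an optional hardening step.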

Affected Systems

Eye Security scanned over 23,000 SharePoint servers worldwide following their discovery. The results were alarming: more than 400 systems were confirmed compromised across four distinct waves of attack. The initial testing wave began on July 17 at 12:51 UTC from IP address 96.9.125.147, followed by a widely successful first wave on July 18 at 18:06 UTC from 107.191.58.76. A second wave struck on July 19 at 07:28 UTC from 104.238.159.149, with multiple additional waves continuing from July 21 onward.

Perhaps more concerning is the finding that over 8,000 SharePoint servers remain exposed online, creating a vast attack surface for continued exploitation. The vulnerability chain was originally demonstrated at Pwn2Own Berlin in May 2025 by a researcher from Viettel Cyber Security; CODE WHITE GmbH, a German offensive security firm, publicly reproduced the chain in mid-July, days before mass exploitation began. Microsoft released patches on July 8, 2025, but the patching lag left thousands of systems vulnerable.

The Mitigation Strategy

Organizations running on-premise SharePoint servers must take immediate action. The primary mitigation involves applying Microsoft’s security patches released on July 8 and the out-of-band updates Microsoft began publishing on July 19 for the bypass variants tracked as CVE-2025-53770 and CVE-2025-53771; the July 8 patches alone do not stop the variant used in the wild. However, researchers emphasize that patching alone is insufficient if an attacker has already established persistence or already holds the server’s machine keys.

Security teams should conduct thorough compromise assessments: examine IIS logs for POST requests to the ToolPane.aspx endpoint (in the observed attacks these carried a Referer of /_layouts/SignOut.aspx, the trick behind the authentication bypass), look for unexpected __VIEWSTATE payloads, and check the LAYOUTS directory and other web directories for newly created files such as the spinstall0.aspx key-extraction page. Organizations must also rotate the ASP.NET machine keys on affected servers, because patching does not change them: anyone who already captured the ValidationKey and DecryptionKey can keep forging ViewState against a fully patched server. Microsoft’s guidance for this incident rotates them with the Set-SPMachineKey and Update-SPMachineKey PowerShell cmdlets followed by an IIS restart.
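A minimal hunt over IIS W3C logs for the indicators named above, as an added example rather than tooling from Eye Security or Microsoft. The log lines are constructed for this example and are not real traffic; the three source addresses come from the attack waves described in this article, and the ToolPane.aspx/SignOut.aspx Referer pattern and the spinstall0.aspx file name come from the public reporting on this campaign. The field order is taken from the `#Fields:` header, as real IIS logs declare it, so the parser is not tied to one log profile. Function names (`parse_iis`, `classify`, `hunt`) are this example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample IIS W3C log (not real data). Legitimate admin use of
# ToolPane.aspx from an internal page is included to show it is not flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 18:06:12 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 18:06:15 GET /_layouts/15/spinstall0.aspx - 107.191.58.76 Mozilla/5.0 - 200
2025-07-18 09:12:01 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.24 Mozilla/5.0 https://intranet.example/sites/hr/default.aspx 200
2025-07-18 09:30:44 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 10.0.0.31 Mozilla/5.0 https://intranet.example/sites/hr 200
2025-07-19 07:28:03 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 104.238.159.149 Mozilla/5.0 /_layouts/SignOut.aspx 200
"""

# Source addresses of the waves reported in the article. Treat as a starting
# point only: later waves used other infrastructure.
WAVE_SOURCE_IPS = {"96.9.125.147", "107.191.58.76", "104.238.159.149"}

Row = Dict[str, str]
Finding = Tuple[str, str, str, List[str]]


def parse_iis(log: str) -> List[Row]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Row] = []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or multi-space field; skip rather than misalign
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row: Row) -> List[str]:
    """Return the indicator tags that match one request, empty if none."""
    tags: List[str] = []
    stem = row.get("cs-uri-stem", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    if stem.endswith("/toolpane.aspx") and row.get("cs-method") == "POST" \
            and referer.endswith("/_layouts/signout.aspx"):
        # Unauthenticated POST to the tool pane with the SignOut referer:
        # the CVE-2025-49706 bypass pattern seen in the wild.
        tags.append("toolpane_signout_referer")
    if stem.endswith("/spinstall0.aspx"):
        # Request for the dropped key-extraction page.
        tags.append("spinstall0_webshell")
    if row.get("c-ip") in WAVE_SOURCE_IPS:
        tags.append("known_wave_ip")
    return tags


def hunt(log: str) -> List[Finding]:
    """Return (timestamp, client ip, uri, tags) for every suspicious request."""
    findings: List[Finding] = []
    for row in parse_iis(log):
        tags = classify(row)
        if tags:
            findings.append((f"{row['date']} {row['time']}", row["c-ip"],
                             row["cs-uri-stem"], tags))
    return findings


if __name__ == "__main__":
    for ts, ip, uri, tags in hunt(SAMPLE_LOG):
        print(ts, ip, uri, ",".join(tags))
```

A hit on `toolpane_signout_referer` alone is enough to escalate: no legitimate client edits a web part page while claiming to come from the sign-out page. Absence of hits is weaker evidence, since the ViewState-forgery stage needs neither the SignOut referer nor the spinstall0.aspx file once the keys are out.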

Lessons Learned

The ToolShell incident underscores several critical cybersecurity lessons. First, the roughly 72-hour window between the chain being publicly reproduced and mass exploitation demonstrates that threat actors are operating at unprecedented speed; organizations can no longer afford weeks-long patching cycles. Second, the attack highlights the risks of leaving enterprise collaboration platforms exposed to the internet without additional protective layers. Third, the incident shows that a patch fixes code but not secrets: long-lived signing keys sitting in application configuration are a systemic weakness that extends beyond blockchain ecosystems into enterprise infrastructure.

User Action Required

If your organization runs Microsoft SharePoint Server on-premise, take these steps immediately: apply all available security patches, including the out-of-band updates for the bypass variants; conduct a compromise assessment using the indicators of compromise published by Eye Security and Microsoft; rotate the ASP.NET machine keys and restart IIS; and consider placing SharePoint behind a web application firewall with monitoring rules for POST requests to the ToolPane.aspx endpoint. Do not assume that patching alone resolves the issue: if an attacker has already established a backdoor or already holds your machine keys, the patch does not remove their access.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.


8 thoughts on “How SharePoint Cryptographic Key Theft Enabled Unauthenticated Server Takeover at Scale”

  1. This is the kind of content that keeps me coming back. Thoughtful analysis without the hype is rare in crypto media.

  2. gas_optimized.eth

    The infrastructure being built now will look obvious in hindsight. We are still early despite what the price charts suggest.

  3. vitalik_fan.eth

    Every cycle the same pattern repeats: build during the bear, ship during the bull, get criticized during the next bear for not building enough.

  4. BlockWatcher_Alex

    This is a brutal reminder of why key management is the foundation of all security. If you can’t protect the root of trust, everything else is just theater. It’s wild that SharePoint allowed for unauthenticated takeover like this, and it really highlights why we need more robust, hardware-based security standards across the board.

  5. Sarah Jenkins

    Centralized tech continues to be a house of cards. This SharePoint exploit is exactly why decentralization isn’t just a meme—it’s a security necessity. When one stolen key gives you the keys to the kingdom, the system is fundamentally broken. Great write-up on a very scary vulnerability, definitely sharing this with my team.

    1. sharepoint_ghost

      ToolShell extracting ValidationKey and DecryptionKey instead of just running commands. These attackers were thinking long term.

  6. ZeroTrustHero

    Imagine trusting your enterprise data to a system where a single cryptographic failure leads to a total server takeover. This is why I’m so bullish on ZK-proofs and decentralized identity. We need systems where trust is mathematically verified, not just assumed because it’s a ‘trusted’ vendor like Microsoft. Absolute madness.
