
CISA Warns of ‘ToolShell’ Exploitation Chain Targeting SharePoint Servers; IOCs and Detections Released


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding an exploitation chain dubbed “ToolShell” targeting on-premises Microsoft SharePoint servers.

It leverages multiple vulnerabilities including CVE-2025-49704 (a remote code execution flaw via code injection, CWE-94), CVE-2025-49706 (improper authentication through network spoofing, CWE-287), CVE-2025-53770 (deserialization of untrusted data, CWE-502), and CVE-2025-53771 (another improper authentication issue, CWE-287).

According to the analysis, threat actors chain CVE-2025-49706 with CVE-2025-49704 to gain unauthorized access, while CVE-2025-53770 and CVE-2025-53771 enable bypassing prior mitigations, potentially allowing stealthy persistence.

CISA’s Malware Analysis Report (MAR-251132.c1.v1) details six submitted files (two Base64-encoded .NET DLLs and four ASPX files) used in these attacks, emphasizing the extraction of cryptographic secrets such as machine keys from ASP.NET configurations, which are then added to HTTP response headers for exfiltration.
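Because the report describes machine keys being smuggled out inside HTTP response headers, a defender can scan captured responses from SharePoint hosts for header values that look like ASP.NET machineKey material. The following is an added example, not code from CISA or gbhackers; the header name `X-Placeholder-Leak`, the sample response, the hex-length heuristics and the allowlist are all assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple

# Heuristics (assumptions, not taken from the CISA report): ASP.NET machineKey
# material is long hex; 64 hex chars is a 32-byte AES decryptionKey and 128 hex
# chars is the validationKey length IIS generates. Normal headers rarely carry these.
HEX_BLOB = re.compile(r"\b[0-9A-Fa-f]{64,}\b")
KEY_ATTR = re.compile(r"(validation|decryption)key", re.IGNORECASE)
# Headers that legitimately hold long opaque tokens; skipped to limit false positives.
ALLOWLIST = {"set-cookie", "etag", "x-ms-request-id"}


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Split the header block of a raw HTTP response into a lower-cased name->value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_leaked_keys(raw: str) -> List[Tuple[str, str]]:
    """Return (header, reason) pairs for headers whose values resemble machineKey data."""
    findings: List[Tuple[str, str]] = []
    for name, value in parse_response_headers(raw).items():
        if name in ALLOWLIST:
            continue
        if KEY_ATTR.search(value):
            findings.append((name, "machineKey attribute name present in value"))
        for blob in HEX_BLOB.findall(value):
            findings.append((name, f"{len(blob)}-character hex blob"))
    return findings


# Constructed sample response; X-Placeholder-Leak is a stand-in header name, not
# the real header used by the ToolShell webshells.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "ETag: \"" + "a" * 64 + "\"\r\n"
    "X-Placeholder-Leak: validationKey=" + "AB" * 64 + ";decryptionKey=" + "cd" * 32 + "\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for header, reason in find_leaked_keys(SAMPLE_RESPONSE):
        print(f"ALERT header={header}: {reason}")
```

In practice the same check can run over a proxy or IIS response-capture feed; an allowlist hit on ETag shows why opaque-token headers need to be excluded before alerting.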

This chain, linked to actors such as Linen Typhoon, Violet Typhoon, and Storm-2603, facilitates webshell deployment, command execution, and ...


Copyright of this story solely belongs to gbhackers.