ToolShell: Uncovering Five Critical Vulnerabilities in Microsoft SharePoint
Security researchers from Kaspersky have detailed a sophisticated exploit chain dubbed “ToolShell,” actively targeting on-premise Microsoft SharePoint servers worldwide.
The campaign, now in widespread exploitation, leverages an unauthenticated remote code execution (RCE) chain involving CVE-2025-49704 and CVE-2025-49706, which lets attackers seize full control of vulnerable servers.
Alerts from various security firms and national CERTs highlight attacks spanning Egypt, Jordan, Russia, Vietnam, and Zambia, impacting sectors including government, finance, manufacturing, forestry, and agriculture.
Kaspersky’s proactive detection mechanisms blocked these intrusions, providing telemetry that maps the campaign’s global footprint.
Analysis of a publicly available POST request dump confirmed it delivers a malicious payload to the “/_layouts/15/ToolPane.aspx” endpoint, embedding parameters “MSOtlPn_Uri” and “MSOtlPn_DWP” that trigger deserialization flaws without authentication.
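An added triage example, not code from Kaspersky or gbhackers: it walks IIS W3C access log lines and flags POST requests to the ToolPane.aspx endpoint named above, noting whether IIS recorded an authenticated user, since the article states the flaws fire without authentication. The log lines are constructed; the MSOtlPn_* parameters travel in the POST body, which default IIS logging does not record, so a hit is a lead for review (ToolPane.aspx also has legitimate editing uses), not a confirmed compromise.

```python
# Hunt IIS W3C access logs for POST requests to the SharePoint ToolPane.aspx endpoint.
import re
from typing import Iterable

# Endpoint named in the article; IIS paths are case-insensitive, so match that way.
TOOLPANE_RE = re.compile(r"^/_layouts/15/toolpane\.aspx$", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> list[dict]:
    """Parse IIS W3C extended log lines into dicts keyed by the names in '#Fields:'."""
    fields: list[str] = []
    records: list[dict] = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file; honour each directive
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if len(values) != len(fields):
            continue                        # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_toolpane_posts(lines: Iterable[str]) -> list[dict]:
    """Return one summary dict per POST to ToolPane.aspx; 'anonymous' means IIS logged no user."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if not TOOLPANE_RE.match(rec.get("cs-uri-stem", "")):
            continue
        user = rec.get("cs-username", "-")
        hits.append({
            "time": f'{rec.get("date", "")} {rec.get("time", "")}',
            "client": rec.get("c-ip", "-"),
            "user": user,
            "anonymous": user == "-",       # '-' is how IIS records an unauthenticated request
            "status": rec.get("sc-status", "-"),
            "user_agent": rec.get("cs(User-Agent)", "-"),
        })
    return hits


# Constructed sample log (not real telemetry). IIS writes spaces inside fields as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-19 10:01:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 python-requests/2.32.0 200
2025-07-19 10:02:11 10.0.0.5 POST /_layouts/15/Upload.aspx - 443 CORP\\bob 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 302""".splitlines()

if __name__ == "__main__":
    for hit in find_toolpane_posts(SAMPLE_LOG):
        print(hit)
```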

Authentication Bypass
At the core of ToolShell is CVE-2025-49706, a spoofing vulnerability in the PostAuthenticateRequestHandler method of Microsoft.SharePoint.dll, exploiting IIS integrated ...
Copyright of this story solely belongs to gbhackers.