Defending Against ToolShell: SharePoint’s Latest Critical Vulnerability

A new, critical zero-day vulnerability dubbed “ToolShell” (CVE-2025-53770) poses a significant threat to on-premises SharePoint Server deployments. This vulnerability enables unauthenticated remote code execution (RCE), putting organizations worldwide at significant risk. SentinelOne has detected exploitation in the wild, which heightens the threat posed by this new attack and the urgency for organizations to take mitigative action as soon as possible.

In this blog, we outline ways to defend against ToolShell and how SentinelOne keeps you ahead of the curve for this critical vulnerability. For a comprehensive technical breakdown of this threat, we published a detailed analysis on the SentinelLABS blog.

What is ToolShell?

ToolShell is a critical zero-day remote code execution vulnerability impacting on-premises SharePoint Servers. Its severity stems from several key characteristics:

  • Zero-Day Status: It was previously unknown and unpatched, leaving organizations exposed before official fixes were available.
  • High CVSS Score (9.8): This indicates near-maximum severity, signifying a critical vulnerability with a high impact.
  • No Authentication Required: Attackers can exploit ToolShell without needing valid credentials, making it incredibly easy to compromise vulnerable systems.
  • Remote Code Execution (RCE): Successful exploitation grants attackers the ability to execute arbitrary code on the compromised SharePoint Server, potentially leading to full system control, data exfiltration, or further lateral movement across the network.
  • In-the-Wild Exploitation: Threat actors are already actively leveraging this vulnerability, highlighting the immediate and tangible danger it poses.

SentinelOne’s Defense Against ToolShell

At SentinelOne, our commitment to proactive security means we are constantly working to identify and neutralize emerging threats, such as ToolShell, often before they become widespread news. SentinelOne was aware of ToolShell and working to defend our customers against it two days prior to the public announcement of the vulnerability. This integrated approach ensures that SentinelOne customers are protected from the outset:

  • SentinelOne’s Identification and Breakdown of the Vulnerability: Our world-class threat research team, SentinelLABS, along with our MDR team, swiftly identified and performed an in-depth technical analysis of the ToolShell vulnerability. This early insight is critical for developing effective countermeasures.
  • Out-of-the-Box Detection Logic for SentinelOne Customers: Based on the detailed analysis from SentinelLABS, our engineering teams rapidly developed and implemented robust, out-of-the-box detection logic directly into the SentinelOne platform. This means that SentinelOne customers automatically received protection against ToolShell.
  • Seamless IOC Integration: The IOCs identified by SentinelLABS are automatically integrated into the SentinelOne platform, enhancing its ability to detect and prevent ToolShell-related activity across all monitored endpoints.
  • Hunting Queries for Singularity Platform Users: For security teams leveraging the SentinelOne Singularity Platform, we have made specific hunting queries available below, as well as in our technical breakdown of this vulnerability. These queries empower security analysts to proactively search for any signs of ToolShell activity within their environments, ensuring comprehensive visibility and enabling rapid response.
  • Proactive Detection Through Singularity Vulnerability Management: SentinelOne customers who use Singularity Vulnerability Management can also detect instances of ToolShell within their environment, enabling teams to identify and mitigate the vulnerability before it is exploited during an active attack.

How to Defend Against ToolShell

Given the critical nature of ToolShell, we strongly recommend that organizations implement a multi-layered defense strategy. Proactive measures are crucial to mitigate the risk of compromise:

Immediate Mitigation & Patching:

  • Isolate SharePoint instances from public availability: Whenever possible, restrict access to on-premises SharePoint Servers from the public internet. This significantly reduces your attack surface.
  • Enable Antimalware Scan Interface (AMSI) in Full Mode: The Antimalware Scan Interface (AMSI) is an interface standard that enables SharePoint to integrate with your endpoint protection solution’s scanning capabilities. While AMSI was enabled by default in the September 2023 SharePoint update, organizations that do not have this capability configured should enable the integration as soon as possible.
  • Apply available patches immediately: Microsoft has released security updates to address ToolShell for SharePoint Server Subscription Edition and SharePoint Server 2019. Organizations should prioritize and deploy these patches as soon as possible.

Enhanced Detection and Monitoring:

  • Integrate Indicators of Compromise (IOCs): SentinelLABS has provided specific IOCs related to the ToolShell exploitation, as detailed below and in SentinelOne’s technical breakdown. These should be promptly added to your EDR/XDR and SIEM toolsets to detect potential exploitation in your environment. SentinelOne customers are encouraged to enable the platform detection rules for ToolShell that have already been added to your Platform Detection Library.
  • Monitor for Suspicious SharePoint Behavior: Deploy custom detection rules to monitor key SharePoint directories, specifically the `LAYOUTS` directory, to detect the presence of exploitation and the subsequent web shell. For SentinelOne users, relevant rules are provided in the Platform Detection Library.
  • Retroactive Threat Hunting: If you are currently running on-premises SharePoint Server, retroactive threat hunting for ToolShell exploitation is highly recommended.

Conclusion

ToolShell represents a significant vulnerability that leaves many organizations running on-premises SharePoint Server at considerable risk. The potential for unauthenticated remote code execution, coupled with observed in-the-wild exploitation, underscores the urgent need for organizations to take decisive action to maintain their security posture. This includes diligently applying patches, implementing robust monitoring, and leveraging advanced threat detection capabilities to mitigate the risk.

For SentinelOne customers, you can rest assured that you are protected. Our dedicated threat research and MDR teams work tirelessly to stay one step ahead of adversaries, ensuring that our platform provides immediate and effective defense against emerging threats, such as ToolShell. Our proactive identification, rapid deployment of detection logic, and continuous sharing of intelligence empower our customers to maintain a resilient security posture.

Contact SentinelOne today to learn how our AI-powered security platform can provide the comprehensive protection and peace of mind your organization deserves. Don’t wait for the next zero-day; secure your future today.

Indicators of Compromise

SHA-1

f5b60a8ead96703080e73a1f79c3e70ff44df271 – spinstall0.aspx webshell
fe3a3042890c1f11361368aeb2cc12647a6fdae1 – xxx.aspx webshell
76746b48a78a3828b64924f4aedca2e4c49b6735 – App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll, a compiled version of spinstall0.aspx

IP Addresses

96.9.125[.]147 – attacker IP from “no shell” cluster
107.191.58[.]76 – attacker IP used in 1st wave of spinstall0.aspx cluster
104.238.159[.]149 – attacker IP used in 2nd wave of spinstall0.aspx cluster

New SentinelOne Platform Detection Rules

  • Web Shell Creation in LAYOUTS Directory
  • Web Shell File Detected in LAYOUTS Directory
  • Suspicious Process Spawned by SharePoint IIS Worker Process

SentinelOne Platform Hunting Queries

//Suspicious SharePoint Activity

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.parent.name contains "svchost.exe" and src.process.name contains "w3wp.exe" and tgt.process.name contains "cmd.exe" and src.process.cmdline contains "SharePoint"

//spinstall0.aspx execution traces

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.name contains "csc.exe" and tgt.file.path contains "App_Web_spinstall0.aspx"
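As an added example (not SentinelOne code or part of the original post), the following Python script applies the logic of the two hunting queries above to process-creation events, and implements the LAYOUTS directory web shell check recommended earlier using the SHA-1 hashes from the IoC section. The event field names, the LAYOUTS path fragment and the sample telemetry are constructed for illustration; map them to your own EDR or SIEM export.

```python
# SHA-1 hashes from the Indicators of Compromise section of this post.
TOOLSHELL_SHA1 = {
    "f5b60a8ead96703080e73a1f79c3e70ff44df271": "spinstall0.aspx webshell",
    "fe3a3042890c1f11361368aeb2cc12647a6fdae1": "xxx.aspx webshell",
    "76746b48a78a3828b64924f4aedca2e4c49b6735": "App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll",
}
# Path fragment that identifies the SharePoint LAYOUTS directory (assumed; adjust to your install root).
LAYOUTS_MARKER = "\\template\\layouts\\"

def match_process_event(ev):
    """Apply the two hunting queries above to one process-creation event (field names are constructed)."""
    if ev.get("event_type") != "Process Creation" or ev.get("os") != "windows":
        return None
    f = lambda key: ev.get(key, "").lower()  # case-insensitive 'contains', like the queries
    # Query 1: svchost.exe -> w3wp.exe running a SharePoint app pool -> cmd.exe
    if ("svchost.exe" in f("parent_name") and "w3wp.exe" in f("src_name")
            and "cmd.exe" in f("tgt_name") and "sharepoint" in f("src_cmdline")):
        return "Suspicious Process Spawned by SharePoint IIS Worker Process"
    # Query 2: csc.exe compiling the dropped spinstall0.aspx page into an App_Web_*.dll
    if "csc.exe" in f("src_name") and "app_web_spinstall0.aspx" in f("tgt_file_path"):
        return "spinstall0.aspx execution traces"
    return None

def scan_events(events):
    """Return (index, rule) pairs for every event that matches a hunting query."""
    return [(i, r) for i, ev in enumerate(events) if (r := match_process_event(ev))]

def match_layouts_file(path, sha1_hex):
    """Flag a file written under LAYOUTS: known ToolShell hash first, otherwise any new .aspx page."""
    lower = path.lower()
    if LAYOUTS_MARKER not in lower:
        return None
    if sha1_hex.lower() in TOOLSHELL_SHA1:
        return "Web Shell File Detected in LAYOUTS Directory: " + TOOLSHELL_SHA1[sha1_hex.lower()]
    if lower.endswith(".aspx"):
        return "Web Shell Creation in LAYOUTS Directory (unknown .aspx, review manually)"
    return None

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"event_type": "Process Creation", "os": "windows", "parent_name": "svchost.exe", "src_name": "w3wp.exe",
     "src_cmdline": 'w3wp.exe -ap "SharePoint - 80"', "tgt_name": "cmd.exe"},
    {"event_type": "Process Creation", "os": "windows", "parent_name": "w3wp.exe", "src_name": "csc.exe",
     "tgt_name": "cvtres.exe", "tgt_file_path": r"C:\CONSTRUCTED\App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll"},
    {"event_type": "Process Creation", "os": "windows", "parent_name": "explorer.exe", "src_name": "cmd.exe",
     "src_cmdline": "cmd.exe /c dir", "tgt_name": "notepad.exe"},
]
if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS), match_layouts_file(r"C:\site\TEMPLATE\LAYOUTS\spinstall0.aspx", next(iter(TOOLSHELL_SHA1))))
```

The first two sample events match the two queries and the third, benign one does not; in production, feed the hash check from a file-creation event on the LAYOUTS directory rather than from a periodic scan so the write is caught when it happens.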

Disclaimer

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third party.