Executive Summary
In July 2025, on-premises Microsoft SharePoint servers were targeted by an exploit chain known as ToolShell, leveraging the newly disclosed vulnerabilities CVE-2025-53770 and CVE-2025-53771. Threat actors bypassed authentication and exploited a deserialization flaw on SharePoint Server 2016, 2019, and Subscription Edition. Early attacks dropped file-based web shells that EDR products detected readily, but adversaries quickly shifted to evasive in-memory payloads that leave nothing on disk, making detection far harder while still letting them extract the server's ASP.NET machine keys or run PowerShell commands for data exfiltration and deeper compromise. Because a stolen machine key lets an attacker forge validly signed __VIEWSTATE payloads, the compromise survives patching until the keys are rotated. The incident underscores the growing risk of sophisticated post-exploitation activity and the lack of robust network-level detection.
This breach highlights a wider threat: attackers are adapting their techniques to evade endpoint protections with fileless, memory-resident malware and are targeting enterprise collaboration platforms. As such attack patterns spread, organizations must reinforce defenses and monitor network-level traffic for signs of exploitation, especially as remote work concentrates critical business data on these platforms.
Why This Matters Now
ToolShell-style in-memory attacks are on the rise, empowering threat actors to bypass traditional endpoint defenses and exploit unpatched enterprise applications. Organizations must urgently address known vulnerabilities, improve network monitoring, and recognize that fileless techniques can escape routine security controls, making proactive detection a necessity.
Attack Path Analysis
The attacker compromised a vulnerable SharePoint server by chaining the authentication bypass (CVE-2025-53771) with the deserialization flaw (CVE-2025-53770) through crafted HTTP POST requests to the ToolPane.aspx page; a Referer header pointing at /_layouts/SignOut.aspx is what lets the request through unauthenticated. After gaining initial access, they ran in-memory payloads that read the server's ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt __VIEWSTATE), giving them code execution on demand that survives patching until the keys are rotated. Lateral movement was attempted within the environment, with evidence of encoded PowerShell commands and .NET DLL payloads probing for additional hosts and internal data. Command and control ran over the same HTTP POST channel, with encoded responses carrying exfiltrated information or further tasking. Exfiltration was covert: the payloads returned machine keys and system data over HTTP, potentially on non-standard ports such as 40443. The impact was theft of sensitive information and a foothold for persistence or follow-on actions; no destructive activity was observed.
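The exfiltration step above is where network-level detection gets a second chance after the endpoint has missed an in-memory payload. The following is an added example, not code from the page or from any of the sources it cites: it scans HTTP bodies leaving the SharePoint web role (responses to the attacker's POSTs or outbound callbacks) for ASP.NET machine-key material, both as readable text and wrapped in base64. The key lengths follow the hex format of the `<machineKey>` element; the base64-encoded output form, the TEST-NET peer addresses and the dummy keys are constructed assumptions, and the 40443 port is taken from the narrative above.

```python
"""Spot SharePoint ASP.NET machine keys leaving the server in HTTP bodies.

Added example; not code from the page or its sources. The base64-wrapped
output of the in-memory payload and the sample flows are assumptions.
"""
import base64
import re

# ASP.NET <machineKey> values are hex: validationKey is 128 hex chars for
# HMACSHA256/384/512, decryptionKey is 64 hex chars for AES-256.
HEX_KEY = re.compile(r"\b[0-9A-Fa-f]{64,128}\b")
KEY_LABEL = re.compile(r"validationkey|decryptionkey|machinekey", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def _scan_text(text):
    """True when the text both names a machine key and carries hex key material."""
    return bool(KEY_LABEL.search(text) and HEX_KEY.search(text))


def machine_key_leak(body):
    """Return 'plain', 'base64' or None for one HTTP body (bytes).

    The readable form is what a file-based web shell returns; the base64 branch
    covers an encoded response from an in-memory payload (assumed form).
    Every long base64 run is decoded and rescanned.
    """
    text = body.decode("utf-8", errors="replace")
    if _scan_text(text):
        return "plain"
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run).decode("utf-8", errors="replace")
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        if _scan_text(decoded):
            return "base64"
    return None


def triage_egress(flows):
    """flows: iterable of (peer_ip, peer_port, body) seen leaving the web role.
    Returns one alert string per suspicious flow."""
    alerts = []
    for peer_ip, peer_port, body in flows:
        leak = machine_key_leak(body)
        if leak:
            alerts.append(f"{peer_ip}:{peer_port} machine key exfiltration ({leak})")
        elif peer_port not in (80, 443):
            alerts.append(f"{peer_ip}:{peer_port} web role traffic on non-standard port")
    return alerts


# Constructed dummy key material; real keys are random and never belong in examples.
DUMMY_VALIDATION = "A1B2C3D4" * 16   # 128 hex chars
DUMMY_DECRYPTION = "0F1E2D3C" * 8    # 64 hex chars
PLAIN_RESPONSE = (
    "<html><body>"
    f"ValidationKey={DUMMY_VALIDATION};DecryptionKey={DUMMY_DECRYPTION};"
    "CompatibilityMode=Framework45</body></html>"
).encode()
ENCODED_RESPONSE = base64.b64encode(PLAIN_RESPONSE)   # assumed in-memory variant output
BENIGN_RESPONSE = b"<html><body><h1>HR Portal</h1><p>Welcome back, Alice.</p></body></html>"

# Constructed flows (TEST-NET addresses); only the 40443 port comes from the page.
SAMPLE_FLOWS = [
    ("203.0.113.17", 443, PLAIN_RESPONSE),
    ("203.0.113.17", 40443, ENCODED_RESPONSE),
    ("10.0.0.44", 443, BENIGN_RESPONSE),
    ("198.51.100.9", 8443, BENIGN_RESPONSE),
]

if __name__ == "__main__":
    for alert in triage_egress(SAMPLE_FLOWS):
        print(alert)
```

The decode-and-rescan loop is the part that matters for the in-memory variant: a signature on the literal string `ValidationKey` never fires on an encoded response, so a network sensor has to normalize the body before matching. On TLS-terminated traffic this logic runs at the proxy or IPS; without decryption it degrades to the port-based branch only.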
Kill Chain Progression
Initial Compromise
Description
Exploited the SharePoint authentication bypass and deserialization vulnerabilities (CVE-2025-53771, CVE-2025-53770) via an HTTP POST carrying a crafted payload to gain initial access without credentials.
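Because the initial compromise arrives as a single unauthenticated POST, the IIS logs on the SharePoint server record it even when the payload never touches disk. The following is an added example, not code from the page or its sources: it parses IIS W3C log lines and flags the publicly documented ToolShell request shape (a POST to ToolPane.aspx with a Referer of /_layouts/SignOut.aspx, followed by a hit on the spinstall0.aspx web shell) and, more loosely, any unauthenticated POST to ToolPane.aspx. The log lines are constructed, not captured traffic, and the `a=/ToolPane.aspx` query fragment is included as an assumption rather than a detection key.

```python
"""Hunt IIS W3C logs for the ToolShell request pattern.

Added example; not code from the page or its sources. The log lines are
constructed in the default IIS field layout; nothing here is captured traffic.
"""
import re

# Constructed IIS W3C lines. IIS writes '-' for an empty field and replaces
# spaces inside the User-Agent with '+', so one split() per line is safe.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.17 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/_layouts/SignOut.aspx 200 0 0 412
2025-07-19 02:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.17 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 33
2025-07-19 02:15:00 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\alice 10.0.0.44 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-19 02:16:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.0.44 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/_layouts/15/start.aspx 200 0 0 120
"""

TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.I)
WEBSHELL = re.compile(r"/_layouts/(?:\d+/)?spinstall\d*\.aspx$", re.I)


def parse_iis_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the directive can change mid-file; track it
            continue
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            continue   # truncated line: skip rather than misalign the columns
        yield dict(zip(fields, tokens))


def classify(req):
    """Label one parsed request, or return None when it looks benign."""
    uri = req.get("cs-uri-stem", "")
    if req.get("cs-method", "").upper() == "POST" and TOOLPANE.search(uri):
        if SIGNOUT_REFERER.search(req.get("cs(Referer)", "-")):
            return "toolshell_auth_bypass"          # SignOut referer is the bypass tell
        if req.get("cs-username", "-") == "-":
            return "unauthenticated_toolpane_post"  # no mapped user: worth a look
    if WEBSHELL.search(uri):
        return "toolshell_webshell_access"
    return None


def hunt(text):
    """Return (client_ip, label, uri, status) for every suspicious request."""
    findings = []
    for req in parse_iis_w3c(text):
        label = classify(req)
        if label:
            findings.append((req["c-ip"], label, req["cs-uri-stem"], req["sc-status"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

The authenticated POST from CONTOSO\bob with a normal referer is deliberately left unflagged: editing a web part legitimately hits ToolPane.aspx, so the SignOut referer and the missing username are what separate exploitation from routine use. A 200 status on either flagged line means the request was served, so the host should be treated as compromised and its machine keys rotated, not just patched.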
Related CVEs
CVE-2025-53770
CVSS 9.8
A critical deserialization-of-untrusted-data vulnerability in Microsoft SharePoint Server that allows unauthenticated remote code execution.
Affected Products:
Microsoft SharePoint Server 2016 – All builds with the September 2023 security update or later
Microsoft SharePoint Server 2019 – All builds with the September 2023 security update or later
Microsoft SharePoint Server Subscription Edition – Version 23H2 or later
Exploit Status:
exploited in the wild
CVE-2025-53771
CVSS 6.3
A spoofing vulnerability in Microsoft SharePoint Server that allows attackers to bypass authentication; chained with CVE-2025-53770 it provides the unauthenticated entry point.
Affected Products:
Microsoft SharePoint Server 2016 – All builds with the September 2023 security update or later
Microsoft SharePoint Server 2019 – All builds with the September 2023 security update or later
Microsoft SharePoint Server Subscription Edition – Version 23H2 or later
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Create Account: Domain Account
Process Injection: Process Memory
Command and Scripting Interpreter: PowerShell
Obfuscated Files or Information
Native API
Exploitation for Defense Evasion
Phishing: Spearphishing Attachment
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Management Processes
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 12
CISA Zero Trust Maturity Model 2.0 – Application Security and Segmentation
Control ID: Identity Pillar - Authentication, Authorization, and Access Controls
NIS2 Directive – Technical and Operational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
SharePoint ToolShell vulnerability exploitation targeting deserialization flaws creates critical risks for government data integrity, compliance violations, and potential lateral movement within secure networks.
Financial Services
In-memory payload execution bypassing EDR detection poses severe threats to financial data protection, regulatory compliance, and could enable unauthorized access to sensitive transaction systems.
Health Care / Life Sciences
Undetectable SharePoint exploits threaten patient data confidentiality, HIPAA compliance requirements, and could compromise critical healthcare infrastructure through advanced persistent threat techniques.
Higher Education/Academia
Educational institutions using SharePoint face significant exposure to CVE-2025-53770/53771 exploitation, risking student data breaches and research intellectual property theft through sophisticated attack vectors.
Sources
- [Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads (SANS Internet Storm Center, Tue, Dec 2nd): https://isc.sans.edu/diary/rss/32524
- Customer guidance for SharePoint vulnerability CVE-2025-53770 (Microsoft Security Response Center): https://www.microsoft.com/en-us/msrc/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770
- Critical Vulnerabilities in Microsoft SharePoint (Cyber Security Agency of Singapore, AL-2025-075): https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-075
- Microsoft SharePoint Server Remote Code Execution Zero-Day Vulnerability: CVE-2025-53770 & CVE-2025-53771 (Cynet): https://www.cynet.com/blog/cve-2025-53770/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust and CNSF controls such as east-west segmentation, egress policy enforcement, inline threat prevention, and multi-cloud visibility would have limited the blast radius of the SharePoint exploit, prevented lateral expansion, and detected suspicious payloads even when executed in-memory.
Control: Cloud Firewall (ACF) + Inline IPS (Suricata)
Mitigation: Blocked or alerted on exploit and known-bad web payloads targeting vulnerable endpoints.
Control: Threat Detection & Anomaly Response
Mitigation: Flagged anomalous process or traffic patterns indicative of privilege escalation.
Control: Zero Trust Segmentation + East-West Traffic Security
Mitigation: Restricted lateral movement between workloads and segments.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked suspicious outbound communications and unauthorized egress traffic.
Control: Egress Security & Policy Enforcement + Encrypted Traffic (HPE)
Mitigation: Prevented or detected outbound exfiltration of sensitive data.
Accelerated detection of breached assets and reduced dwell time.
Impact at a Glance
Affected Business Functions
- Document Management
- Collaboration Platforms
- Internal Communications
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive internal documents, user credentials, and proprietary information due to unauthorized access facilitated by the vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Apply virtual patching and inline IPS to block exploitation of known vulnerabilities at the perimeter.
- Enforce Zero Trust Segmentation and east-west controls to contain movement if initial access occurs.
- Implement strict egress policies and continuous threat monitoring to disrupt C2 and data exfiltration channels.
- Maintain full visibility of workload-to-workload and application traffic using centralized multi-cloud observability.
- Routinely audit and harden cloud workloads, emphasizing runtime controls and rapid vulnerability mitigation for exposed applications.