
SharePoint ‘ToolShell’ vulnerabilities being exploited in the wild – Sophos News


On July 18, 2025, Sophos MDR (Managed Detection and Response) analysts observed an influx of malicious activity targeting on-premises SharePoint instances, including malicious PowerShell commands executed across multiple estates. Additional analysis determined these events are likely the result of active, malicious deployment of an exploit known as ‘ToolShell.’

ToolShell collectively refers to the chained exploitation of two SharePoint vulnerabilities: an authentication bypass (CVE-2025-49706) used to reach a remote code execution flaw (CVE-2025-49704). The ToolShell exploit was unveiled at the Pwn2Own event in Berlin in May 2025, and Microsoft released patches for both vulnerabilities in its July Patch Tuesday release.

However, threat actors subsequently developed exploits that bypass these patches, leading to the publication of two new CVE-IDs: CVE-2025-53770 (a variant of CVE-2025-49704) and CVE-2025-53771 (a variant of CVE-2025-49706). Servers that received only the July Patch Tuesday updates remain exposed until the updates for the new CVE-IDs are applied.

Sophos MDR has contacted all known victims, but with these vulnerabilities under active exploitation we urge users to apply the applicable patches to on-premises SharePoint servers (according to Microsoft, SharePoint Online in Microsoft 365 is not impacted) at the earliest opportunity.

What we’ve seen

The malicious PowerShell commands observed by Sophos MDR drop a malicious .aspx file at one of the following paths on an impacted SharePoint server (the 8.3 short names resolve to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS, the directory SharePoint serves as /_layouts/15/ and /_layouts/16/, so the file is reachable over HTTP without authentication once written):

C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx

C:\progra~1\common~1\micros~1\webser~1\16\template\layouts\info3.aspx

While threat actors may choose to deploy many different tools, in the cases recently observed by Sophos, a webshell known as SharpViewStateShell was deployed and detected as Troj/WebShel-P.

In some cases, the threat actors have attempted to access the server's ASP.NET machine keys by deploying a webshell via PowerShell, which triggers the Sophos protection Access_3b. These keys sign and encrypt ViewState, so an attacker who holds them can craft validly signed ViewState payloads and regain code execution on a server that has since been patched. In the event the machine keys are compromised, it is therefore necessary to rotate them using the guidance provided by Microsoft, in addition to patching.

What to do

Customers running on-premises SharePoint instances are advised to apply the official patches from Microsoft and follow the supplied recommendations for mitigation. Users unable to patch for whatever reason should consider taking instances offline temporarily.

Additionally, we recommend that users check for the existence of the files mentioned above and, if present, preserve a copy for investigation and then remove them. Users should be advised that there may be additional variations that Sophos has not yet observed; this list should not be treated as complete.
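The following script is an added example, not part of the Sophos article, showing one way to perform the file check described above on an on-premises SharePoint server. It looks for the two file names Sophos observed, records their hashes and timestamps before anything is deleted, and, because the list is not complete, also surfaces any other .aspx files in the same LAYOUTS directory written within a lookback window. The $LookbackDays default and the $Remove switch are illustrative assumptions; run it from an elevated 64-bit PowerShell session so that $env:CommonProgramFiles resolves to C:\Program Files\Common Files.

```powershell
# Added example (not the article's code): check a SharePoint server for the
# ToolShell webshell drop paths and other recently written LAYOUTS .aspx files.
param(
    [int]$LookbackDays = 30,   # assumption: how far back "recently written" reaches
    [switch]$Remove            # assumption: delete known-name hits after recording evidence
)

# Long-name form of C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS.
$layouts = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'

# File names observed by Sophos MDR. NTFS matching is case-insensitive, so the
# mixed-case variants in the observed commands collapse to these two names.
$knownNames = @('spinstall0.aspx', 'info3.aspx')

$findings = @()

# 1. Exact matches for the observed names.
foreach ($name in $knownNames) {
    $path = Join-Path $layouts $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Path          = $item.FullName
            Match         = 'known-name'
            LastWriteUtc  = $item.LastWriteTimeUtc
            SHA256        = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }
    }
}

# 2. Any other .aspx written inside the lookback window. LAYOUTS only changes
#    when SharePoint is patched or a solution is deployed, so a fresh .aspx
#    outside a maintenance window deserves a look even if its name is new.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)
$recent = Get-ChildItem -LiteralPath $layouts -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTimeUtc -gt $cutoff -and $knownNames -notcontains $_.Name }
foreach ($item in $recent) {
    $findings += [pscustomobject]@{
        Path          = $item.FullName
        Match         = 'recent-aspx'
        LastWriteUtc  = $item.LastWriteTimeUtc
        SHA256        = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

if (-not $findings) {
    Write-Output "No known ToolShell file names or recent .aspx files found in $layouts"
    return
}

# Record evidence (path, hash, timestamp) before any removal so it survives.
$evidence = Join-Path $env:TEMP ('toolshell-check-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
$findings | Export-Csv -LiteralPath $evidence -NoTypeInformation
$findings | Format-Table -AutoSize
Write-Output "Evidence written to $evidence"

if ($Remove) {
    # Only the names Sophos observed are removed automatically; 'recent-aspx'
    # hits need manual review, since a legitimate customisation could land there.
    foreach ($hit in ($findings | Where-Object { $_.Match -eq 'known-name' })) {
        Remove-Item -LiteralPath $hit.Path -Force
        Write-Output "Removed $($hit.Path)"
    }
}
```

A hit on either known name should be treated as confirmed post-exploitation rather than as a false positive, because the file is not part of any SharePoint install. In that case, removing the file is not sufficient on its own: the machine keys should be rotated per Microsoft's guidance and the IIS logs for the server checked for requests to the dropped file name, since the webshell may already have been used.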

What next

Sophos MDR will continue to actively monitor for signs of post-exploitation activity linked to these vulnerabilities. We will publish updates on this page as further relevant information becomes available.
