Attacks on Microsoft Sharepoint: What admins need to do after patching

Contents

The currently observed attacks on SharePoint servers exploit a vulnerability in local installations of Microsoft SharePoint (CVE-2025-53770) that was unknown until July 20, 2025. As there was no update to protect against this until recently – this was a zero-day vulnerability –, attackers were able to take over the vulnerable systems at will and embed themselves there. This problem is not eliminated by applying the patches. Attackers could still gain access to the Sharepoint server and other systems.

We describe how the attackers have proceeded in their previous attacks, what traces they have left behind and how you can specifically track them down to find out whether your own company is affected. We then provide tips for the targeted search and cleaning of affected systems. If you would like to skip the summary, continue reading directly at "What those affected should do now".

What has happened

Attackers exploit a combination of several vulnerabilities to execute arbitrary code on SharePoint servers without authentication. Specially crafted HTTP requests are used to write an ASPX webshell to the SharePoint file system, which can then be used to execute arbitrary commands. The best-known campaign uses a webshell with the name spinstall0.aspx. Palo Alto Networks also described at least two other exploit variants –, including variants with slightly different names, the use of sleep() and the storage of configuration data in files such as debug_dev.js.

The exploited vulnerability only affects on-premises installations of SharePoint. Cloud-based variants such as SharePoint Online (Microsoft 365) are not affected. It is currently not known why these are not vulnerable.

Über den Autor

Florian Roth ist CTO der Nextron Systems GmbH. Er ist ein international renommierter Experte für das Aufspüren von fortgeschrittenen Angreifern und Schöpfer des APT Scanners Thor. Roth ist besonders bekannt für seine Yara-Regeln; er hat aber zusammen mit Thomas Patzke auch das Sigma-Projekt für die Analyse von Logfiles gegründet.

The situation: Many systems compromised

Despite the public warnings, hundreds of vulnerable SharePoint systems are still accessible on the internet. Lists of already compromised systems are circulating in relevant circles, including the associated webshells, which are publicly accessible and usable. It can be assumed that these systems will receive an uninvited visit sooner rather than later.

So far, the attacks appear to have focused on the government, education, healthcare and large corporate sectors. However, the first proof-of-concepts exploits of the vulnerability have already been published. These also make it possible for other attacker groups to exploit the gaps. It is to be expected that cybercrime gangs in particular will jump on the bandwagon and spread the attacks. Immediate patching of servers is therefore essential, unpatchable servers should be disconnected from the Internet.

As the exploits have already been published and are being passed on in the relevant circles, we see no point in withholding this important information from the defenders.

• PoC 1
• PoC 2

Attack indicators (IoCs)

The attacks are carried out via a POST request to

/_layouts/15/ToolPane.aspx

with an HTTP referer header

/_layouts/SignOut.aspx

These are stable signs of a successful attack (Indicators of Compromise), which you should look out for in your log files. If they occur before a patch, it can be assumed that the attackers have compromised the system.

Campaign-specific IoCs

The attacks observed so far create a webshell called spinstall0.aspx in one of the following paths:

# C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\
# ...\16\TEMPLATE\LAYOUTS\`

This results in HTTP accesses to /_layouts/15/spinstall0.aspx when accessing this webshell. Powershell is then executed via w3wp.exe . This receives Base64-encoded input commands, which can be found in the event log or log files. A file called debug_dev.js with Base64 content is also used. These are the hash sums of the known webshells and scripts:

- 27c45b8ed7b8a7e5fff473b50c24028bd028a9fe8e25e5cea2bf5e676e531014
- 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
- 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2
- 30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27
- 4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030
- fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7

The attacks originated from the following IP addresses:

- 107.191.58[.]76
- 45.77.155[.]170
- 154.223.19[.]106

You can look for these in log files from firewalls, for example. However, future attacks may rely on other techniques, meaning that these IoCs are only of limited value.

What those affected should do now

Even after the SharePoint patches have been installed, it must be assumed that attackers have been able to gain access to the system. If the attackers' legacies and modifications remain unnoticed, it is likely that they will access the systems again at a later date, for example to encrypt data and blackmail the company. This is what happened in 2020, for example, when admins at Düsseldorf University Hospital patched the so-called Shitrix zero-day vulnerability in their Citrix VPN gateways, but did not notice the backdoor that had already been installed. Some time later, the university hospital was paralyzed by a ransomware attack in which the attackers used this backdoor.

After patching, it must therefore be assumed that systems have already been compromised by attackers. We recommend the following measures to determine whether an attack has actually taken place and perhaps even been successful:

1. Search for the IoCs listed above
2. Compromise analysis with suitable tools such as Yara; we provide suitable Yara rules on Github. You can also use the free Thor Lite, which is included in the current Desinfec't, for example.
3. Remove found webshells
4. Regenerate MachineKeys (ValidationKey, DecryptionKey) according to the Microsoft instructions
5. Change access data – especially for service accounts and administrative users
6. Check IIS logs and event logs for signs of further activity

Microsoft recommends using its own Defender Antivirus to detect webshells, for example. It should be noted that there have been publicly available, generic Yara rules since 2021 that detect the webshells used in this campaign – long before the first advisories were published. Anyone who regularly scans their exposed systems with the open source rules would therefore have received clear indications of a compromise (unlike many antivirus engines, which did not yet recognize the webshells at the time of the first analyses).

Support tools

The following tools help in the search for traces and legacies of the attackers:

• Yara, the generic open source search tool (also included in Desinfec't), matching rules on Github
• Thor Lite (free tool from Nextron, also included in Desinfec't)
• Sigma rules for detecting the activities – can be used in SIEM systems if SharePoint servers are monitored

Sources and further information

At heise security

• Microsoft: Attacks on new SharePoint vulnerability - no patch available yet
• Serious SharePoint vulnerability: 100 organizations already compromised over the weekend
• New version of Sharepoint 2016 fixes toolshell vulnerability

External

• Microsoft Advisory
• Eye Security Analysis
• Censys Analysis
• Palo Alto Networks / Unit42

(vbr)