A global-scale cyber attack has targeted government agencies and companies on at least three continents, exploiting a dangerous flaw in on-premises Microsoft SharePoint servers. The news was reported by the Washington Post, citing informed researchers. The intrusion vector is a vulnerability known as ToolShell, a critical defect (tracked as CVE-2025-53770) that allows remote code execution by unauthenticated users. This type of attack, called "zero-day" because it exploits a weakness unknown at the time of the strike, has compromised at least 85 servers belonging to 29 organizations, some governmental and others private. Microsoft has released a patch for only some versions of the software, while others remain vulnerable. The investigations, coordinated by the cybersecurity agencies of the United States, Canada and Australia, are still ongoing. In the meantime, a race against time is under way to mitigate the damage and prevent further intrusions.
Toolshell: the vulnerability that started everything
The heart of the problem lies in Microsoft SharePoint Server, a platform that allows organizations to manage, archive and share documents internally. The flaw being exploited, rated 9.8 out of 10 on the CVSS (Common Vulnerability Scoring System) scale, allows an external user to execute commands on the system before any kind of authentication takes place. This is possible because of a process called unsafe deserialization, in which external, unverified data is interpreted and turned into software objects. In this case, the vulnerable endpoint was identified as "ToolPane.aspx", hence the name ToolShell given to the entire campaign.
Once they have obtained access, the attackers load a payload (i.e. a small malicious program) through PowerShell, an automation tool widely used by system administrators, to exfiltrate critical information from the server, including the MachineKey, i.e. the keys used to sign and decrypt the SharePoint server's internal data. In particular, these keys control the mechanism called ViewState, a system that stores the "state" of a web page between one request and the next. With these keys, the attackers are able to craft apparently legitimate requests that the system accepts as authentic, thus executing arbitrary code without restrictions.
The Italian National Cybersecurity Agency, in an official note, explains:
The attack, which does not require authentication, is conducted through POST-type HTTP requests suitably prepared towards the resource. (…) This resource uses a hidden field called __viewstate, used to maintain the state of the page between the various HTTP requests through the serialization of .NET objects. If these data are not adequately signed or validated, an attacker can submit a malicious payload which, once deserialized by the server, allows the execution of arbitrary code on the affected system.
How serious the situation is
Cybersecurity researchers at the company Eye Security have highlighted how serious the situation is, drawing up a report in which they stress the following four critical points.
- The danger is not hypothetical: attackers are able to execute commands remotely on the affected servers, bypassing security measures such as multi-factor authentication (MFA) and so-called single sign-on (SSO). Once inside, they can view and modify internal content, system files and SharePoint settings, as well as spread within the Windows network, compromising other connected systems.
- An even more critical aspect concerns the theft of the cryptographic keys used by the server. These elements allow cybercriminals to impersonate legitimate users or services, even after the system has been updated with a patch. For this reason, applying the security update is not enough: it is necessary to replace (rotate) all the cryptographic keys, so that no token or access generated by the attackers remains valid.
- In some cases, malicious actors can persist in the system by planting hidden entry points (backdoors) or by altering software components so that they survive restarts or updates. Faced with any suspicion of compromise, it is therefore essential to contact professionals specialized in security incident management.
- Since SharePoint is often integrated with other central services such as Outlook, Teams and OneDrive, a single breach can easily spread, facilitating the theft of sensitive data and access credentials and allowing attackers to move within the entire company network.
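To make the second point concrete, here is an added illustration (not code from the article, from Eye Security or from Microsoft) of why stolen signing keys outlive a patch. It uses a deliberately simplified stand-in for the ASP.NET ViewState MAC: a JSON state blob with an HMAC-SHA256 tag appended, keyed by a hypothetical validation key. Real ViewState has a different wire format and is tied to the server's configured machineKey, but the property being shown is the same: the server accepts any token produced under its current key, whoever holds that key, and only rotating the key invalidates tokens minted before the rotation.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed model of a MAC-protected page state (simplified stand-in for
# ASP.NET ViewState; the real format and key derivation differ).
TAG_LEN = 32  # HMAC-SHA256 output length


def sign_state(state: dict, validation_key: bytes) -> str:
    """Serialise the state and append an HMAC tag computed with the key."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_state(token: str, validation_key: bytes) -> Optional[dict]:
    """Return the state if the tag verifies under the key, else None."""
    raw = base64.b64decode(token)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def tampered(token: str) -> str:
    """Flip one bit of the serialised body to show the tag catches edits."""
    raw = bytearray(base64.b64decode(token))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def rotation_demo() -> dict:
    """Show that a token minted under the old key survives patching but not rotation."""
    old_key = secrets.token_bytes(64)  # hypothetical key in use before the incident
    token = sign_state({"page": "ToolPane.aspx", "user": "alice"}, old_key)

    # Whoever holds old_key (the legitimate server, or an attacker who
    # exfiltrated it) produces tokens the server accepts as authentic.
    accepted_before = verify_state(token, old_key) is not None

    # Patching the deserialization flaw changes nothing about old_key.
    # Rotating to a fresh key is what invalidates the previously minted token.
    new_key = secrets.token_bytes(64)
    accepted_after = verify_state(token, new_key) is not None

    return {
        "accepted_before_rotation": accepted_before,
        "accepted_after_rotation": accepted_after,
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The takeaway for responders is the one the report makes: after applying the update, rotate the keys and then treat anything signed under the old ones as untrusted, since verification alone cannot tell a legitimately issued token from one minted with a stolen key.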
How to deal with the situation and defend yourself from the hacker attack
Currently, Microsoft has released updates for only some of the affected versions, stating that it is working on additional patches. Meanwhile, system administrators are advised to update the vulnerable products (namely Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019 and Microsoft SharePoint Server 2016) following the official guidance provided by Microsoft and CISA (Cybersecurity and Infrastructure Security Agency).
The Italian National Cybersecurity Agency also suggests the following:
Monitor and block POST requests to ToolPane.aspx containing anomalous values in the __viewstate field; verify that the AMSI (Antimalware Scan Interface) security mechanism is active; rotate the ASP.NET machine keys.
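The first of those recommendations can be turned into a simple inspection rule. The following is an added example (not from the agency, Microsoft or the article) that parses a captured HTTP request, and flags a POST to ToolPane.aspx whose __VIEWSTATE field is either not valid base64 or unusually large. The size limit, the host name and the sample requests are constructed for illustration; the path /_layouts/15/ToolPane.aspx is the standard SharePoint layouts location of that page. A real deployment would apply the same check in a WAF or reverse proxy that sees request bodies, since IIS logs alone do not record POST parameters.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode, urlsplit

# Illustrative tunable: legitimate ViewState for this page is base64 and
# modest in size. The figure is an assumption, not a value from the article.
MAX_VIEWSTATE_LEN = 4096


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": urlsplit(target).path,
            "headers": headers, "body": body}


def is_base64(value: str) -> bool:
    """True if the value decodes as strict base64 (what ASP.NET emits)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def inspect_request(raw: str) -> dict:
    """Flag POSTs to ToolPane.aspx whose __VIEWSTATE looks anomalous."""
    req = parse_http_request(raw)
    verdict = {"suspicious": False, "reasons": []}
    if req["method"].upper() != "POST":
        return verdict
    if not req["path"].lower().endswith("/toolpane.aspx"):
        return verdict
    fields = parse_qs(req["body"], keep_blank_values=True)
    viewstate = fields.get("__VIEWSTATE", [""])[0]
    if not viewstate:
        return verdict
    if len(viewstate) > MAX_VIEWSTATE_LEN:
        verdict["reasons"].append(
            f"__VIEWSTATE length {len(viewstate)} exceeds {MAX_VIEWSTATE_LEN}")
    if not is_base64(viewstate):
        verdict["reasons"].append("__VIEWSTATE is not valid base64")
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict


def _post_to_toolpane(viewstate: str) -> str:
    """Build a constructed sample request against a hypothetical host."""
    body = urlencode({"__VIEWSTATE": viewstate, "__VIEWSTATEGENERATOR": "ABCD1234"})
    return ("POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit HTTP/1.1\r\n"
            "Host: sp.example.internal\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)


# Constructed sample traffic: one benign post, one oversized field, one
# field that is not base64 at all, and a GET that the rule must ignore.
BENIGN = _post_to_toolpane(base64.b64encode(b"benign page state").decode())
OVERSIZED = _post_to_toolpane("A" * 6000)
GARBAGE = _post_to_toolpane("not base64 at all!!")
GET_REQ = "GET /_layouts/15/ToolPane.aspx HTTP/1.1\r\nHost: sp.example.internal\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("oversized", OVERSIZED),
                         ("garbage", GARBAGE), ("get", GET_REQ)]:
        print(name, inspect_request(sample))
```

A hit from this rule is a reason to block the request and pull the server's recent activity for review, not proof of compromise on its own; the agency's other two steps, confirming AMSI is active and rotating the machine keys, still apply regardless of what the monitoring shows.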