DETECTION OVERVIEW

Microsoft SharePoint ToolShell Exploit Attempt

Risk Factors

These vulnerabilities have been exploited by threat actors, and multiple PoC exploits are publicly available. An unauthenticated attacker can bypass authentication, achieve remote code execution (RCE), and maintain persistent access to the server, which allows the attacker to launch further attacks on the network.

Kill Chain

Exploitation
Detection diagram

Attack Background

The ToolShell exploit chain pairs an authentication bypass vulnerability (CVE-2025-49706 or CVE-2025-53771) with a deserialization of untrusted data vulnerability (CVE-2025-49704 or CVE-2025-53770). An attacker sends an HTTP POST request containing untrusted data to a vulnerable ToolPane.aspx endpoint. The endpoint deserializes the object in the POST body and runs the attacker's commands, either because the request is authenticated or because it is chained with an exploit of CVE-2025-49706 or CVE-2025-53771 that spoofs authentication. The attacker can then attempt to install a malicious file that steals the server's encryption keys, which allows them to forge valid authentication tokens and later establish persistence or deploy malware.
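As an added illustration of the detection idea behind this overview, the Python below scans web server log lines for POST requests to a ToolPane.aspx endpoint and grades them by whether the server accepted the request without a logged user. This is example code written for this page, not ExtraHop's RevealX detection logic; the IIS/W3C-style field layout, the sample IPs, user names and timestamps, and the high/medium/low scheme are all constructed assumptions. It matches the path case-insensitively and regardless of the /_layouts/15 or /_layouts/16 prefix, since ASP.NET resolves paths case-insensitively while IIS logs whatever casing the client sent.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (IIS/W3C-style fields, invented for this example):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
SAMPLE_LOG = """\
2025-07-20 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.21 200
2025-07-20 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 200
2025-07-20 10:01:15 10.0.0.5 POST /_layouts/15/toolpane.ASPX - 443 CORP\\bob 10.0.0.22 200
2025-07-20 10:01:20 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 198.51.100.9 401
2025-07-20 10:02:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.0.21 200
"""

# Match on the request path only, ignoring case and the /_layouts/<n> prefix.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    username: str
    uri: str
    status: int
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C-style log line into named fields; return None if malformed."""
    fields = line.split()
    if len(fields) != 10:
        return None
    date, time, _server_ip, method, uri_stem, query, _port, user, client_ip, status = fields
    if not status.isdigit():
        return None
    return {
        "timestamp": f"{date} {time}",
        "method": method.upper(),
        "uri": uri_stem if query == "-" else f"{uri_stem}?{query}",
        "path": uri_stem,
        "username": user,
        "client_ip": client_ip,
        "status": int(status),
    }


def classify(rec: dict) -> Optional[str]:
    """Severity for a POST to ToolPane.aspx, or None if the record is not of interest."""
    if rec["method"] != "POST" or not TOOLPANE_RE.search(rec["path"]):
        return None
    unauthenticated = rec["username"] == "-"
    if unauthenticated and 200 <= rec["status"] < 300:
        # The server accepted a POST to the endpoint with no logged user,
        # which is consistent with the authentication bypass described above.
        return "high"
    if unauthenticated:
        # Anonymous POST rejected (for example a 401 challenge). This is normal
        # during a Windows auth handshake, but is kept for correlation.
        return "low"
    # Authenticated POSTs to ToolPane.aspx also occur during legitimate web part
    # editing, yet an authenticated request can still carry the deserialization
    # payload, so they are reported at medium for analyst review.
    return "medium"


def scan_log(text: str) -> list:
    """Return one Finding per POST to ToolPane.aspx found in the log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity is None:
            continue
        findings.append(Finding(rec["timestamp"], rec["client_ip"], rec["username"],
                                rec["uri"], rec["status"], severity))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.timestamp} {f.client_ip} user={f.username} {f.uri} -> {f.status}")
```

Run against real logs, the high-severity hits (an accepted POST with no user) are the ones to triage first; the medium hits need correlation with whether that user was actually editing web parts at the time, and the low hits mainly help build a timeline for a source IP that later succeeds.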

Mitigation Options

Install relevant patches for affected versions

MITRE ATT&CK ID
