Storm-2603 Threat Intelligence for Damovo Customers

29/07/2025
Andrew Hay

Executive Overview

Storm-2603 Attack Timeline: From Initial SharePoint Breach to Warlock Ransomware Deployment

Storm-2603, a state-sponsored or state-affiliated threat actor, began large-scale exploitation of on-premises SharePoint Server 2016, 2019, and Subscription Edition on 18 July 2025, using a serialised payload that abuses the ToolPane.aspx handler to plant a persistent web shell (spinstall0.aspx) and exfiltrate ASP.NET machine keys. A successful compromise enables full system takeover and rapid lateral movement, culminating in the deployment of Warlock ransomware within 60–90 minutes of initial access.

In Europe, attack volumes are highest in the Netherlands, Germany, France, Poland, and Sweden, with affected verticals spanning telecoms, government, higher education, and critical infrastructure.

Business leaders should:

  • Schedule immediate installation of Microsoft July 2025 security updates (KB5002768, KB5002754, KB5002753).
  • Confirm continuous telemetry coverage for SharePoint IIS (w3wp.exe), PowerShell, and network traffic hitting ToolPane.aspx endpoints.
  • Empower SOCs with the detection rules, playbooks, and IOC feeds provided below, while resourcing incident responders to address potential compromises.


Background: The Storm-2603 ToolShell Campaign

Threat Actor Profile

Storm-2603 (a.k.a. Violet Typhoon) is linked to China-state interests and has a record of exploiting server-side deserialization flaws for credential theft and ransomware staging. The group routinely blends web-shell persistence with file-less PowerShell execution, DNS-over-HTTPS C2, and anti-forensic log manipulation.

Vulnerability Synopsis

| CVE | Affected SharePoint Versions | CVSS 4.0 | Description | Weaponised By | Patch KB |
|---|---|---|---|---|---|
| CVE-2025-53770 | 2016, 2019, Subscription Ed. | 9.8 | .NET deserialization in ToolPane.aspx permits unauthenticated RCE | Storm-2603 | KB5002768 / KB5002754 / KB5002753 |
| CVE-2025-53771 | 2016, 2019, Subscription Ed. | 8.8 | Path traversal enabling arbitrary file write | Storm-2603 | KB5002768 / KB5002754 / KB5002753 |
| CVE-2024-38094 | 2016, 2019 | 8.6 | BDC metadata injection leading to privilege escalation | Copy-cat groups | KB5037781 |


Exploit Chain (ToolShell)

An exploit chain is a sequence of actions or techniques that an attacker uses to breach a system, with each step building upon the previous one to achieve deeper access or more damaging effects. In the context of the ToolShell exploit chain, steps 1-5 illustrate how an attacker methodically bypasses authentication controls, establishes persistence, leverages privilege escalation, and ultimately delivers a devastating ransomware payload:

  1. Authentication-bypass POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a malicious Referer: /_layouts/SignOut.aspx header triggers unsafe object deserialization.
  2. Web-shell drop: spinstall0.aspx uploaded to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\160.aspx.
  3. Machine-key exfiltration via custom DLL (IISServerdll.dll) enabling cookie forgery and persistent session hijacking.
  4. Privilege escalation with w3wp.exe spawning encoded PowerShell to deliver xd.exe reverse proxy and SharpHostInfo.x64.exe reconnaissance tool.
  5. Ransomware stage: Warlock payload executed, renaming files with .warlock extension and dropping a !README!.txt note.

First, the attacker exploits the deserialization flaw with a crafted POST request, then deploys a web shell for sustained access. Next, the cryptographic machine keys are exfiltrated so that forged sessions survive the removal of the web shell. The attacker then escalates privileges through encoded PowerShell commands that deploy reconnaissance and reverse-proxy tooling. Finally, the ransomware stage encrypts files and demands payment, which is where the business impact of the chain is realised.

Proof of Concept

Though no published Proof of Concept (PoC) code exists for the vulnerability at the time of this writing, the Viettel Cyber Security blog post entitled “SharePoint ToolShell – One Request PreAuth RCE Chain” provides a credible, technical breakdown of the ToolShell exploit chain and serves as a key source for detection, hunting, and incident response. It does not, however, distribute or directly link to a PoC exploit script.

The repository https://github.com/testanull/MS-SharePoint-July-Patch-RCE-PoC is a publicly available PoC exploit tool targeting SharePoint vulnerabilities CVE-2024-38094, CVE-2024-38024, and CVE-2024-38023. The tool, created in July 2024 and written entirely in Python, provides the PoC code and a linked PoC demonstration video for further guidance. At this time, there is no indication that this tool can be directly used to exploit the ToolShell vulnerabilities, although the methodology may offer some insight into SharePoint exploitation techniques in general.

Indicators of Compromise

We’ve compiled an extensive list of published IOCs into a downloadable JSON file for your analysis activities: sharepoint_vulnerabilities_iocs.json. The JSON file has its source field populated accordingly, so you can see the attribution for any data row by examining that field. Many of these indicators were contributed by Microsoft and CISA, with supplementary findings by leading commercial security research teams as well as detailed forensic reports and blog analyses. For hashes, filenames, domains, and IP addresses related to the July 2025 Storm-2603 information-stealer/backdoor campaign, all were attributed in the JSON to the Microsoft Security Blog published on 22 July 2025.

  • Microsoft – Official Microsoft security advisories and technical threat intelligence.
  • CISA – The United States Cybersecurity and Infrastructure Security Agency.
  • SentinelOne – Security vendor providing threat research and reporting.
  • Rapid7 – Security analytics and internet threat monitoring provider.
  • Wiz – Cloud security research and analysis.
  • SOCRadar – Threat intelligence and data analytics firm.
  • Syskit – Microsoft 365 and SharePoint reporting tool vendor.
  • Foresiet – Security intelligence provider.
  • Logpoint – Security information and event management (SIEM) vendor.
  • Technical Analysis – Based on publicly shared technical research from trusted analysts.
  • Multiple sources – Used where several organisations or coordinated disclosures reported the same indicator.
  • Microsoft Security Blog (2025-07-22) – For the most recent surge of IOCs, especially those from the post-exploitation investigations around CVE-2024-38094 and associated threats.


Detection & Monitoring Guidance

The following detection and monitoring guidance should help you prepare your infrastructure to detect the potential exploitation of the SharePoint vulnerabilities. Without appropriate logging or signalling enabled, your organisation will be blind to the attack attempts, making it extremely difficult to respond to an incident.

Log Sources to Enable

You can’t see the activity if you’re not logging it. The following guidance should be followed to enable the proper log source configurations for further analysis:


SIEM Correlation Rules

With the appropriate logging enabled, we highly recommend utilising a SIEM platform to collect, aggregate, and investigate detected activities. The following are just a few recommendations for some of the more commonly used SIEM platforms.

Splunk – Detection goal: exploit & web-shell access

  index=wineventlog (HttpRequestUri="/_layouts/15/ToolPane.aspx*"
      OR HttpRequestUri="*/spinstall*.aspx")
      OR (ProcessName="w3wp.exe" CommandLine="*EncodedCommand*")

Microsoft Sentinel – Detection goal: SharePoint web shell creation in the LAYOUTS directory

  let timeWindow = 24h;
  let scriptExtensions = dynamic([".aspx", ".asmx", ".asax"]);
  DeviceFileEvents
  | where TimeGenerated > ago(timeWindow)
  | where FolderPath has_any (
      @"microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
      @"microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
    )
  | where FileName has_any ("spinstall0", "spinstall", "spinstall1", "spinstall2")
      or FileName has_any (scriptExtensions)
  | where ActionType == "FileCreated"
  | project TimeGenerated, DeviceName, InitiatingProcessFileName,
            InitiatingProcessCommandLine, FileName, FolderPath, SHA256
  | extend HostCustomEntity = DeviceName, FileHashCustomEntity = SHA256

CrowdStrike Falcon – Detection goal: host IOC

  spinstall*.aspx file I/O

Elastic – Detection goal: suspicious HTTP

  event.dataset == "iis.access" and url.path == "/_layouts/15/ToolPane.aspx"

IBM QRadar – Detection goal: deserialization trigger

  URI CONTAINS "ToolPane.aspx" AND REFERER CONTAINS "SignOut.aspx"

False-positive Note: Internal SharePoint admin activity may invoke ToolPane.aspx; correlation with anomalous referrer header and PowerShell spawn greatly reduces noise.
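As an added worked example (not Damovo's, Microsoft's or any SIEM vendor's code), the following Python script implements the same three signals the rules above look for, namely a POST to ToolPane.aspx carrying the SignOut.aspx referer, a request for a spinstall*.aspx file, and w3wp.exe spawning PowerShell with an encoded command, and then applies the correlation described in the false-positive note: ToolPane.aspx access on its own is rated low, an encoded PowerShell spawn from w3wp.exe on its own is rated medium, and the two together within a short window (or either high-confidence web signal) are rated high. The IIS log lines, host names, timestamps, IP addresses and base64 placeholders are all constructed, and the script assumes the s-computername field is enabled in IIS W3C logging so that requests can be joined to per-host process telemetry.

```python
"""ToolShell signal correlation over IIS access logs and process events.
Added example for this bulletin, not vendor code; all data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C access log. s-computername is assumed to be enabled in IIS
# logging so that requests can be joined to host process telemetry.
IIS_LOG = """\
#Fields: date time s-computername cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 10:02:11 SP01 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 /_layouts/SignOut.aspx 200
2025-07-18 10:02:40 SP01 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 - 200
2025-07-18 11:15:03 SP01 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.42 /_layouts/15/settings.aspx 200
2025-07-18 13:05:00 SP02 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.42 /_layouts/15/settings.aspx 200
2025-07-18 14:30:00 SP04 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.42 /_layouts/15/settings.aspx 200
"""

# Constructed process-creation events: (host, time, parent image, image, command line).
PROCESS_EVENTS = [
    ("SP01", "2025-07-18 10:02:55", "w3wp.exe", "powershell.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand <base64 placeholder>"),
    ("SP01", "2025-07-18 11:16:10", "w3wp.exe", "conhost.exe", "conhost.exe 0x4"),
    ("SP02", "2025-07-18 13:06:30", "w3wp.exe", "powershell.exe",
     "powershell.exe -enc <base64 placeholder>"),
    ("SP03", "2025-07-18 09:00:00", "explorer.exe", "powershell.exe",
     "powershell.exe -EncodedCommand <base64 placeholder>"),
    ("SP05", "2025-07-18 15:00:00", "w3wp.exe", "powershell.exe",
     "powershell.exe -ec <base64 placeholder>"),
]

TS = "%Y-%m-%d %H:%M:%S"
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted spellings of the switch.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)", re.I)


def parse_iis(text):
    """Parse W3C log lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], TS)
            records.append(rec)
    return records


def tag_request(rec):
    """Return detection tags for one request; an empty list means nothing of interest."""
    tags = []
    stem = rec["cs-uri-stem"].lower()
    referer = rec["cs(Referer)"].lower()
    if stem.endswith("/toolpane.aspx"):
        tags.append("toolpane_access")  # low confidence alone: admins use this page too
        if (rec["cs-method"] == "POST"
                and "displaymode=edit" in rec["cs-uri-query"].lower()
                and referer.endswith("/signout.aspx")):
            tags.append("toolpane_signout_referer")  # the ToolShell deserialization trigger
    if WEBSHELL_RE.search(stem):
        tags.append("webshell_uri")  # a spinstall*.aspx web shell being requested
    return tags


def tag_process(event):
    """Flag w3wp.exe launching PowerShell with an encoded command line."""
    _host, _ts, parent, image, cmdline = event
    if (parent.lower() == "w3wp.exe" and image.lower() == "powershell.exe"
            and ENCODED_RE.search(cmdline)):
        return ["w3wp_encoded_powershell"]
    return []


def correlate(iis_text, process_events, window=timedelta(minutes=10)):
    """Group tagged events per host and rate them.
    high:   SignOut.aspx-referer POST or web-shell URI seen, or any ToolPane.aspx
            access followed within `window` by an encoded PowerShell spawn from w3wp.exe
    medium: encoded PowerShell spawn from w3wp.exe with no ToolPane.aspx access nearby
    low:    ToolPane.aspx access only (probably admin activity; review, do not page)"""
    per_host = defaultdict(list)
    for rec in parse_iis(iis_text):
        for tag in tag_request(rec):
            per_host[rec["s-computername"]].append((rec["ts"], tag))
    for ev in process_events:
        for tag in tag_process(ev):
            per_host[ev[0]].append((datetime.strptime(ev[1], TS), tag))

    alerts = {}
    for host, hits in sorted(per_host.items()):
        tags = {t for _, t in hits}
        accesses = [ts for ts, t in hits if t == "toolpane_access"]
        spawns = [ts for ts, t in hits if t == "w3wp_encoded_powershell"]
        chained = any(timedelta(0) <= s - a <= window for a in accesses for s in spawns)
        if tags & {"toolpane_signout_referer", "webshell_uri"} or chained:
            severity = "high"
        elif spawns:
            severity = "medium"
        else:
            severity = "low"
        alerts[host] = {"severity": severity, "tags": sorted(tags), "chained": chained}
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(IIS_LOG, PROCESS_EVENTS).items():
        print(f"{host}: {alert['severity']:6} {', '.join(alert['tags'])}")
```

Run as-is, the script rates SP01 high (referer trigger, web-shell request and encoded PowerShell all seen), SP02 high purely by correlation (an internal-looking ToolPane.aspx edit followed 90 seconds later by w3wp.exe spawning encoded PowerShell), SP05 medium and SP04 low; SP03 produces nothing because the PowerShell parent is explorer.exe, not the SharePoint worker process. In a SIEM the same three tags map directly onto the Splunk, Sentinel, Elastic and QRadar snippets above, with the per-host window being the piece that turns them from noisy single-source rules into a pageable alert.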

Damovo Partner Detection Solutions

The following Damovo partners offer products, platforms, or tools that, when properly deployed and configured, can help detect the active exploitation of the Microsoft SharePoint vulnerabilities.

| Vendor | Product/Solution | Key Detection Indicators | Mitigation Capabilities |
|---|---|---|---|
| Cisco | Cisco Secure Email, Cisco Talos Threat Intelligence | Malicious email attachments targeting SharePoint; known ToolShell IoCs in threat feeds | Block malicious emails; provide threat intelligence updates; security advisory notifications |
| Microsoft | Microsoft Defender for Endpoint, Microsoft Defender AV, AMSI | w3wp.exe spawning cmd.exe/powershell.exe; spinstall0.aspx file creation; Base64 encoded PowerShell commands; MachineKey extraction attempts | Isolate compromised endpoints; block malicious processes; quarantine infected files; automatic threat response |
| Extreme Networks | ExtremeAnalytics, ExtremeCloud IQ | Unusual POST requests to /_layouts/15/ToolPane.aspx; abnormal traffic patterns; performance degradation indicators | Network segmentation recommendations; traffic blocking; performance optimisation alerts |
| runZero | runZero Asset Discovery and Vulnerability Management | Vulnerable SharePoint server identification; missing security patches; exposed management interfaces; software version tracking | Vulnerability prioritisation; patch management tracking; asset inventory updates; exposure risk scoring |
| HPE Aruba | HPE Aruba ClearPass Policy Manager | Failed authentication attempts; unauthorised access to SharePoint resources; policy violations; audit trail anomalies | Policy enforcement; access control; user isolation; compliance monitoring |
| Graylog | Graylog Security, Graylog API Security | SharePoint authentication failures; deserialization errors; suspicious file system changes; unusual PowerShell activity | Real-time alerting; incident response workflows; log retention for forensics; automated threat correlation |
| Forcepoint | Forcepoint DSPM, Forcepoint CASB | Unauthorised SharePoint file access; sensitive data movement; external sharing violations; configuration changes | Data classification; access control enforcement; policy violation blocking; compliance reporting |
| Zscaler | Zscaler Deception, Zscaler Private Access (ZPA) | SharePoint decoy interactions; targeted hostname-based attacks; lateral movement attempts; zero-day exploitation signals | Decoy deployment; user isolation; lateral movement prevention; threat intelligence sharing |
| Palo Alto Networks | Cortex XDR, Unit 42 Managed Threat Hunting | DOT_NET telemetry references to ToolPane.aspx; file writes to layouts directory; Base64 PowerShell execution; ViewState manipulation | Automated threat hunting; incident response; IOC detection; quarantine capabilities |

Mitigation & Patching Guidance

Not every organisation can drop everything and patch servers for a multitude of reasons. The following mitigation guidance and patch guidance should help you put together a staged approach to protecting your organisation.

Mitigation Guidance

The following Damovo partners offer products, platforms, or tools that, when properly deployed and configured, can help block the active exploitation of the Microsoft SharePoint vulnerabilities while you schedule adequate time to patch your servers.

Actions to stop CVE-2025-53770 / 53771, by vendor and product or feature:

Cisco – Secure Firewall (ASA/FTD) with Snort IPS
  • Update to the latest SRU; enable Snort SIDs 65092 (SharePoint RCE) and 65183 (spinstall0.aspx web-shell) and set them to Drop.
  • Optionally add an HTTP policy that denies /_layouts/15/ToolPane.aspx from the Internet.

Microsoft – SharePoint security update + AMSI + Defender
  • Apply the July 2025 emergency patches.
  • Turn on SharePoint’s AMSI Full mode and run Microsoft Defender AV/Endpoint so unauthenticated payloads are scanned in-memory.
  • Rotate machineKey values and block malicious file download/upload via Safe Attachments.

Extreme Networks – ExtremeControl NAC & ExtremeCloud IQ-Site Engine IDS/IPS
  • Import the newest IDS library and enable the SharePoint RCE category.
  • In ExtremeControl, create a Quarantine policy that matches any host issuing ToolPane.aspx traffic and moves it to a restricted VLAN.

HPE Aruba – EdgeConnect SD-Branch IDS/IPS & SSE
  • Enable the daily IDS/IPS threat library; rules block SharePoint RCE attempts.
  • Add a stateful-firewall rule denying external POSTs to ToolPane.aspx.
  • Use dynamic segmentation to ring-fence SharePoint servers.

Forcepoint – NGFW (Smart Update) + DLP for SharePoint
  • Install the latest SmartUpdate; enable IPS signature HTTP_CSH-Microsoft-Sharepoint-Improper-Authentication-CVE-2025-49706 and set it to Block.
  • Use Forcepoint DLP SharePoint Discovery to scan sites for dropped .aspx web-shells and quarantine them.

Zscaler – Advanced Threat Protection, Deception & ZPA
  • Cloud signature App.Exploit.CVE-2025-53770 is already live; verify the profile action is Drop.
  • Deploy SharePoint decoys; if touched, ZPA can isolate the compromised user or workload, blocking lateral movement.

Palo Alto Networks – PAN-OS NGFW (Threat-ID 91358) + Cortex XDR
  • Update content >= 2025-07-25; Threat-Prevention ID 91358 drops ToolShell traffic.
  • Cortex XDR agent content 1880-20113 blocks post-exploitation PowerShell and flags spinstall0.aspx creation; hunt for devices still exposing the four CVEs.

Patching Guidance

Apply July 2025 security updates KB5002768 (Subscription), KB5002754 (2019), and KB5002753 (2016) as soon as is feasible by your IT or infrastructure team. As with any patch, we strongly recommend testing the patch on a staging system to ensure compatibility with interconnected systems.

| Environment | Baseline Build | Security KB to Apply | Reboot Required | Patch Tested On |
|---|---|---|---|---|
| SharePoint SE | 16.0.10399.20000 | KB5002768 | Yes | Windows Server 2022 |
| SharePoint 2019 | 16.0.10337.20000 | KB5002754 | Yes | Windows Server 2019 |
| SharePoint 2016 | 16.0.5026.1000 | KB5002753 | Yes | Windows Server 2016 |

Rollback Plan: Snapshot VM before patch; uninstall via Control Panel → Installed Updates if regression occurs.

After applying the security updates above (or enabling AMSI), you must rotate the ASP.NET machine keys on every SharePoint server and restart Internet Information Services (IIS) on all of them, because keys exfiltrated before patching still let an attacker forge valid sessions. You can rotate the keys manually with PowerShell, or from Central Administration by triggering the Machine Key Rotation timer job:

  • Navigate to the Central Administration site.
  • Go to Monitoring -> Review job definition.
  • Search for Machine Key Rotation Job and select Run Now.

Finally, you must restart IIS on all SharePoint servers using iisreset.exe.

Conclusion & Next Steps

Storm-2603’s weaponisation of the ToolShell vulnerabilities exemplifies the rapid pivot from zero-day disclosure to mass ransomware deployment. Patch urgency, precise detection logic, and rigorous incident response planning are, therefore, non-negotiable for EU entities subject to NIS2 or DORA compliance and operational-resilience obligations.

Executives should disseminate this bulletin to their SOC leaders today and mandate an immediate review of SharePoint exposure, telemetry coverage, and patch status. We also strongly suggest that you continue to monitor Microsoft’s “Disrupting active exploitation of on-premises SharePoint vulnerabilities” blog post for updates.

Even when security teams believe they have properly implemented patches and controls, we often find that critical systems remain vulnerable to attack.

Our security experts recommend a comprehensive approach that goes beyond patching alone, validating controls through offensive security testing and defensive readiness assessments. This dual approach ensures that protective measures are not only installed correctly but also function effectively under real-world conditions.

By combining expert implementation with rigorous validation, organisations can achieve genuine protection rather than false confidence. Our team specialises in both deploying security measures and verifying their effectiveness, providing the assurance that comes from proven, tested defences.

If you have any questions or need assistance mitigating these or other vulnerabilities, please schedule an urgent consultation with Damovo’s security specialists.