Source: news.sophos.com – Author: Matt Wixey
Sophos X-Ops sees exploitation across multiple customer estates
On July 18, 2025, Sophos MDR (Managed Detection and Response) analysts observed an influx of malicious activity targeting on-premises SharePoint instances, including malicious PowerShell commands executed across multiple estates. Additional analysis determined these events are likely the result of active, malicious deployment of an exploit known as ‘ToolShell.’
ToolShell collectively refers to the chained exploitation of two SharePoint vulnerabilities, CVE-2025-49704 and CVE-2025-49706. The ToolShell exploit was unveiled at the Pwn2Own event in Berlin in May 2025, and Microsoft released patches for both vulnerabilities in its July Patch Tuesday release.
However, threat actors subsequently developed exploits that appear to bypass these patches, leading to the publication of two new CVE-IDs: CVE-2025-53770 and CVE-2025-53771.
Sophos MDR has contacted all known victims, but with these vulnerabilities under active exploitation we urge users to apply the applicable patches to on-premises SharePoint servers (according to Microsoft, SharePoint Online in Microsoft 365 is not impacted) at the earliest opportunity.
What we’ve seen
The malicious PowerShell commands observed by Sophos MDR drop a malicious .aspx file at one of the following paths on an impacted SharePoint server (the 8.3 short names expand to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\, the SharePoint 16 hive's LAYOUTS folder, which IIS serves under /_layouts/):
C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx
C:\progra~1\common~1\micros~1\webser~1\16\template\layouts\info3.aspx
While threat actors may choose to deploy many different tools, in the cases recently observed by Sophos, a webshell known as SharpViewStateShell was deployed and detected as Troj/WebShel-P.
In some cases, the threat actors have attempted to access the server's ASP.NET machine keys by deploying a webshell via PowerShell, which triggers the Sophos protection Access_3b. These keys (the ValidationKey and DecryptionKey) are what SharePoint uses to sign and encrypt ViewState, so an attacker who obtains them can forge ViewState payloads and keep executing code on the server even after it has been patched. If the machine keys may have been compromised, it is necessary to rotate them using the guidance provided by Microsoft and to restart IIS afterwards so the new keys take effect.
What to do
Customers running on-premises SharePoint instances are advised to apply the official patches from Microsoft and follow the supplied recommendations for mitigation. Users unable to patch for whatever reason should consider taking instances offline temporarily.
Additionally, we recommend that users check for the files listed above and, if present, remove them, preserving a copy for analysis first, since the contents show what the attacker was after. Users should be aware that there may be additional variants that Sophos has not yet observed; this list should not be treated as complete.
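One way to carry out the check above on a SharePoint server, as an added example that is not code from the Sophos post: the script looks in the LAYOUTS folders of both the 15 and 16 hives for the two drop-file names reported above and, optionally, for any other .aspx whose name is absent from a baseline listing taken from a clean server at the same patch level (which catches variants with other names), then hashes, quarantines and removes what it finds. The install root under %CommonProgramFiles%, the -Baseline file format and the quarantine path are assumptions; nothing here comes from Sophos or Microsoft tooling.

```powershell
<#
Added example (not from the Sophos post). Hunts SharePoint LAYOUTS folders for
the ToolShell drop files named in the post and for any .aspx not in a baseline,
then hashes, quarantines and removes them. Assumptions: default install under
%CommonProgramFiles%\Microsoft Shared\Web Server Extensions, hives 15 and 16,
and the $Baseline / $Quarantine paths. Run with -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # File names reported in the post; extend as new variants are published.
    [string[]]$KnownNames = @('spinstall0.aspx', 'info3.aspx'),
    # Optional: one expected .aspx file name per line, captured from a clean
    # reference server at the same patch level (assumed format).
    [string]$Baseline,
    # Evidence copies of suspect files are kept here before removal (assumed path).
    [string]$Quarantine = 'C:\IR\ToolShell-quarantine'
)

$root = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions'
$layoutDirs = foreach ($hive in '15', '16') {
    $dir = Join-Path $root "$hive\TEMPLATE\LAYOUTS"
    if (Test-Path -LiteralPath $dir) { $dir }
}
if (-not $layoutDirs) { throw "No SharePoint LAYOUTS directory found under $root" }

# Baseline names are compared case-insensitively; an empty baseline disables that check.
$expected = @()
if ($Baseline) {
    $expected = Get-Content -LiteralPath $Baseline |
        Where-Object { $_.Trim() } |
        ForEach-Object { $_.Trim().ToLowerInvariant() }
}

$findings = foreach ($dir in $layoutDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = $_.Name.ToLowerInvariant()
            $reason = $null
            if ($KnownNames -contains $name) {
                $reason = 'known ToolShell drop-file name'
            } elseif ($expected.Count -gt 0 -and $expected -notcontains $name) {
                $reason = 'aspx not present in baseline'
            }
            if ($reason) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Reason       = $reason
                    SizeBytes    = $_.Length
                    LastWriteUtc = $_.LastWriteTimeUtc
                    SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

if (-not $findings) {
    Write-Host "No suspect .aspx files found in: $($layoutDirs -join ', ')"
    return
}
$findings | Format-Table -AutoSize

foreach ($f in $findings) {
    if ($PSCmdlet.ShouldProcess($f.Path, 'copy to quarantine and remove')) {
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        # Evidence copy is named by hash prefix so files with the same name do not collide.
        $dest = Join-Path $Quarantine ('{0}_{1}' -f $f.SHA256.Substring(0, 16), (Split-Path -Leaf $f.Path))
        Copy-Item -LiteralPath $f.Path -Destination $dest -Force
        Remove-Item -LiteralPath $f.Path -Force
        Write-Host "Quarantined $($f.Path) -> $dest"
    }
}
```

Run it as `.\Hunt-ToolShellDrops.ps1 -WhatIf` first to see what would be touched. To build the baseline on a clean server at the same patch level, list the LAYOUTS folder with `Get-ChildItem -Filter *.aspx -File | Select-Object -ExpandProperty Name | Set-Content baseline.txt`; a baseline from a server at a different patch level will produce false positives, because Microsoft updates ship new .aspx files. Without -Baseline only the two names from the post are checked. A hit means the host should be treated as compromised: removing the file is cleanup, not remediation, and the machine-key rotation described above still applies.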
What next
Sophos MDR will continue to actively monitor for signs of post-exploitation activity linked to this vulnerability. We will publish updates on this page as further relevant information becomes available.
About the Author
Paul Jaramillo
Paul Jaramillo is an extremely passionate, technical, and results-oriented security professional with over 10 years of incident response and 15 years of IT experience. Previously working at Splunk, CrowdStrike, and the US DoE, Paul is currently Director of Threat Hunting & Intelligence at Sophos. He has a long, distinguished record of reducing enterprise risk and guiding organizations to an improved security posture. Some highlights include breaking into a two-factor VPN as a pen tester, successfully investigating an insider threat case across the globe as a forensic examiner, and hunting and ejecting nation-state adversaries from corporate and government networks.
About the Author
Colin Cowie
Colin is a Threat Intelligence Analyst for the Sophos Managed Detection and Response (MDR) team, focusing on threat actor identification, incident response and working alongside detection engineers to address emerging threats. In past roles he worked in the financial sector performing internal and external penetration testing.
About the Author
Jordon Olness
Jordon Olness is a threat intelligence analyst with Sophos Managed Detection and Response. His more than seven years in the industry includes roles in cybersecurity operations and threat hunting. In his current role, Jordon has focused on analyzing malware for threat intelligence value and devising new methods of tracking adversary infrastructure. Jordon loves to visit and explore the Rocky Mountains.
Original Post URL: https://news.sophos.com/en-us/2025/07/21/sharepoint-toolshell-vulnerabilities-being-exploited-in-the-wild/
Category & Tags: Threat Research, featured, MDR, Patch Tuesday, SharePoint, Sophos X-Ops, toolshell