Inside The ToolShell Campaign
Microsoft SharePoint servers are under attack by multiple threat actors who are chaining newly identified vulnerabilities, dubbed "ToolShell", to achieve remote code execution. The attackers combine already patched flaws with zero-day variants, and in-the-wild exploitation is accelerating. FortiGuard has released protections and an IPS signature to counter the threat. 2025-7-25 13:0:0 Author: feeds.fortinet.com

Affected Platforms: Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical

FortiGuard Labs is currently tracking multiple threat actors targeting on-premises Microsoft SharePoint servers. This attack leverages a newly identified exploit chain dubbed "ToolShell."

Threat actors are combining two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two fresh, zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. Given the escalating threat, CISA has already added these CVEs to its catalog of Known Exploited Vulnerabilities, and FortiGuard Labs has issued a detailed Threat Signal. Beyond the already known attack using “spinstall0.aspx”, exploitation in the wild is accelerating, and this blog post examines real-world incidents from this ongoing wave of attacks.

Figure 1: "spinstall0.aspx" exploitation

Probing Action

The following are simple curl and PowerShell commands used to upload ipconfig output to a remote server.

Figure 3: PowerShell command

GhostWebShell

This ASP.NET web shell is a sophisticated tool designed for remote code execution and persistent access. At its core, it embeds a Base64-encoded ASP.NET page. Upon activation, this embedded page exposes a “?cmd=” parameter, allowing an attacker to pass arbitrary system commands. The shell then dynamically decodes this input and spawns “cmd.exe /c <command>” to execute the supplied instruction.

Figure 4: Base64-encoded content

Crucially, it captures both standard output (STDOUT) and standard error (STDERR), wrapping the results in <pre> tags before sending them back to the requester. This provides the adversary with interactive console access over HTTP, enabling direct command-line interaction with the compromised server.

Figure 5: Decoded content

To maintain stealth and evade detection, especially in precompiled SharePoint environments, the web shell employs several advanced techniques.

It temporarily manipulates internal BuildManager flags using reflection. This allows it to bypass standard application precompilation checks and register a custom VirtualPathProvider. This VirtualPathProvider is key to its fileless-style operation, enabling the injection of the malicious page from memory or a non-standard location.

The injected page is then served under a seemingly legitimate SharePoint path, such as “/_layouts/15/ghostfile<random number>.aspx.” After executing the command via Server.Execute() and rendering the output, the web shell diligently restores the original BuildManager flags to minimize its footprint. Furthermore, it only surfaces exceptions within a custom Errors HTTP header, avoiding obvious error messages in the response body.

In essence, the web shell “GhostWebShell” is a lightweight, memory-resident command shell that expertly abuses SharePoint and ASP.NET internals for persistence, execution, and advanced evasion, making it a formidable tool for post-exploitation.
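As an added, defender-side example that is not part of the FortiGuard report: a small Python scanner that flags IIS W3C log entries matching the request shapes described in the sections above (the “spinstall0.aspx” file name, the “/_layouts/15/ghostfile<random number>.aspx” path, and a “cmd=” query parameter on an .aspx page). The log lines are constructed, and the field order is taken from the log's own #Fields directive, so the sample header should be adapted to whatever fields a real server logs.

```python
import re
# Constructed IIS W3C sample (not from the report); field order comes from #Fields.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2025-07-21 10:15:02 GET /_layouts/15/start.aspx - 200 10.0.0.5
2025-07-21 10:15:11 GET /_layouts/15/spinstall0.aspx - 200 198.51.100.23
2025-07-21 10:16:40 GET /_layouts/15/ghostfile48213.aspx cmd=d2hvYW1p 200 198.51.100.23
2025-07-21 10:16:41 GET /_layouts/15/GHOSTFILE7.ASPX cmd=aXBjb25maWc= 200 198.51.100.23
2025-07-21 10:17:05 GET /_layouts/15/settings.aspx - 200 10.0.0.7
"""

# Path shape described in the report: /_layouts/15/ghostfile<random number>.aspx
GHOSTFILE_RE = re.compile(r"^/_layouts/15/ghostfile\d+\.aspx$", re.IGNORECASE)
KNOWN_SHELL_NAMES = {"spinstall0.aspx"}  # file name from the known ToolShell attack

def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows

def suspicious_reasons(row):
    """List the web-shell indicators one request matches (empty list if none)."""
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "-")
    params = {p.split("=", 1)[0].lower() for p in query.split("&")} if query != "-" else set()
    reasons = []
    if GHOSTFILE_RE.match(stem):
        reasons.append("ghostfile path under /_layouts/15/")
    if stem.rsplit("/", 1)[-1].lower() in KNOWN_SHELL_NAMES:
        reasons.append("known ToolShell file name")
    if "cmd" in params and stem.lower().endswith(".aspx"):
        reasons.append("cmd= parameter on an .aspx page")
    return reasons

def scan_iis_log(text):
    """Return (client IP, URI stem, reasons) for every request hitting an indicator."""
    hits = []
    for row in parse_w3c(text):
        reasons = suspicious_reasons(row)
        if reasons:
            hits.append((row["c-ip"], row["cs-uri-stem"], reasons))
    return hits
```

Running `scan_iis_log` over the sample returns the three requests from 198.51.100.23 and nothing for the ordinary SharePoint pages; the matches are starting points for log review, not proof of compromise on their own.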

KeySiphon

KeySiphon first grabs the current “HttpContext,” clears pending server errors and response buffers, and quietly prepares a clean reply to avoid drawing attention. It then builds a plaintext reconnaissance report. Using “System.Environment,” it fingerprints the host: logical drive count and list, machine name, system and working directories, CPU core count, system uptime, user name, operating system, and CLR versions.

Figure 7: Collecting system information

KeySiphon loads “System.Web” at runtime and invokes the private “MachineKeySection.GetApplicationConfig()” method, exposing the application’s validation and decryption keys along with the chosen cryptographic modes. Possessing these secrets allows an attacker to forge authentication tokens, tamper with ViewState MACs for deserialization or data manipulation, and decrypt protected data within the same application domain.

Finally, it writes the entire intelligence bundle to the HTTP response and ends execution with “Response.End(),” ensuring that no legitimate page content follows.

Figure 8: Collect setting

Conclusion

Active exploitation proves that SharePoint remains a high-value target and that attackers can rapidly weaponize flaws to achieve remote code execution. FortiGuard Labs has released an IPS signature and blocked known IOCs. Users should combine rapid patching, layered network and endpoint detection, and rigorous log review to close this window of exposure.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

MSIL/Agent.NEM!tr
MSIL/Agent.EME!tr
HTML/MalWebshell.C434!tr
HTML/Webshell.231A!tr

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.

FortiGuard Labs provides an IPS signature against this attack:

MS.SharePoint.ToolShell.Remote.Code.Execution

We also suggest that organizations consider completing Fortinet’s free training module, Fortinet Certified Fundamentals (FCF) in Cybersecurity. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.

The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

IP


File



Source: https://feeds.fortinet.com/~/922174919/0/fortinet/blog/threat-research~Inside-The-ToolShell-Campaign