ToolShell under control, with SharePoint Online

In July 2025, a zero-day vulnerability affected hundreds of on-premises SharePoint servers around the world and allowed their cryptographic keys to be stolen. In just a few hours, the 'ToolShell' exploit put the security of many organizations at risk. Dev4Side was among the first to intervene. Thanks to a proactive approach and an automated response framework, we secured all of our customers within 24 hours. Here's how it went.


The customers' problem: outdated SharePoint infrastructures that expose business data

The SharePoint ecosystem has been shaken by a global zero-day attack that goes by the name of ToolShell (CVE-2025-53770).

This vulnerability allowed criminal groups to compromise on-premises SharePoint servers around the world with a single unauthenticated POST request, and then to:

  • gain remote code execution on the server;
  • install persistent web shells;
  • steal the ASP.NET machine keys on which the server's security rests.

The problem therefore did not concern a single customer, but an entire category of companies still tied to on-premises SharePoint infrastructures. Moreover, the official patches alone were not enough: without a timely rotation of the ASP.NET machine keys, an attacker who had already stolen them could keep access even after the update.

Overnight, many of our customers found themselves facing a situation far beyond their means:

  • 85+ organizations had already been compromised at the time of public disclosure, a sign of the speed and severity of the attack;
  • fragmented infrastructures to manage, often mixing several SharePoint versions with legacy environments that are no longer supported;
  • absence of defense tools capable of counteracting the threat, such as Microsoft Defender for Endpoint, Conditional Access, or AMSI in Full Mode;
  • uneven patch levels, which made it difficult to apply the emergency updates;
  • no automation for managing the cryptographic keys, which would let attackers keep prolonged access to corporate data.

In addition, several companies were still running older versions such as SharePoint 2010 and 2013, which are out of support and no longer receive security updates at all.

For these infrastructures, the only solution was to migrate to SharePoint Online.

Despite the confusion among companies and IT departments, the ToolShell attack made it immediately clear that the security of SharePoint environments can no longer rest on traditional on-premises models.

SharePoint ToolShell: what it is and how the incident happened

ToolShell (CVE-2025-53770) is a zero-day vulnerability that affected the on-premises versions of SharePoint Server 2016, 2019 and Subscription Edition, allowing remote code execution without authentication.

The attack relied on a crafted request to an internal SharePoint page (ToolPane.aspx) that bypassed the authentication controls by posing as legitimate access.

Once inside the system, the attacker can:

  • upload a web shell, a malicious file that gives remote control of the server, directly into a system folder;
  • steal the ASP.NET machine keys, the cryptographic keys used to sign and encrypt the tokens that protect the communications and identity of the users of the corporate digital workplace;
  • keep access even after the patches are installed, by using the stolen keys to forge valid requests, unless the keys are regenerated.

What makes ToolShell so dangerous is that it can hit any SharePoint server exposed to the internet, regardless of its configuration and without any mistake on the part of the users.

In practice, a server that is online and not yet patched is all it takes.
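The request pattern described above, an unauthenticated POST to ToolPane.aspx, leaves a trace in the IIS logs of every SharePoint front end. The following PowerShell is an added example written for this article, not tooling from the original page or from Dev4Side: it parses IIS W3C log lines (the three sample lines are constructed, not taken from a real server) and returns the POSTs to ToolPane.aspx that carry no authenticated user. The Referer check is a publicly documented indicator of this exploit chain rather than something the article states, and the log path in the comment is only the IIS default.

```powershell
# Constructed IIS W3C sample, not a real log. The field layout is the IIS default.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\alice 10.0.2.14 Mozilla/5.0 - 200 0 0 45
2025-07-18 14:02:13 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 python-requests/2.32 https://sp.contoso.local/_layouts/SignOut.aspx 200 0 0 312
2025-07-18 15:10:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.2.30 Mozilla/5.0 https://sp.contoso.local/sites/hr/SitePages/Home.aspx 200 0 0 88
'@

function Find-UnauthenticatedToolPanePosts {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $fields = $null
    foreach ($line in $LogLines) {
        # The #Fields: directive defines the column order and can change mid-file.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # The pattern from the article: a POST to ToolPane.aspx with no authenticated user ("-").
        $toolPane = $row['cs-uri-stem'] -match '(?i)/_layouts/(\d+/)?ToolPane\.aspx$'
        if ($toolPane -and $row['cs-method'] -eq 'POST' -and $row['cs-username'] -eq '-') {
            [pscustomobject]@{
                Time           = "$($row['date']) $($row['time'])"
                ClientIp       = $row['c-ip']
                Query          = $row['cs-uri-query']
                Referer        = $row['cs(Referer)']
                Status         = $row['sc-status']
                # Publicly documented marker of the ToolShell chain; not taken from the article.
                SignOutReferer = [bool]($row['cs(Referer)'] -match '(?i)/_layouts/SignOut\.aspx')
            }
        }
    }
}

$lines = $sampleLog -split "`r?`n"
# On a real front end: Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex250718.log' (the site ID differs per web application)
Find-UnauthenticatedToolPanePosts -LogLines $lines | Format-Table -AutoSize
```

The third sample line is a legitimate, authenticated web-part edit and is deliberately dropped by the filter, which is the false positive a naive search for "ToolPane.aspx" would raise. Treat the result as a first pass only: once the machine keys have been stolen, forged requests can carry a valid user, so an empty result is not proof that the server is clean.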

The first exploitation was detected on July 7, 2025.

Within a few days, an exploit was published on GitHub and began to spread rapidly.

On July 19, Microsoft confirmed the attack and assigned the official CVEs.

The emergency patches, however, were released only on July 21, when more than 85 organizations had already been compromised.

Our solution: migration to a secure infrastructure, with SharePoint Online

When Microsoft confirmed ToolShell, our team was already operational. Thanks to an automated response framework and a deep understanding of SharePoint environments, we secured all our customers in less than 24 hours.

Our intervention was divided into several phases, coordinated by a tried and tested emergency playbook:

  • distributing the patches with PowerShell Remoting, which let us update every managed server remotely, without touching each one by hand;
  • immediate rotation of the ASP.NET machine keys, the keys that protect user identity and the integrity of corporate communications. If compromised, they let an attacker re-enter the system even after the update;
  • full forensic analysis with Microsoft Defender and targeted KQL queries, to verify that no malicious files or suspicious activity remained on the systems;
  • a personalized executive briefing for each customer, with a clear report on the state of the infrastructure, the residual risks and the recommended security actions.
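As an added example of the playbook steps above (not Dev4Side's own framework), the PowerShell below runs three of them from a management host over PowerShell Remoting: it reports each farm server's build against a minimum you supply, lists .aspx files written into the LAYOUTS system folder after the attack window, and, only once the whole farm is patched, rotates the ASP.NET machine keys once per web application and restarts IIS everywhere. The server names, credential, minimum build number and cutoff date are placeholders to fill in; the rotation cmdlets are the SharePoint Management Shell ones, to be confirmed with Get-Help on your build; CredSSP is used because farm cmdlets must reach the configuration database from the remote host (the classic second hop).

```powershell
# Placeholders: adapt to your farm.
$servers      = 'SP-WFE01', 'SP-WFE02', 'SP-APP01'   # hypothetical server names
$farmAdmin    = Get-Credential -Message 'Farm administrator with shell access'
$minimumBuild = [version]'16.0.0.0'                  # replace with the build of the July 2025 security update for your edition
$cutoff       = Get-Date '2025-07-07'                # first exploitation observed, per the timeline above
$remoting     = @{ Credential = $farmAdmin; Authentication = 'Credssp' }  # farm cmdlets need the second hop to SQL

# 1. Patch state and web-shell sweep, on every server.
$audit = {
    param([version]$MinimumBuild, [datetime]$Cutoff)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    $build   = (Get-SPFarm).BuildVersion   # farm-wide value; per-server binaries are shown by Get-SPProduct -Local
    $layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    # Web shells land as .aspx files in the LAYOUTS system folder; anything written after the cutoff needs a human look.
    $newAspx = Get-ChildItem -Path $layouts -Filter *.aspx -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Cutoff } |
        Select-Object FullName, LastWriteTime, Length
    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Build   = $build.ToString()
        Patched = ($build -ge $MinimumBuild)
        NewAspx = @($newAspx)
    }
}
$report = Invoke-Command -ComputerName $servers @remoting -ScriptBlock $audit -ArgumentList $minimumBuild, $cutoff
$report | Format-List

# 2. Rotate keys only when the whole farm is patched: rotating on a still-vulnerable server just hands the attacker the new keys.
$unpatched = @($report | Where-Object { -not $_.Patched })
if ($unpatched.Count -eq 0) {
    $rotate = {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
        foreach ($wa in Get-SPWebApplication) {
            Set-SPMachineKey    -WebApplication $wa   # generate new key material for this web application
            Update-SPMachineKey -WebApplication $wa   # write it into web.config on every server of the farm
            $wa.Url
        }
    }
    # Rotation is farm-wide, so it runs on a single server...
    $rotatedUrls = Invoke-Command -ComputerName $servers[0] @remoting -ScriptBlock $rotate
    # ...then IIS is restarted everywhere so that the old keys stop being accepted.
    Invoke-Command -ComputerName $servers @remoting -ScriptBlock { & iisreset.exe /noforce | Out-Null }
    "Rotated machine keys for: $($rotatedUrls -join ', ')"
} else {
    "Unpatched servers present ($($unpatched.Server -join ', ')); patch first, then rerun."
}
```

The order matters: patching first, then rotating, then restarting IIS. A server that still exposes the vulnerability after a rotation simply leaks the fresh keys, and an IIS that has not been restarted keeps accepting tokens signed with the old ones, which is exactly the persistence the article warns about.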

However, we did not stop at managing the emergency.

We turned the crisis into an opportunity to accelerate the transition to a more resilient SharePoint environment, and proposed to each customer a migration path to SharePoint Online in three supported phases:

  • Assessment and preparation: we map the existing content, analyze dependencies and set up a test environment to rehearse the migration;
  • Migration and hardening: we transfer the data with certified tools (primarily ShareGate) and enable advanced security features such as multi-factor authentication, data loss prevention (DLP) and access control through Conditional Access;
  • Optimization and training: we decommission the on-premises servers and run workshops to help users get familiar with the new cloud environment.

Thanks to the cloud, our customers now operate on a more secure platform, with an average 42% reduction in total infrastructure management costs and peaks above 90% in some cases.

And that was only the first noteworthy result.

We'll talk more about it in the next section.

The results obtained

While the whole sector was in a state of emergency, Dev4Side was able to give its customers full and timely protection.

Even as the count of companies compromised at public disclosure kept growing, none of the companies we manage was breached.

This result was possible thanks to a methodical intervention that allowed us to:

  • distribute the patches within 2 hours of Microsoft's official release;
  • complete the forensic analysis within 24 hours;
  • rotate the machine keys immediately, invalidating any that might have been stolen;
  • provide immediate support, with personalized executive briefings.

But other important results have emerged in the medium term. Thanks to the migration path to SharePoint Online, in fact, our customers were able to:

  • completely eliminate the attack surface tied to the exposed servers;
  • reduce operating costs by an average of 42%, thanks to the adoption of the cloud;
  • increase the level of security of the infrastructure underlying the digital workplace;
  • simplify governance, centralizing content and identity management in a single platform integrated with Microsoft 365.

Let's look at the data collected on a reference infrastructure (5 servers, 5,000 users), one of the cases at the top of the savings range.

Cost item                          | SharePoint on-prem | SharePoint Online | Savings
-----------------------------------|--------------------|-------------------|-----------------------
Server licenses and CALs           | $240,000/year      | $0                | $240,000/year
Hardware / hosting                 | $180,000/year      | Included          | $180,000/year
Labor for patching and management  | $110,000/year      | $27,000/year      | $83,000/year
Incident response reserve          | $75,000/year       | $15,000/year      | $60,000/year
Annual total                       | $605,000/year      | $42,000/year      | $563,000/year (~93%)

Modern Work

The Modern Work team specializes in developing and integrating custom solutions across the entire Microsoft 365 ecosystem. We design native applications for Microsoft and Azure platforms, and we implement business processes that maximize the return on investment in Microsoft 365.