SharePoint Under Siege: Why Microsoft Patches Aren’t Enough and What You Need to Do Now
Over 80% of organizations running on-premises SharePoint servers may still be exposed to a critical exploit chain, despite Microsoft releasing a patch two weeks ago. This isn’t a case of slow patching: the initial fix was incomplete, and attackers have been using the bypass to gain deep access to sensitive data. Because the exploit needs no credentials at all, multi-factor authentication and single sign-on never come into play. The situation highlights a growing trend: increasingly sophisticated attacks targeting widely used enterprise software, and the limits of relying solely on vendor-supplied patches.
The ToolShell Threat: How Attackers Are Gaining Access
The exploit chain, dubbed ToolShell and tracked as CVE-2025-49706 (an authentication bypass) and CVE-2025-49704 (code execution once past it), targets SharePoint’s ToolPane.aspx page under /_layouts/15/. Attackers send a specially crafted, unauthenticated POST request to that page with the Referer header set to /_layouts/SignOut.aspx, and use the resulting code execution to drop a malicious page, typically named spinstall0.aspx, spinstall.aspx, or a similar variation, into the server’s LAYOUTS directory. Rather than a conventional command shell, this page reads the server’s ASP.NET MachineKey configuration (the ValidationKey and DecryptionKey) and returns it to the attacker, essentially handing over the keys to the kingdom: with those keys the attacker can sign their own __VIEWSTATE payloads and obtain code execution on demand, without needing the dropped page any more.
Once inside, the impact is severe. Attackers aren’t just grabbing data; they’re establishing persistence that survives ostensible cleanup, because the stolen machine keys remain valid after the web shell is deleted and even after the patch is applied unless the keys are rotated. From there they can steal credentials, escalate to administrative control of the farm, and exfiltrate sensitive information. That all of this happens despite MFA and SSO being in place is particularly alarming, but the reason is simple: the exploit never authenticates, so those controls are never consulted.
Understanding the Attack Chain
The attack unfolds in a series of steps:
- Initial Access: An unauthenticated POST to /_layouts/15/ToolPane.aspx (DisplayMode=Edit) with a spoofed Referer of /_layouts/SignOut.aspx, exploiting CVE-2025-49706 and CVE-2025-49704 together.
- Webshell Deployment: The exploit writes a page such as spinstall0.aspx into the LAYOUTS directory, which the attacker then fetches over HTTP.
- Key Theft: The page returns the ASP.NET MachineKey (ValidationKey and DecryptionKey); with these the attacker can forge validly signed ViewState and re-enter at will.
- Privilege Escalation: Code runs under the SharePoint web application’s own identity without any user logon, so no MFA or SSO prompt is ever involved; from there the attacker pivots to farm administration and domain credentials.
- Data Exfiltration & Persistence: Stealing sensitive data and deploying additional backdoors alongside the stolen keys.
Beyond Patching: A Multi-Layered Defense
Applying the out-of-band update Microsoft released on Saturday is the critical first step, but on its own it is not sufficient: a server that was compromised before the update still has its machine keys in attacker hands, and patching does not invalidate them. The delayed discovery that the original fix was incomplete also underscores the need for proactive threat hunting and continuous monitoring. Patching and hoping for the best is no longer a viable security strategy.
Organizations running on-premises SharePoint servers must immediately:
- Verify Patch Application: Confirm the emergency update has been successfully installed on every server in the farm, including those that are not Internet-facing.
- Rotate Machine Keys: After patching, rotate the ASP.NET machine keys (via Central Administration or the Update-SPMachineKey cmdlet) and restart IIS on every server. Microsoft lists this as a required step, not an optional one, because a previously stolen key otherwise keeps working after the patch.
- Harden the Request Path: Ensure AMSI integration is enabled for SharePoint and an antimalware engine such as Microsoft Defender Antivirus is running on the servers; Microsoft lists this as the interim mitigation for servers that cannot be patched immediately.
- Log Analysis: Thoroughly review IIS and system event logs for indicators of compromise (IOCs), in particular POST requests to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx, and GET requests for spinstall*.aspx. Resources from Microsoft, Eye Security (https://eyesec.github.io/malware-analysis/2024/02/03/sharepoint-webshell/), the US Cybersecurity and Infrastructure Security Agency (CISA), SentinelOne, Akamai, Tenable, and Palo Alto Networks provide valuable IOC information.
- Webshell Detection: Scan for suspicious files, particularly those named spinstall*.aspx, in the LAYOUTS directory under the SharePoint web server extensions tree (TEMPLATE\LAYOUTS); that is where the dropped page lands, not in any ToolPane directory. Treat any .aspx file there that reads the machine key section as hostile.
- Token and Key Monitoring: Watch for unusual token activity and credential usage, and assume any ViewState signed with the pre-rotation keys is attacker traffic.
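The following script, added here as an example and not taken from the article or from any vendor’s tooling, implements the two hunts the list above asks for: it pulls the ToolShell request signature from the attack chain (an unauthenticated POST to ToolPane.aspx with a SignOut.aspx Referer, followed by a fetch of spinstall*.aspx) out of IIS W3C logs, and it walks a LAYOUTS tree looking for the dropped page by name and by the machine-key access the page needs to do its job. The log lines and files it runs against are constructed for the demonstration; the regular expressions and the `demo` helper are this example’s own choices, and the content heuristic is an assumption that no legitimate SharePoint page in LAYOUTS reads the machine key section.

```python
"""Hunt for ToolShell indicators: exploit-shaped requests in IIS W3C logs and
MachineKey-dumping pages in the SharePoint LAYOUTS tree.

Added example; not from the page or from any vendor tooling. The IOC shapes
follow public reporting; the regexes and heuristics are this example's own."""
import os
import re
import tempfile

# Exploit request: POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a
# Referer of /_layouts/SignOut.aspx (the spoofed header is what lets the
# request through unauthenticated).
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx$", re.I)
# Attacker fetching the dropped page from LAYOUTS.
WEBSHELL_URI_RE = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx$", re.I)
WEBSHELL_NAME_RE = re.compile(r"^spinstall\d*\.aspx$", re.I)
# Assumption: nothing SharePoint ships in LAYOUTS reads the machine key
# section, so a page that does is treated as hostile.
MACHINEKEY_RE = re.compile(r"MachineKeySection|ValidationKey|DecryptionKey", re.I)


def hunt_iis_log(lines):
    """Return (reason, client_ip, uri_stem) for each ToolShell-shaped request.

    `lines` is an iterable of IIS W3C extended log lines. The #Fields header
    is used to locate columns, so the log's field order does not matter."""
    fields, hits = None, []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        rec = dict(zip(fields, parts))
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "").lower()
        referer = rec.get("cs(Referer)", "")
        if (method == "POST" and TOOLPANE_RE.search(stem)
                and "displaymode=edit" in query and SIGNOUT_RE.search(referer)):
            hits.append(("toolpane-exploit-post", rec.get("c-ip"), stem))
        elif method == "GET" and WEBSHELL_URI_RE.search(stem):
            hits.append(("webshell-fetch", rec.get("c-ip"), stem))
    return hits


def hunt_layouts(root):
    """Walk a LAYOUTS tree; return (path, [reasons]) for suspicious .aspx files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if WEBSHELL_NAME_RE.match(name):
                reasons.append("known webshell filename pattern")
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if MACHINEKEY_RE.search(fh.read()):
                        reasons.append("reads ASP.NET machine key")
            except OSError:
                continue
            if reasons:
                findings.append((path, reasons))
    return findings


# Constructed sample log (not from any real incident). Line 4 is a normal,
# authenticated page edit with an ordinary Referer and must not be flagged.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:11:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-18 22:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 22:12:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 22:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.21 Mozilla/5.0 https://sp.corp.example/sites/hr 200
"""


def demo():
    """Run both hunts over constructed data; returns (log_hits, file_findings)."""
    log_hits = hunt_iis_log(SAMPLE_IIS_LOG.splitlines())
    with tempfile.TemporaryDirectory() as root:
        layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")
        os.makedirs(layouts)
        # Benign page: ordinary name, no machine-key access.
        with open(os.path.join(layouts, "error.aspx"), "w") as fh:
            fh.write('<%@ Page Language="C#" %><html><body>Error</body></html>')
        # Stand-in for the dropped page: only the tell-tale identifier, inside
        # a server-side comment, so nothing executable is written to disk.
        with open(os.path.join(layouts, "spinstall0.aspx"), "w") as fh:
            fh.write('<%@ Page Language="C#" %><%-- MachineKeySection --%>')
        file_findings = hunt_layouts(root)
    return log_hits, file_findings


if __name__ == "__main__":
    hits, findings = demo()
    for hit in hits:
        print("LOG ", *hit)
    for path, reasons in findings:
        print("FILE", path, "; ".join(reasons))
```

On a real server, point `hunt_iis_log` at the W3C logs under the site’s log directory and `hunt_layouts` at the TEMPLATE\LAYOUTS folder; a hit on the exploit POST from before the patch date means the machine keys must be treated as stolen and rotated regardless of whether the dropped page is still present.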
The Future of Enterprise Software Security
This incident is a stark reminder of the evolving threat landscape. We’re seeing a shift towards more targeted attacks exploiting known vulnerabilities in widely-used software. The speed at which attackers are adapting and finding ways around security measures is increasing, and the reliance on reactive patching is becoming increasingly unsustainable.
Looking ahead, several trends are likely to accelerate:
- Increased Attack Surface: The proliferation of cloud services and remote work environments expands the attack surface, creating more opportunities for exploitation.
- Supply Chain Attacks: Attackers will increasingly target software supply chains to compromise multiple organizations simultaneously.
- AI-Powered Attacks: Artificial intelligence will be used to automate attack processes, identify vulnerabilities, and evade detection.
- Zero Trust Architectures: Organizations will need to adopt zero trust security models, which assume that no user or device is inherently trustworthy.
The SharePoint vulnerability isn’t just a Microsoft problem; it’s a symptom of a broader systemic challenge. Organizations must move beyond a reactive security posture and embrace a proactive, layered approach that prioritizes continuous monitoring, threat intelligence, and robust incident response capabilities. What steps is your organization taking to prepare for the next wave of sophisticated attacks? Share your thoughts in the comments below!