In mid-July 2025, the international cybersecurity community repeatedly reported dangerous attacks against on-premises Microsoft SharePoint servers. What is worrying is not just the severity of the flaws, but the fact that patched systems continue to be exploited.

Experts know this attack chain as ToolShell, a good example of how a small error in the patching process can open the door for attackers to take full control of a server.

According to analysis by the security firm Kaspersky, ToolShell is a sophisticated combination of multiple SharePoint vulnerabilities that allows attackers to execute code remotely without authentication.

CVE-2025-49704 and CVE-2025-49706 are the two flaws identified by researcher Đinh Hồ Anh Khoa of Viettel Cyber Security at the Pwn2Own Berlin 2025 contest. They were patched in the July 2025 Patch Tuesday update. Since then, Microsoft has released an additional security update intended to fully protect all affected SharePoint versions against CVE-2025-53770 and CVE-2025-53771.

According to Kaspersky statistics, the attackers targeted servers around the world, in Egypt, Jordan, Russia, Vietnam and Zambia.

During the analysis, Kaspersky obtained a copy of a POST request identified as carrying the malicious payload used in the attacks; sending a single such request to an affected SharePoint server was sufficient to execute the payload there.

Kaspersky's analysis shows that the exploit relies on the vulnerabilities remedied as CVE-2025-49704 and CVE-2025-49706 in the July 2025 Patch Tuesday update, but by changing just one byte in the request the researchers were able to bypass that patch.

Exploiting the vulnerabilities

Kaspersky's research started by analyzing a POST request associated with this wave of attacks on SharePoint servers.

Figure 1 shows that this POST request targets the endpoint "/_layouts/15/ToolPane.aspx" and carries two parameters: "MSOtlPn_Uri" and "MSOtlPn_DWP". Examining the code of ToolPane.aspx, the file itself contains few functions; most of its code lives in the ToolPane class of the Microsoft.SharePoint.WebPartPages namespace in Microsoft.SharePoint.dll.

Analyzing this class shows that its code works with the two parameters contained in the exploit request. However, under normal conditions this endpoint cannot be reached without first bypassing authentication on the targeted SharePoint server. This is where the first vulnerability, the Microsoft SharePoint Server spoofing flaw CVE-2025-49706, comes into play.

CVE-2025-49706

The vulnerability is in the PostAuthenticateRequestHandler method in Microsoft.SharePoint.dll. SharePoint requires Internet Information Services (IIS) to be configured in integrated mode. In this mode the IIS and ASP.NET authentication stages are merged. Consequently, the result of IIS authentication is not known until the PostAuthenticateRequest stage, by which time both the ASP.NET and IIS authentication methods have completed. The PostAuthenticateRequestHandler method therefore uses a series of flags to track potential authentication failures. A logic error in this method allows an authentication bypass if the "Referer" header of the HTTP request is set to "/_layouts/SignOut.aspx", "/_layouts/14/SignOut.aspx" or "/_layouts/15/SignOut.aspx".

In Figure 2, the code that handles the sign-out request is also triggered when the sign-out page is supplied as the Referer. When flag6 is set to false and flag7 to true, both conditional branches that could throw an "Unauthorized Access" exception are skipped.

On July 8, 2025, Microsoft released an update that addressed this vulnerability by introducing an additional check to detect use of the "ToolPane.aspx" endpoint with the sign-out page set as the Referer.

The additional check uses a case- and culture-insensitive comparison to verify whether the requested path ends in "ToolPane.aspx". Could this check be bypassed using a different endpoint? Kaspersky's testing showed that it can be bypassed easily.

CVE-2025-53771

Kaspersky bypassed the patch for CVE-2025-49706 by adding only one byte to the POST request while testing the exploit. To bypass it, the researchers simply appended a "/" to the requested "ToolPane.aspx" path.

On July 20, 2025, Microsoft released an update fixing this bypass (CVE-2025-53771). The patch replaced the "ToolPane.aspx" check with a check of whether the requested path is on a list of paths allowed to be used with the sign-out page as the Referer.

This allowlist includes the following paths: "/_layouts/15/SignOut.aspx", "/_layouts/15/1033/initstrings.js", "/_layouts/15/init.js", "/_layouts/15/theming.js", "/ScriptResource.axd", "/_layouts/15/blank.js", "/ScriptResource.axd" and "/WebResource.axd".
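The two checks described above (the July 8 "ends with ToolPane.aspx" test that a trailing slash defeats, and the July 20 allowlist of paths permitted with a sign-out Referer) translate directly into detection logic for IIS logs. The following is an added example written for this article, not Kaspersky's or Microsoft's code: it normalises the request path before comparing it, so "ToolPane.aspx/" and "ToolPane.aspx" are treated as the same endpoint, and scans constructed IIS W3C log lines for POSTs to ToolPane.aspx carrying a sign-out Referer, as well as any other request that pairs a sign-out Referer with a path outside the allowlist. The log lines, host name and field order are constructed for the example; the Referer values and allowlist come from the text above.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Referer values that the flawed PostAuthenticateRequestHandler logic treats as a sign-out
# (from the article, lower-cased for comparison).
SIGNOUT_REFERERS = {
    "/_layouts/signout.aspx",
    "/_layouts/14/signout.aspx",
    "/_layouts/15/signout.aspx",
}

# Paths the July 20 patch allows together with a sign-out Referer (the article's list).
ALLOWED_WITH_SIGNOUT_REFERER = {
    "/_layouts/15/signout.aspx",
    "/_layouts/15/1033/initstrings.js",
    "/_layouts/15/init.js",
    "/_layouts/15/theming.js",
    "/_layouts/15/blank.js",
    "/scriptresource.axd",
    "/webresource.axd",
}

TOOLPANE = "/_layouts/15/toolpane.aspx"


def weak_endpoint_check(path: str) -> bool:
    """A bare 'ends with ToolPane.aspx' test, case-insensitive. A request for
    'ToolPane.aspx/' slips past it, which is the one-byte CVE-2025-53771 bypass."""
    return path.lower().endswith("toolpane.aspx")


def normalise_path(path: str) -> str:
    """Decode, lower-case, collapse repeated slashes and strip trailing slashes so that
    'ToolPane.aspx/' and 'ToolPane.aspx' compare equal."""
    path = unquote(path).lower()
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/") or "/"


def referer_path(referer: str) -> str:
    """IIS logs the Referer as a full URL or '-'; reduce it to a normalised path."""
    if referer == "-":
        return ""
    return normalise_path(urlsplit(referer).path)


def classify_request(method: str, uri_stem: str, referer: str) -> Optional[str]:
    """Label a suspicious request, or return None when nothing stands out."""
    if referer_path(referer) not in SIGNOUT_REFERERS:
        return None                      # no sign-out Referer: the bypass does not apply
    path = normalise_path(uri_stem)
    if path in ALLOWED_WITH_SIGNOUT_REFERER:
        return None                      # legitimate resource loaded by the sign-out page
    if path == TOOLPANE and method.upper() == "POST":
        return "toolshell: POST to ToolPane.aspx with sign-out Referer"
    return "sign-out Referer on a path outside the allowlist"


# Default W3C field order; a '#Fields:' line in the log overrides it.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]

# Constructed sample log (hosts and addresses are documentation values, not real IoCs).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:01:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx/ - 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-18 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/15/SignOut.aspx 200
2025-07-18 10:02:11 10.0.0.5 GET /_layouts/15/init.js - 443 - 198.51.100.4 Mozilla/5.0 https://sp.example.test/_layouts/15/SignOut.aspx 200
2025-07-18 10:03:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 alice 198.51.100.4 Mozilla/5.0 - 200
2025-07-18 10:04:05 10.0.0.5 GET /sites/hr/default.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/15/SignOut.aspx 302
"""


def scan_iis_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, label) for every suspicious request in a W3C log."""
    hits: List[Tuple[int, str]] = []
    fields = FIELDS
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]    # honour the log's own field order
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        label = classify_request(row["cs-method"], row["cs-uri-stem"], row["cs(Referer)"])
        if label:
            hits.append((lineno, label))
    return hits


if __name__ == "__main__":
    for lineno, label in scan_iis_log(SAMPLE_LOG):
        print(f"line {lineno}: {label}")
```

Lines 2 and 3 of the sample are flagged as ToolShell attempts (the trailing slash on line 2 is exactly the byte that defeats `weak_endpoint_check`), line 6 is flagged because a sign-out Referer on an arbitrary site page is outside the patched allowlist, and lines 4 and 5 are left alone. Real detections should also join on the status code and the source address, since a 200 to ToolPane.aspx from an unauthenticated client is the combination that matters.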

When examining the CVE-2025-49706 bypass with the July 8 update installed on Kaspersky's SharePoint debugging platform, the researchers noticed something strange. Not only did the CVE-2025-49706 bypass succeed, the entire exploit chain did. But the attacker also relies on another vulnerability, the Microsoft SharePoint remote code execution flaw CVE-2025-49704, which was supposedly fixed in the same update, so why did it still work? To understand why the whole exploit chain still succeeded in this case, let's look at CVE-2025-49704 and how it was addressed.

CVE-2025-49704

CVE-2025-49704 is an untrusted-data deserialization vulnerability that exists because XML content is not properly validated. Looking at the exploit POST request, the researchers note that it contains two URL-encoded parameters, "MSOtlPn_Uri" and "MSOtlPn_DWP". How these are handled can be seen in the code of the GetPartPreviewAndPropertiesFromMarkup method in Microsoft.SharePoint.dll.

A quick analysis shows that "MSOtlPn_Uri" is a page URL that can point to any file in the CONTROLTEMPLATES directory, whereas "MSOtlPn_DWP" contains WebPart markup in a format very similar to XML.

Although this "XML" in the "MSOtlPn_DWP" parameter does not itself contain a security vulnerability, it allows an attacker to instantiate the ExcelDataSet control from Microsoft.PerformancePoint.Scorecards.Client.dll with its CompressedDataTable property set to a malicious payload, and to trigger processing of that payload through the DataTable property getter.

Reviewing the code of ExcelDataSet's DataTable property getter in Microsoft.PerformancePoint.Scorecards.Client.dll, the researchers found the GetObjectFromCompressedBase64String method, which is responsible for deserializing the contents of the CompressedDataTable property. The data is Base64-decoded, decompressed and passed to BinarySerialization.Deserialize in Microsoft.SharePoint.dll.

The attacker uses this method to supply a malicious DataSet whose contents are deserialized as shown in Fig. 9; it contains XML with an element of the malicious type "System.Collections.Generic.List`1[[System.Data.Services.Internal.ExpandedWrapper`2[…], System.Data.Services, Version=4.0.0, Culture=neutral, PublicKeyToken=

Normally this should not be possible, because BinarySerialization.Deserialize in Microsoft.SharePoint.dll uses a special XmlValidator designed to protect against this technique: it checks the types of all elements present in the supplied XML and ensures they are on the list of allowed types. However, the exploit bypasses this check by nesting the ExpandedWrapper type inside a List.

Now, to understand why the exploit works on Kaspersky's SharePoint debugging platform, let's look at how this vulnerability was fixed. In the Patch Tuesday update, Microsoft did not actually fix the bug, only mitigated it, by adding a new AddExcelDataSetToSafeControls class to the Microsoft.SharePoint.Upgrade namespace. This class contains new code that modifies web.config files and marks the Microsoft.PerformancePoint.Scorecards.ExcelDataSet control as unsafe.

Because SharePoint does not run this code by itself after the update is installed, the only way to get the protection is to run the configuration upgrade manually with the SharePoint Products Configuration Wizard. Notably, the security advisory for CVE-2025-49704 does not mention the need for this step, which means at least some SharePoint administrators may skip it. Anyone who installed this update but did not run the manual configuration upgrade remained exposed to attack.
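Because the July 8 mitigation only takes effect once the upgrade step has rewritten web.config, an administrator can verify whether it actually ran by inspecting the SafeControls section of each web application's web.config. The following is an added example, not code from Kaspersky or Microsoft: it parses a constructed web.config fragment and reports whether an explicit SafeControl entry marks ExcelDataSet as Safe="False". The SafeControls element and its attribute names are SharePoint's standard web.config format; the assumption that an explicit TypeName entry takes precedence over a TypeName="*" wildcard, the assembly Version and the PublicKeyToken placeholder are the example's own and not taken from the article.

```python
import xml.etree.ElementTree as ET

NAMESPACE = "Microsoft.PerformancePoint.Scorecards"
TYPE_NAME = "ExcelDataSet"

# Constructed web.config fragment representing a server that installed the July 8 update
# but never ran the configuration upgrade: only a wildcard entry for the namespace exists.
# Version and PublicKeyToken are placeholders, not the real assembly values.
BEFORE_UPGRADE = """<configuration>
  <SharePoint>
    <SafeControls>
      <SafeControl Assembly="Microsoft.SharePoint, Version=16.0.0.0, Culture=neutral, PublicKeyToken=PLACEHOLDER"
                   Namespace="Microsoft.SharePoint.WebPartPages" TypeName="*"
                   Safe="True" AllowRemoteDesigner="True" SafeAgainstScript="False" />
      <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, Culture=neutral, PublicKeyToken=PLACEHOLDER"
                   Namespace="Microsoft.PerformancePoint.Scorecards" TypeName="*"
                   Safe="True" AllowRemoteDesigner="True" SafeAgainstScript="False" />
    </SafeControls>
  </SharePoint>
</configuration>
"""

# The kind of entry the upgrade step is described as adding: ExcelDataSet explicitly unsafe.
EXCEL_DATASET_UNSAFE_ENTRY = (
    '      <SafeControl Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, '
    'Culture=neutral, PublicKeyToken=PLACEHOLDER" Namespace="Microsoft.PerformancePoint.Scorecards" '
    'TypeName="ExcelDataSet" Safe="False" AllowRemoteDesigner="False" SafeAgainstScript="False" />\n'
)

AFTER_UPGRADE = BEFORE_UPGRADE.replace(
    "    </SafeControls>", EXCEL_DATASET_UNSAFE_ENTRY + "    </SafeControls>"
)


def safe_control_entries(config_xml: str):
    """Return the SafeControl elements under <configuration><SharePoint><SafeControls>."""
    root = ET.fromstring(config_xml)
    return root.findall("./SharePoint/SafeControls/SafeControl")


def excel_dataset_status(config_xml: str) -> str:
    """'unsafe'   : an explicit ExcelDataSet entry has Safe="False" (mitigation present)
       'safe'     : ExcelDataSet is allowed, explicitly or through a TypeName="*" wildcard
       'unlisted' : no entry covers it at all
    Assumption (not from the article): an explicit TypeName entry overrides the wildcard."""
    wildcard_safe = False
    for entry in safe_control_entries(config_xml):
        if entry.get("Namespace") != NAMESPACE:
            continue
        type_name = entry.get("TypeName", "")
        is_safe = entry.get("Safe", "True").lower() == "true"
        if type_name == TYPE_NAME:
            return "safe" if is_safe else "unsafe"
        if type_name == "*" and is_safe:
            wildcard_safe = True
    return "safe" if wildcard_safe else "unlisted"


def mitigation_applied(config_xml: str) -> bool:
    """True only when the web.config carries the explicit Safe="False" entry."""
    return excel_dataset_status(config_xml) == "unsafe"


if __name__ == "__main__":
    for name, cfg in (("before upgrade", BEFORE_UPGRADE), ("after upgrade", AFTER_UPGRADE)):
        print(f"{name}: ExcelDataSet is {excel_dataset_status(cfg)}; "
              f"mitigation applied = {mitigation_applied(cfg)}")
```

On a real farm the check has to be run against the web.config of every web application (and every zone's IIS site), because each has its own SafeControls section; a "safe" result on any of them means the July 8 mitigation never took effect there, which is precisely the state Kaspersky found on its debugging platform.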

CVE-2025-53770

On July 20, 2025, Microsoft released an update containing the patch for CVE-2025-53770. This patch introduces an updated XmlValidator that now correctly validates element types in the XML, prevents exploitation of the vulnerability without a configuration upgrade and, more importantly, addresses the root cause, so that the vulnerability can no longer be exploited through controls other than Microsoft.PerformancePoint.Scorecards.ExcelDataSet.

CVE-2020-1147

Many researchers familiar with previous SharePoint exploits may notice that CVE-2025-49704, CVE-2025-53770 and the exploit used by the attackers look very similar to the .NET Framework, SharePoint Server and Visual Studio remote code execution vulnerability CVE-2020-1147. In fact, comparing CVE-2020-1147 with CVE-2025-49704/CVE-2025-53770 shows that they are almost identical. The only difference is that the exploit for CVE-2025-49704/CVE-2025-53770 nests the dangerous ExpandedWrapper object inside a List. In effect, CVE-2025-53770 is a bypass of the patch for CVE-2020-1147.

Although patches for the ToolShell vulnerabilities are now available, the researchers expect this exploit chain to keep being used by attackers for a long time. Kaspersky has observed the same with other vulnerabilities such as ProxyLogon, PrintNightmare and EternalBlue: although they have been known for years, many threat actors still use them to break into unpatched systems.

To be better protected against threats such as ToolShell, organizations should keep in mind that the speed at which security patches are deployed is the most important factor in dealing with vulnerabilities. Because serious vulnerabilities like these are often exploited publicly as soon as they are disclosed, it is important to install patches as soon as they become available.