Advanced Attack Analysis
Proactive Detection in Action: The SharePoint Exploit We Blocked Before Microsoft Did

AST Team
August 6, 2025
Summary

In this post, we break down a critical SharePoint vulnerability that was actively exploited in the wild — and how we detected and blocked it weeks before public disclosure. By analyzing malicious requests to endpoints like /_layouts/15/toolpane.aspx, our systems identified the exploit in May 2025, well before Microsoft’s advisory was released on July 8th. This case highlights the power of proactive detection and why it’s core to everything we do at AST.

Understanding the Exploit

The exploit we observed in the wild in early 2025 leveraged a vulnerability within Microsoft SharePoint’s internal page handling, specifically targeting components accessible via the /_layouts/ virtual directory and the toolpane.aspx page.

These endpoints are part of SharePoint’s core structure and are responsible for rendering configuration panels and internal web parts for site editors and administrators. Under certain conditions, attackers were able to abuse these endpoints to gain elevated privileges without proper authentication.

  • **/_layouts/15/toolpane.aspx**
  • Other internal _layouts endpoints handling personalization and user context.

These pages are normally used to configure web parts and site layout, but the vulnerability allowed attackers to manipulate how SharePoint handled user context and permission inheritance during page rendering.


What Made This Exploit Dangerous

  • The attack required no user interaction, as the malicious requests were sent directly to the vulnerable endpoints.
  • The exploit abused legitimate SharePoint functionality, making it extremely stealthy and hard to detect via conventional security tools.
  • Token manipulation or misconfigured access control could allow attackers to impersonate high-privilege users when accessing the toolpane.aspx logic.

In many environments, /_layouts/toolpane.aspx was publicly reachable due to misconfigured perimeter security or legacy publishing setups — dramatically increasing exposure.

Timeline of Exploitation Attempts – Before and After Disclosure

Our telemetry began capturing malicious requests targeting SharePoint’s /_layouts/15/toolpane.aspx endpoint as early as May 2025. At the time, the activity was sparse and targeted — indicating limited, possibly manual exploitation by sophisticated actors.

However, throughout June and July, we recorded a steady increase in scanning and exploitation attempts, with a clear spike occurring immediately after July 8th, 2025 — the day Microsoft publicly disclosed the vulnerability and released a security advisory.
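A detection sketch for the two points above (unauthenticated hits on the toolpane endpoint, and how their volume shifts around the July 8th disclosure). This is an added illustration, not AST's detection engine; the log format is a constructed IIS-style layout and the log lines are made up, not real telemetry.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not real telemetry). Fields, IIS W3C style:
# date time c-ip cs-method cs-uri-stem cs-username sc-status
SAMPLE_LOG = """\
2025-05-14 03:12:07 203.0.113.7 POST /_layouts/15/toolpane.aspx - 200
2025-05-14 03:12:09 203.0.113.7 POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit - 200
2025-06-02 11:40:21 198.51.100.9 GET /_layouts/15/toolpane.aspx CORP\\editor 200
2025-06-18 22:05:44 203.0.113.7 POST /_layouts/15/toolpane.aspx - 401
2025-07-09 00:01:13 192.0.2.55 POST /_layouts/15/toolpane.aspx - 200
2025-07-09 00:01:14 192.0.2.56 POST /_layouts/15/toolpane.aspx - 200
2025-07-09 00:02:30 192.0.2.57 GET /sites/hr/default.aspx - 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Match the endpoint with or without the version segment, any letter case.
TOOLPANE_RE = re.compile(r"^/_layouts/(\d+/)?toolpane\.aspx$", re.IGNORECASE)
DISCLOSURE = datetime(2025, 7, 8)  # Microsoft advisory date stated in the post


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, method, uri, user, status = m.groups()
    return {
        "ts": datetime.fromisoformat(f"{date} {time}"),
        "ip": ip,
        "method": method,
        "path": uri.split("?", 1)[0],  # drop the query string before matching
        "user": None if user == "-" else user,
        "status": int(status),
    }


def is_suspicious(rec):
    """A toolpane.aspx request carrying no authenticated identity is an attempt,
    whether or not the server answered it with 200."""
    return TOOLPANE_RE.match(rec["path"]) is not None and rec["user"] is None


def analyze(log_text):
    """Flag suspicious requests and bucket them per month and around disclosure."""
    hits = [r for r in map(parse_line, log_text.splitlines()) if r and is_suspicious(r)]
    by_month = Counter(r["ts"].strftime("%Y-%m") for r in hits)
    before = sum(1 for r in hits if r["ts"] < DISCLOSURE)
    return {"hits": hits, "by_month": dict(by_month),
            "before_disclosure": before, "after_disclosure": len(hits) - before,
            "sources": sorted({r["ip"] for r in hits})}
```

The authenticated editor's GET in June is left alone, while the 401 in June is still counted as an attempt, since the timeline is about attacker activity rather than server outcomes.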

[Figures: activity charts for May 2025, June 2025 and July 2025, followed by a screenshot of the malicious requests for this exploit; images not included in this extract.]

Conclusion: Why Proactive Defense Matters More Than Ever

While the broader cybersecurity industry reacted to the SharePoint exploit after its public disclosure on July 8th, our systems had already been detecting — and blocking — exploitation attempts weeks earlier. Thanks to our behavioral analytics, custom detection logic, and continuous monitoring across client environments, we identified the attack pattern back in May 2025, long before any CVE was published or patch was released.

Every client under our protection was fully shielded from the impact of this vulnerability, with mitigation measures automatically applied through our detection engine and response framework. No data was compromised, no systems were breached — because the threat was stopped before it had the chance to escalate.

This incident highlights what we believe is the future of cybersecurity: proactive, intelligence-driven defense. Waiting for official advisories or relying solely on signature-based detection is no longer enough. Threat actors move fast — often faster than vendors or public disclosures — and the only way to stay ahead is to detect behavior before it becomes a headline.

At AST, this approach isn’t just a feature — it’s our foundation. It’s what sets us apart from traditional security providers. We don’t just react to known threats — we discover them before they’re known.
