ToolShell: From Pwn2Own Demo to the Worst SharePoint Zero-Day in History
ID: 79bc5a16-fa9a-565d-b385-f54a93331239
STIX ID: report--79bc5a16-fa9a-565d-b385-f54a93331239
Feed Name: NoHackie
ToolShell is a critical SharePoint vulnerability chain (multiple CVEs) that allowed unauthenticated HTTP POST exploitation to achieve RCE and steal ASP.NET machine keys, enabling persistent forged ViewState access; it was demonstrated at Pwn2Own and rapidly weaponized in the wild by Chinese-linked groups, leading to mass compromise (400+ organizations) and ransomware deployments (Warlock, 4L4MD4R). The report provides a detailed timeline, technical analysis of the exploit chain (auth bypass via Referer/path traversal, .NET deserialization using ExpandedWrapper and TypeConfuseDelegate), IOCs, and prescriptive remediation (patch, rotate machine keys, restart IIS, hunt for compromise).
