Mallory

Widespread Exploitation of Microsoft SharePoint ToolShell Vulnerability by Chinese-Linked Threat Actors

actively-exploited-vulnerability, state-sponsored-espionage, widely-deployed-product-advisory, government-diplomatic-threat, ransomware-group-operation
Updated April 9, 2026 at 07:01 PM · 6 sources

Hackers believed to be associated with China have exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint, targeting a broad range of organizations across multiple continents. The vulnerability, which affects on-premises SharePoint servers, was disclosed as an actively exploited zero-day on July 20, 2025, prompting Microsoft to release emergency patches the following day. The flaw is a bypass for previously reported vulnerabilities (CVE-2025-49706 and CVE-2025-49704) and allows remote, unauthenticated attackers to execute code and gain full access to the file system.

Multiple Chinese threat groups, including Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware, have been linked to these attacks. Symantec reported that the ToolShell exploit was used to compromise organizations in the Middle East, South America, the United States, Africa, and Europe, with targets including government agencies, universities, telecommunications providers, and financial institutions. In one case, attackers exploited the vulnerability to plant webshells for persistent access, followed by the deployment of a Go-based backdoor named Zingdoor and the ShadowPad Trojan, both of which facilitate remote command execution and data exfiltration.

Storm-2603, a financially motivated group, was observed deploying ransomware such as LockBit Black and WarLock/X2anylock by exploiting the same set of SharePoint vulnerabilities, with major activity noted on July 18, 2025. Their operations targeted organizations in Latin America and the APAC region, using a combination of public-facing application exploits and legitimate tools like PsExec for lateral movement and execution. The attacks highlight the critical risk posed by unpatched SharePoint servers, as attackers were able to gain initial access, establish persistence, and deploy sophisticated malware and ransomware payloads.
The campaigns demonstrate a high level of coordination and technical capability, leveraging zero-day exploits and advanced post-exploitation techniques. The breach of the National Nuclear Security Administration’s Kansas City National Security Campus further underscores the severity of these attacks, as foreign actors exploited the same SharePoint vulnerabilities to infiltrate a facility responsible for manufacturing critical components for US nuclear weapons. The incident at the Kansas City plant raised significant concerns about the security of federal IT and OT systems, especially those supporting national security functions. Despite the high-profile nature of the targets, responses from affected organizations and government agencies have been limited, with some declining to comment on the incidents. The rapid release of patches by Microsoft and the subsequent widespread exploitation illustrate the importance of timely vulnerability management and the need for robust security controls around public-facing applications. Security researchers have emphasized the necessity for organizations to validate their defenses against these specific TTPs and to continuously monitor for signs of compromise related to the ToolShell exploit. The attacks serve as a stark reminder of the persistent threat posed by state-linked actors and the critical importance of securing enterprise collaboration platforms like SharePoint.

Timeline

  1. Oct 24, 2025

    China-linked actors breach Middle East telecom via patched ToolShell flaw

    Security reporting said China-linked hackers exploited a patched ToolShell vulnerability to breach a Middle East telecommunications provider. The incident showed continued post-patch exploitation of SharePoint weaknesses by suspected Chinese operators.

  2. Oct 22, 2025

    Chinese-linked espionage activity tied to ToolShell intrusions

    Security firms including Symantec and Carbon Black linked many ToolShell intrusions to China-based actors using malware such as Zingdoor, ShadowPad, and KrustyLoader. Microsoft and Resecurity also associated some activity with Chinese groups including Linen Typhoon, Violet Typhoon, and Storm-2603, though attribution remained disputed in some cases.

  3. Oct 22, 2025

    Researchers say ToolShell attacks hit at least 400 organizations

    By late October 2025, security researchers reported that ToolShell exploitation had affected at least 400 organizations across four continents and multiple sectors. The campaign was tied to mass scanning for vulnerable SharePoint servers followed by targeted compromise.

  4. Oct 20, 2025

    DOE says KCNSC breach had minimal impact

    The Department of Energy confirmed the KCNSC incident had minimal impact, citing use of Microsoft M365 cloud services and strong cybersecurity controls. Officials said only limited systems were affected.

  5. Oct 20, 2025

    Kansas City National Security Campus breached via SharePoint flaws

    A foreign threat actor breached the Kansas City National Security Campus, a U.S. nuclear weapons plant managed by Honeywell FM&T for the NNSA, by exploiting unpatched SharePoint vulnerabilities. The intrusion affected a small number of IT systems, with no confirmed classified data loss reported.

  6. Jul 20, 2025

    Microsoft releases SharePoint patches for CVE-2025-53770

    Microsoft released security updates for all supported on-premises SharePoint versions, including SharePoint Server 2016, to address CVE-2025-53770 after earlier recommending interim mitigations. Security guidance emphasized that patching alone might not be sufficient if servers were already compromised, and urged organizations to investigate for webshells and rotate stolen MachineKeys where needed.

  7. Jul 18, 2025

    Threat actors exploit SharePoint ToolShell flaws in global attacks

    Multiple threat actors began exploiting Microsoft SharePoint vulnerabilities including CVE-2025-53770 and related flaws to compromise organizations worldwide. Victims spanned governments, telecoms, universities, and enterprises across Africa, South America, the Middle East, Europe, the U.S., Latin America, and APAC.

  8. Jul 18, 2025

    Microsoft reports major Storm-2603 campaign

    Microsoft reported a major campaign by Storm-2603 on July 18, 2025. The activity involved exploitation of Microsoft SharePoint vulnerabilities and ransomware-related post-exploitation tradecraft.

  9. Jun 1, 2025

    Warlock ransomware first observed

    Warlock ransomware was first observed in the wild in June 2025. Reporting later suggested it may be linked to a Chinese group and possibly used alongside SharePoint intrusions as cover for data theft.

Related Stories

ToolShell Exploit Drives Surge in Attacks on Microsoft SharePoint Servers

A significant increase in attacks targeting public-facing applications has been attributed to the exploitation of the ToolShell vulnerability in on-premises Microsoft SharePoint servers. According to Cisco's latest Quarterly Trends report, over 60% of recent Talos Incident Response cases involved attacks on public-facing applications, with nearly 40% specifically linked to ToolShell activity. The surge is tied to two major SharePoint vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which have been actively exploited since mid-July 2025. China-based threat groups Linen Typhoon and Violet Typhoon have been identified as the primary actors behind these campaigns, focusing on sectors such as government, defense, academia, and nonprofits. The majority of incident response engagements related to ToolShell began within ten days of the vulnerabilities' disclosure, underscoring the rapid weaponization and exploitation by threat actors. Security experts warn that unpatched SharePoint servers present a critical risk, enabling attackers to move laterally within networks and potentially deploy ransomware. Cisco emphasizes the importance of robust network segmentation and timely patching to mitigate these threats. The exploitation of ToolShell highlights the ongoing challenges organizations face in defending public-facing applications and the need for proactive vulnerability management to prevent large-scale compromise and operational disruption.

1 month ago
Warlock Ransomware Expands SharePoint Intrusions With Stealthier Post-Exploitation

**Warlock** ransomware operators have continued exploiting unpatched **Microsoft SharePoint** servers, but recent intrusions show a more mature post-exploitation playbook focused on persistence, lateral movement, and evasion after initial access. Trend Micro reported the group is now using a **bring your own vulnerable driver (BYOVD)** technique involving the `Nsec` driver, alongside tools such as **TightVNC** and the **Yuze** reverse proxy, to move more quietly across victim networks and reduce the chance of detection. The activity has affected organizations in the technology, manufacturing, and government sectors, with observed victims in the U.S., Germany, and Russia. Incident details show the operators escalating to **full domain compromise** by abusing credentials, resetting the built-in Administrator account, and adding users to the **Domain Administrators** group. They used **PsExec**, **PowerShell Remoting**, MSI-based deployment of TightVNC, and RDP-enabling utilities to maintain remote access and spread laterally, while web shells, tunneling, and other remote-control mechanisms supported persistence and command-and-control. The reporting indicates Warlock has kept its SharePoint exploitation path consistent, but has significantly strengthened the actions that follow compromise, giving defenders a clearer set of behaviors to hunt for beyond the initial server exploit.

1 month ago
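The Warlock post-exploitation behaviours described in the story above (PsExec service installs, resetting the built-in Administrator account, additions to Domain Admins, RDP being switched on) can be hunted in standard Windows event logs. The following is an added example written for this page, not Trend Micro's or Mallory's tooling; the event IDs are the standard Windows audit events, the field names follow their usual event data, and the records themselves are constructed samples.

```python
"""Hunt for the post-exploitation behaviours named above (PsExec, resetting the
built-in Administrator, Domain Admins additions, RDP enabling) in Windows event
records. Added example for this page, not Trend Micro's or Mallory's tooling.
Event IDs are standard Windows audit events; the records below are constructed."""

# Each rule: (rule_name, event_id, predicate over the event's 'data' fields)
RULES = [
    ("psexec_service_install", 7045,          # System log: a service was installed
     lambda d: "psexesvc" in d.get("ServiceName", "").lower()),
    ("domain_admins_member_added", 4728,      # Security: member added to global group
     lambda d: d.get("TargetUserName", "").lower() == "domain admins"),
    ("builtin_administrator_password_reset", 4724,  # Security: password reset attempt
     lambda d: d.get("TargetUserName", "").lower() == "administrator"),
    ("rdp_enabled_via_registry", 4657,        # Security: registry value modified
     lambda d: d.get("ObjectValueName", "").lower() == "fdenytsconnections"
     and d.get("NewValue") == "0"),
]

def hunt(events):
    """Return (computer, rule_name, event) for every record matching a rule."""
    hits = []
    for ev in events:
        for name, event_id, pred in RULES:
            if ev["EventID"] == event_id and pred(ev.get("data", {})):
                hits.append((ev["Computer"], name, ev))
    return hits

def hosts_with_chain(events, min_rules=2):
    """Hosts showing at least min_rules distinct behaviours. The combination, not
    any single event, separates this playbook from routine admin activity.
    Note that 4728 is logged on the domain controller, not the member server."""
    seen = {}
    for computer, name, _ in hunt(events):
        seen.setdefault(computer, set()).add(name)
    return {c: sorted(r) for c, r in seen.items() if len(r) >= min_rules}

# Constructed sample records (not real telemetry). SP01 shows the chain, FS02 is noise.
SAMPLE_EVENTS = [
    {"Computer": "SP01", "EventID": 7045,
     "data": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"Computer": "SP01", "EventID": 4724,
     "data": {"TargetUserName": "Administrator", "SubjectUserName": "svc_sp"}},
    {"Computer": "SP01", "EventID": 4657,
     "data": {"ObjectValueName": "fDenyTSConnections", "OldValue": "1", "NewValue": "0"}},
    {"Computer": "DC01", "EventID": 4728,
     "data": {"TargetUserName": "Domain Admins", "MemberName": "CN=svc_sp,CN=Users,DC=corp,DC=example"}},
    {"Computer": "FS02", "EventID": 7045,
     "data": {"ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"}},
]
```

Running `hosts_with_chain(SAMPLE_EVENTS)` flags only SP01, where three of the behaviours coincide; the single Domain Admins addition on DC01 surfaces with `min_rules=1` and is best correlated by the subject account across hosts.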
Ransomware and ToolShell Attacks Targeting Public and Private Sectors

Threat actors have increasingly exploited public-facing applications, particularly on-premises Microsoft SharePoint servers, to gain initial access to organizations, with a significant rise in attacks attributed to the ToolShell attack chain. Cisco Talos Incident Response reported that over 60 percent of their recent engagements involved this vector, a sharp increase from the previous quarter, and noted a shift in ransomware activity, with new variants such as Warlock, Babuk, and Kraken observed alongside established families like Qilin and LockBit. The use of open-source DFIR tools like Velociraptor for persistence was also documented, marking a novel tactic in ransomware operations, and some attacks were linked to the China-based group Storm-2603. Ransomware continues to pose a persistent threat, particularly to public sector organizations, with Trustwave reporting nearly 200 government entities worldwide victimized in 2025 alone. Babuk and Qilin have been identified as the most active ransomware groups targeting the public sector, causing significant operational downtime, service outages, and financial losses. The evolving tactics of ransomware actors and the increasing exploitation of vulnerabilities in public-facing applications underscore the need for robust segmentation and rapid incident response measures across both public and private sectors.

1 month ago
