On-premises SharePoint servers are under active attack: both Microsoft and CISA have confirmed exploitation in the wild.
Critical SharePoint Vulnerabilities Actively Exploited Worldwide
A critical vulnerability in Microsoft SharePoint Server, exploited through the chain known as ToolShell, is under active attack. CVE-2025-53770 is an unauthenticated remote code execution flaw (deserialization of untrusted data, CVSS 9.8) affecting on-premises SharePoint Server 2016, 2019, and Subscription Edition; SharePoint Online in Microsoft 365 is not affected. The companion flaw CVE-2025-53771 is a spoofing bug used to reach the vulnerable code path without credentials. Both are bypasses of the fixes Microsoft shipped in the July 2025 Patch Tuesday update for CVE-2025-49704 and CVE-2025-49706, the pair originally demonstrated at Pwn2Own Berlin in May 2025.
The Current Situation
These vulnerabilities have been exploited in the wild since at least mid-July 2025 (Eye Security observed the first wave around July 18), with large-scale attacks reported globally across government, critical infrastructure, universities, and the private sector. The July 8 Patch Tuesday update addressed CVE-2025-49704 and CVE-2025-49706 but could be bypassed, so Microsoft released out-of-band updates for CVE-2025-53770 and CVE-2025-53771 starting July 19, 2025, with the SharePoint Server 2016 update following shortly after. All operators of affected SharePoint versions should apply these out-of-band updates immediately; the July 8 update alone is not sufficient.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025, which obliges U.S. federal civilian agencies to remediate on a fixed deadline and underscores the urgency for everyone else.
How the Exploit Works
The exploit chain is a single unauthenticated HTTP request followed by follow-on activity. The attacker sends a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with the Referer header set to /_layouts/SignOut.aspx; SharePoint's authentication logic exempts requests that appear to come from the sign-out page, so the request reaches ToolPane.aspx without credentials (CVE-2025-53771, a bypass of the CVE-2025-49706 fix). The request body carries a serialized .NET object that ToolPane.aspx deserializes, giving the attacker code execution as the SharePoint application pool identity (CVE-2025-53770, a bypass of the CVE-2025-49704 fix). Observed payloads write a file such as spinstall0.aspx into the LAYOUTS directory of the SharePoint hive (for example C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\). That file is less a command shell than a key stealer: when requested, it returns the server's ASP.NET MachineKey (ValidationKey and DecryptionKey). With those keys an attacker can sign arbitrary __VIEWSTATE payloads and regain code execution on any page, without the original bug and without a file on disk, which is why the compromise survives reboots, web-shell removal and even patching until the keys are rotated.
Recommended Mitigations
- Apply Microsoft's out-of-band security updates for every affected on-premises SharePoint version (2016, 2019, Subscription Edition) as the top priority; the July 8 Patch Tuesday update is not sufficient.
- After patching, rotate the SharePoint Server ASP.NET machine keys (ValidationKey and DecryptionKey), via Central Administration or the Set-SPMachineKey and Update-SPMachineKey cmdlets, then restart IIS with iisreset.exe. A patched server whose keys were stolen before the patch remains exploitable through forged ViewState. Rotate any other credentials the server held as well.
- Enable AMSI (Antimalware Scan Interface) integration in SharePoint in Full Mode with Microsoft Defender Antivirus (or another AMSI-capable engine), and deploy an EDR agent such as Microsoft Defender for Endpoint on the servers. Microsoft advises disconnecting any server that cannot run AMSI from the internet until it is patched.
- Isolate and monitor internet-exposed SharePoint servers, restricting outbound traffic and administrative access, to limit lateral movement and further exploitation.
- Assume compromise if the server was internet-exposed before patching: hunt for spinstall0.aspx (and variants) in the LAYOUTS directories, review IIS logs for POST requests to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx, inspect child processes of w3wp.exe, and run full incident response, including checking for other web shells or persisted backdoors.
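The two network-visible artifacts of the chain described under "How the Exploit Works", and the IIS log review called for in the last mitigation above, can be checked with a short script. The following is an added example written for this page, not Microsoft's or any vendor's tooling: it parses an IIS W3C extended log (the sample below is constructed to stand in for a real front-end log; the IP addresses, host names and timestamps are invented) and flags the POST to ToolPane.aspx with a SignOut.aspx Referer and any request for a spinstall*.aspx file. Field names follow the IIS default W3C layout; if your servers log a different field set, the script picks the columns up from the #Fields line rather than assuming positions.

```python
import re
from dataclasses import dataclass

# Constructed sample IIS W3C log from a SharePoint front end (invented hosts,
# addresses and timestamps). The two suspicious lines mirror the public ToolShell
# indicators; the other two are ordinary traffic, including a legitimate
# authenticated GET of ToolPane.aspx that must not be flagged.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 12:00:01 10.0.0.5 GET /sites/hr/Shared+Documents/Forms/AllItems.aspx - 443 CORP\\jdoe 10.0.1.22 Mozilla/5.0 https://sp.example.com/sites/hr 200 0 0 41
2025-07-18 12:00:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 512
2025-07-18 12:00:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 18
2025-07-18 12:01:30 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\admin 10.0.1.40 Mozilla/5.0 https://sp.example.com/sites/hr 200 0 0 30
"""

# Public ToolShell indicators: an unauthenticated POST to ToolPane.aspx whose Referer
# claims to come from the sign-out page, and requests for the spinstall*.aspx dropper.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    client_ip: str
    timestamp: str
    uri: str
    status: str


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names.

    IIS re-emits the #Fields header on log rollover or after a field change, so
    the column layout is taken from the most recent header rather than assumed.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line appears before any #Fields header")
        values = line.split()  # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def detect_toolshell(rows):
    """Return one Finding per log row matching a ToolShell indicator, in log order."""
    findings = []
    for row in rows:
        method = row.get("cs-method", "").upper()
        uri = row.get("cs-uri-stem", "")
        referer = row.get("cs(Referer)", "-")
        when = f"{row.get('date', '')} {row.get('time', '')}"
        ip = row.get("c-ip", "")
        status = row.get("sc-status", "")
        # Status is recorded, not filtered on: a 200 means the bypass likely worked,
        # while a 401/403/500 after patching still identifies who is probing.
        if method == "POST" and TOOLPANE_RE.search(uri) and SIGNOUT_RE.search(referer):
            findings.append(Finding("toolpane_post_signout_referer", ip, when, uri, status))
        if WEBSHELL_RE.search(uri):
            findings.append(Finding("spinstall_webshell_request", ip, when, uri, status))
    return findings


def suspicious_clients(findings):
    """Distinct client IPs behind the findings, for blocking and scoping the response."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    hits = detect_toolshell(parse_w3c(SAMPLE_LOG))
    for h in hits:
        print(f"{h.timestamp} {h.client_ip} {h.rule} {h.uri} status={h.status}")
    print("suspicious clients:", ", ".join(suspicious_clients(hits)))
```

To use it on a real server, read each file under %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\ into parse_w3c. A hit on the first rule with status 200, especially when followed by a spinstall*.aspx request from the same address, means the machine keys should be treated as stolen and rotated regardless of whether the web shell is still on disk.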
Suspected Threat Actors
Microsoft attributes the earliest exploitation to two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, and with medium confidence to a third China-based group, Storm-2603, which it subsequently observed deploying Warlock ransomware on compromised servers. These actors target a wide array of victims globally, including sensitive sectors.
Impact
Successful exploitation gives the attacker code execution on the server and therefore full access to SharePoint content, along with any credentials and configuration the server holds. More than 1,100 vulnerable servers have been detected, including some belonging to K-12 school districts and universities. Google's Threat Intelligence Group has observed attackers installing web shells and stealing cryptographic secrets (the ASP.NET machine keys) from targeted servers.
The attacks have compromised at least two federal agencies in the U.S., as well as multiple European government agencies and a U.S. energy company, according to The Washington Post.
Response
The Cybersecurity and Infrastructure Security Agency (CISA) has urged all organizations with on-premises Microsoft SharePoint servers to apply the mitigations without delay, and Microsoft has released security updates for CVE-2025-53770 and CVE-2025-53771 for every supported on-premises version.
In summary, the ToolShell vulnerabilities are an urgent risk for self-hosted SharePoint servers exposed to the internet. Patch immediately, rotate the machine keys, and run incident response: patching alone does not evict an attacker who already holds the keys.
- ToolShell is being exploited against on-premises SharePoint servers worldwide; SharePoint Online is not affected.
- Microsoft attributes the activity to the Chinese nation-state groups Linen Typhoon and Violet Typhoon, with Storm-2603 also involved.
- Exploitation yields full access to SharePoint content and to the server itself, as the compromises of U.S. federal agencies, European government agencies, and a U.S. energy company show.
- Organizations should treat exposed, unpatched servers as compromised and prioritize patching, machine-key rotation, and threat hunting rather than waiting for further reporting.