
Global cyber assault penetrates hundreds of SharePoint systems internationally

Federal authorities at CISA are addressing potential security breaches at numerous federal agencies and state and local entities.


A global hacking campaign, exploiting the ToolShell vulnerability in Microsoft SharePoint, has been actively targeting on-premises and self-managed SharePoint servers since mid-July 2025. This campaign, which has rapidly intensified since its inception, poses a significant threat to organizations worldwide.

The exploit chain involves multiple vulnerabilities, primarily CVE-2025-53770 and CVE-2025-53771. Attackers bypass authentication and execute malicious code, gaining full administrative control over affected systems. This allows them to deploy ASPX web shells for persistent access and extract cryptographic keys to forge authenticated payloads, ensuring long-term access.

Approximately 9-13% of cloud environments run vulnerable self-hosted SharePoint instances, with about 6% exposed directly to the internet. This makes them immediate targets. The campaign affects on-premises SharePoint servers worldwide, but specific countries or organizations publicly identified as victims have not been disclosed in the available reports.

The Department of Energy, including the National Nuclear Security Administration, was one of the federal agencies affected by the exploitation of a Microsoft SharePoint zero-day vulnerability on July 18th. However, the Department of Energy was minimally impacted due to its widespread use of the Microsoft M365 cloud and robust cybersecurity systems. All affected systems within the Department of Energy are now being restored.

The Shadowserver Foundation has confirmed more than 300 victims of the hacking campaign, and over 10,700 SharePoint instances remain exposed. CISA is working with Microsoft and other partners to address and mitigate the active exploitation of multiple vulnerabilities impacting Microsoft on-site SharePoint servers.

U.S. officials are continuing to assess the impact of the exploitation, which Microsoft has linked in part to China-backed hackers. Microsoft has identified Linen Typhoon and Violet Typhoon as the state-linked hackers behind many early SharePoint attacks.

CISA has added the two critical vulnerabilities that led to the development of ToolShell, tracked as CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities catalog. Federal officials have also confirmed that CISA is aware of federal agencies and state and local governments that may have been breached.

The hackers did not access sensitive or classified information within the National Nuclear Security Administration. Nevertheless, security teams and incident responders are urging rapid patching and remediation for all affected systems; patching alone is insufficient, because attackers who compromised a server before it was patched often retain persistent access.

It's crucial for organizations to stay vigilant and take immediate action to secure their SharePoint environments. This includes applying patches, implementing strong authentication measures, and regularly monitoring for suspicious activities.


  1. The ongoing global cybersecurity incident, exploiting the ToolShell vulnerability in Microsoft SharePoint, requires immediate attention from incident response teams.
  2. The exploitation of vulnerabilities such as CVE-2025-53770 and CVE-2025-53771, which form part of the ToolShell chain, poses a privacy risk for organizations running self-hosted SharePoint instances, especially those exposed directly to the internet.
  3. The intersection of technology and politics is evident, as U.S. officials are assessing the impact of the ToolShell exploit, which Microsoft has linked to China-backed hackers.
  4. In the wake of the ToolShell exploit, cybersecurity efforts should not only focus on patching but also on implementing strong authentication measures and regular monitoring for suspicious activities.
