
Global cyber-attack targeting SharePoint systems impacts numerous systems across the globe

Government agency CISA addresses reports of possible security breaches at numerous federal organizations and local and state entities.

Worldwide systems suffer large-scale hacking attempts on SharePoint platforms


In a significant cybersecurity incident, thousands of on-premises Microsoft SharePoint servers worldwide have been put at risk due to the active exploitation of the ToolShell vulnerability. The vulnerability, which affects SharePoint versions 2016, 2019, and Subscription Edition, has been rapidly exploited since mid-July 2025, with many systems believed to have been compromised, especially those exposed to the internet.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities, tracked as CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities catalog. CISA is working with Microsoft and other partners to address and mitigate the active exploitation of multiple vulnerabilities impacting Microsoft on-premises SharePoint servers.

Exploitation of these vulnerabilities gives unauthenticated attackers full access to SharePoint content. ToolShell, the exploit chain used in these attacks, lets attackers execute code over the network, deploy web shells, steal critical cryptographic keys, and establish persistent access that may survive patching and clean-up efforts.

Microsoft has released emergency patches for the vulnerabilities, but because the attackers use stealthy in-memory payloads and steal the server's cryptographic keys, patching alone is not enough to guarantee that they have been evicted. Researchers and cybersecurity groups emphasize that any internet-exposed on-premises SharePoint server should be assumed compromised, given the active exploitation since mid-July 2025.

Security advisories strongly warn that all vulnerable and exposed systems should be treated as compromised until proven clean. As of now, more than 10,700 SharePoint instances remain exposed, according to the Shadowserver Foundation, which has confirmed over 300 victims of the ToolShell hacking campaign.

The hacking campaign has compromised hundreds of systems across the globe, impacting various sectors such as healthcare, finance, education, transportation, and more. The Department of Energy was minimally impacted due to its use of Microsoft M365 cloud and robust cybersecurity systems. However, the National Nuclear Security Administration has been compromised through SharePoint vulnerabilities, according to reports.

Microsoft has identified Linen Typhoon and Violet Typhoon as the state-linked hackers behind many early SharePoint attacks. The exploitation of ToolShell is being assessed by U.S. officials, who believe it may be linked to China-backed hackers.

Corporate stakeholders want a clearer picture of the risk calculus of their technology stacks, starting with the question: Are we a target? The ongoing active exploitation of ToolShell underscores the importance of robust cybersecurity measures, regular updates, and vigilance in the face of evolving threats.


  1. The ongoing incident response for the exploitation of the ToolShell vulnerability in Microsoft SharePoint servers highlights the necessity of privacy measures, as those compromised systems may contain sensitive data such as financial information.
  2. In light of the active exploitation of the vulnerabilities in Microsoft SharePoint servers, it's crucial for organizations to prioritize cybersecurity measures, including regular updates, to strengthen their technology stack and reduce vulnerabilities.
  3. The cybersecurity community is actively collaborating to address and mitigate the active exploitation of the ToolShell vulnerability, recognizing the critical nature of this issue in various sectors, including finance, healthcare, and education.
