According to cybersecurity specialists, several Chinese hacker groups have been exploiting a chain of zero-day vulnerabilities in Microsoft SharePoint in their attacks. In particular, it has become known that the attackers have compromised the network of the U.S. National Nuclear Security Administration.
ToolShell
The chain of 0-day vulnerabilities in SharePoint has been named ToolShell and was first demonstrated at the Pwn2Own Berlin hacking competition in May 2025. At that event, experts from Viettel Cyber Security combined two flaws (CVE-2025-49706 and CVE-2025-49704) to carry out an RCE attack.
Although in July 2025, Microsoft developers released patches for both ToolShell vulnerabilities, attackers managed to bypass the fixes using new exploits.
As a result, the new vulnerabilities have been assigned the identifiers CVE-2025-53770 (9.8 CVSS score; patch bypass for CVE-2025-49704) and CVE-2025-53771 (6.3 CVSS score; patch bypass for CVE-2025-49706). Just last week, analysts from the company Eye Security warned that these new issues are already being used to attack on-premises SharePoint servers.
As a result, Microsoft developers have already released emergency patches for both RCE issues, re-patching the vulnerabilities in SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016:
- KB5002754 for Microsoft SharePoint Server 2019 Core and KB5002753 for Microsoft SharePoint Server 2019 Language Pack;
- KB5002760 for Microsoft SharePoint Enterprise Server 2016 and KB5002759 for Microsoft SharePoint Enterprise Server 2016 Language Pack;
- KB5002768 for Microsoft SharePoint Subscription Edition.
Furthermore, after applying the patches, Microsoft strongly recommends administrators to perform key rotation. It is also strongly advised to integrate and enable the Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or other similar solutions) for all on-premises SharePoint deployments and configure AMSI in Full Mode.
Attacks
According to numerous reports from experts, dozens of organizations worldwide have already suffered from these attacks. For example, reports on the exploitation of these bugs were published by companies such as Cisco Talos, Censys, Check Point, CrowdStrike, Palo Alto Networks, Qualys, SentinelOne, Tenable, Trend Micro, and others.
Experts at Microsoft report that the recent vulnerabilities have been exploited by Chinese APT groups Linen Typhoon (also known as APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), Violet Typhoon (also known as APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), and a third Chinese hacking group — Storm-2603. The information about Chinese hackers attacking SharePoint is also corroborated by specialists from Google Cloud’s Mandiant Consulting.
According to experts at Check Point, the first signs of vulnerabilities being exploited were detected as early as July 7, 2025. Attackers targeted dozens of organizations in the government, telecommunications, and IT sectors in countries across North America and Western Europe.
Microsoft has shared the following indicators of compromise (IOC) to help defenders identify compromised SharePoint servers:
- 199.202[.]205: IP address exploiting SharePoint vulnerabilities;
- 238.159[.]149: IP address exploiting SharePoint vulnerabilities;
- 130.206[.]168: IP address exploiting SharePoint vulnerabilities;
- 226.2[.]6: command and control server used for post-exploitation;
- aspx: web shell deployed by attackers (variants also include spinstall.aspx, spinstall1.aspx, and spinstall2.aspx);
- ngrok-free[.]app/file.ps1: Ngrok tunnel used for delivering PowerShell.
Worse yet, this week a proof-of-concept exploit for CVE-2025-53770 appeared on GitHub, leading cybersecurity experts to expect that soon other hacker groups will join in on the attacks against ToolShell.
According to experts from Eye Security, at least 400 servers and 148 organizations worldwide have been affected by ToolShell attacks.
It is also worth noting that today it became known that the National Nuclear Security Administration (NNSA) in the United States has fallen victim to the ToolShell attack. This agency is part of the U.S. Department of Energy, responsible for maintaining the nation’s nuclear weapons stockpile, and addresses nuclear and radiological emergencies both domestically and internationally.
“On Friday, July 18, the exploitation of a zero-day vulnerability in Microsoft SharePoint affected the Department of Energy, including the NNSA,” a spokesperson for the U.S. Department of Energy told Bleeping Computer. “The department was minimally impacted due to the widespread use of Microsoft M365 cloud and robust cybersecurity systems.”
According to Bloomberg, no evidence has yet been found that any confidential or classified information may have been compromised as a result of the attack.
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer
Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →