
According to cybersecurity specialists, several Chinese hacker groups have been exploiting a chain of zero-day vulnerabilities in Microsoft SharePoint in their attacks. In particular, it has become known that the attackers have compromised the network of the U.S. National Nuclear Security Administration.
ToolShell
The chain of 0-day vulnerabilities in SharePoint has been named ToolShell and was first demonstrated at the Pwn2Own Berlin hacking competition in May 2025. At that event, experts from Viettel Cyber Security combined two flaws (CVE-2025-49706 and CVE-2025-49704) to carry out an RCE attack.
Although Microsoft released patches for both ToolShell vulnerabilities in July 2025, attackers bypassed the fixes with new exploits.
The bypasses have been assigned the identifiers CVE-2025-53770 (CVSS score 9.8; patch bypass for CVE-2025-49704) and CVE-2025-53771 (CVSS score 6.3; patch bypass for CVE-2025-49706). Just last week, analysts from Eye Security warned that these new issues are already being used to attack on-premises SharePoint servers.
In response, Microsoft has released emergency patches for both RCE issues, re-patching the vulnerabilities in SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016:
- KB5002754 for Microsoft SharePoint Server 2019 Core and KB5002753 for Microsoft SharePoint Server 2019 Language Pack;
- KB5002760 for Microsoft SharePoint Enterprise Server 2016 and KB5002759 for Microsoft SharePoint Enterprise Server 2016 Language Pack;
- KB5002768 for Microsoft SharePoint Subscription Edition.
Furthermore, Microsoft strongly recommends that administrators rotate the server keys after applying the patches. It also strongly advises integrating and enabling the Antimalware Scan Interface (AMSI) together with Microsoft Defender Antivirus (or an equivalent solution) on all on-premises SharePoint deployments, and configuring AMSI in Full Mode.
Attacks
According to numerous reports from experts, dozens of organizations worldwide have already suffered from these attacks. For example, reports on the exploitation of these bugs were published by companies such as Cisco Talos, Censys, Check Point, CrowdStrike, Palo Alto Networks, Qualys, SentinelOne, Tenable, Trend Micro, and others.
Experts at Microsoft report that the recent vulnerabilities have been exploited by Chinese APT groups Linen Typhoon (also known as APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), Violet Typhoon (also known as APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), and a third Chinese hacking group — Storm-2603. The information about Chinese hackers attacking SharePoint is also corroborated by specialists from Google Cloud’s Mandiant Consulting.
According to experts at Check Point, the first signs of exploitation were detected as early as July 7, 2025. Attackers targeted dozens of organizations in the government, telecommunications, and IT sectors across North America and Western Europe.
Microsoft has shared the following indicators of compromise (IOC) to help defenders identify compromised SharePoint servers:
- 199.202[.]205: IP address exploiting SharePoint vulnerabilities;
- 238.159[.]149: IP address exploiting SharePoint vulnerabilities;
- 130.206[.]168: IP address exploiting SharePoint vulnerabilities;
- 226.2[.]6: command and control server used for post-exploitation;
- aspx: web shell deployed by attackers (variants also include spinstall.aspx, spinstall1.aspx, and spinstall2.aspx);
- ngrok-free[.]app/file.ps1: Ngrok tunnel used for delivering PowerShell.
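The following PowerShell is an added example, not part of the article or Microsoft's guidance text: it checks the SharePoint LAYOUTS folder for the web shell file names listed above and then performs the key rotation the article says Microsoft recommends after patching. It assumes an elevated SharePoint Management Shell on an already patched on-premises server, the standard SharePoint 16 hive path, and that the Update-SPMachineKey cmdlet is available on that build.

```powershell
# Added example (not from the article). Run elevated in the SharePoint Management Shell
# on a server that already has the July 2025 emergency patches installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: standard SharePoint 16 hive location for LAYOUTS.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
# Web shell names taken from the IOC list in the article.
$knownShells = @('spinstall.aspx', 'spinstall1.aspx', 'spinstall2.aspx')

# Look for the named files and any other spinstall*.aspx variant in the same folder.
$hits = Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ Name = 'ListedIOC'; Expression = { $knownShells -contains $_.Name } }

if ($hits) {
    Write-Warning 'Possible ToolShell web shell(s) found; treat this server as compromised and start IR:'
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No spinstall*.aspx files in LAYOUTS (absence does not prove the server is clean).'
}

# Rotate the ASP.NET machine keys for every web application, including Central Administration.
# Patching alone does not invalidate keys an attacker may already have read, so rotate regardless
# of whether a shell was found, then restart IIS so the new keys take effect.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}
iisreset.exe
```

Run the key rotation on every server in the farm; a file hit should be preserved (not deleted) as evidence before the server is rebuilt.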
Worse yet, this week a proof-of-concept exploit for CVE-2025-53770 appeared on GitHub, leading cybersecurity experts to expect that other hacker groups will soon join the ToolShell attacks.
According to experts from Eye Security, at least 400 servers and 148 organizations worldwide have been affected by ToolShell attacks.
It is also worth noting that today it became known that the National Nuclear Security Administration (NNSA) in the United States has fallen victim to the ToolShell attack. This agency is part of the U.S. Department of Energy, responsible for maintaining the nation’s nuclear weapons stockpile, and addresses nuclear and radiological emergencies both domestically and internationally.
“On Friday, July 18, the exploitation of a zero-day vulnerability in Microsoft SharePoint affected the Department of Energy, including the NNSA,” a spokesperson for the U.S. Department of Energy told Bleeping Computer. “The department was minimally impacted due to the widespread use of Microsoft M365 cloud and robust cybersecurity systems.”
According to Bloomberg, no evidence has yet been found that any confidential or classified information may have been compromised as a result of the attack.