Zero-Day Vulnerabilities in SharePoint Under Attack Since Early July

📟 News

Date: 25/07/2025

According to security researchers, several Chinese hacking groups have been exploiting a chain of zero-day vulnerabilities in on-premises Microsoft SharePoint Server. Among the victims is the U.S. National Nuclear Security Administration, whose network was compromised.

ToolShell

The chain of 0-day vulnerabilities in SharePoint has been named ToolShell and was first demonstrated at the Pwn2Own Berlin hacking competition in May 2025. At that event, researchers from Viettel Cyber Security chained two flaws, an authentication bypass (CVE-2025-49706) and a code-injection bug (CVE-2025-49704), into unauthenticated remote code execution on the server.

Microsoft patched both ToolShell vulnerabilities in its July 2025 Patch Tuesday release, but attackers found ways around the fixes with new exploits.

The bypasses were assigned their own identifiers: CVE-2025-53770 (CVSS 9.8; bypass of the fix for CVE-2025-49704) and CVE-2025-53771 (CVSS 6.3; bypass of the fix for CVE-2025-49706). Last week, analysts at Eye Security warned that these new issues were already being used against on-premises SharePoint servers. SharePoint Online in Microsoft 365 is not affected.

Microsoft has since released out-of-band patches for both issues, re-patching the vulnerabilities in SharePoint Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016:

  • KB5002754 for Microsoft SharePoint Server 2019 Core and KB5002753 for Microsoft SharePoint Server 2019 Language Pack;
  • KB5002760 for Microsoft SharePoint Enterprise Server 2016 and KB5002759 for Microsoft SharePoint Enterprise Server 2016 Language Pack;
  • KB5002768 for Microsoft SharePoint Subscription Edition.

Patching alone is not enough. After installing the update, Microsoft instructs administrators to rotate the farm's ASP.NET machine keys and restart IIS: an attacker who has already stolen the keys (the spinstall web shells exist for exactly that purpose) can keep forging valid requests against a patched server until the keys change. Microsoft also strongly advises enabling Antimalware Scan Interface (AMSI) integration with Microsoft Defender Antivirus (or another AMSI-capable engine) on all on-premises SharePoint servers and configuring AMSI in Full Mode.
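The post-patch steps above, as an added PowerShell example that is not code from the article or from Microsoft. It is run from the SharePoint Management Shell as a farm administrator and assumes that the update for your edition is already installed on every server, that the Update-SPMachineKey cmdlet is available on your build (it is the scripted counterpart of the Machine Key Rotation timer job in Central Administration), and that WinRM is enabled for the remote IIS restart; check cmdlet names against your installed version.

```powershell
# Added example (not from the article or Microsoft): post-patch steps for an
# on-premises SharePoint farm. Run in the SharePoint Management Shell as a farm admin.
# Assumptions: the security update is already installed on every server,
# Update-SPMachineKey exists on your build, and WinRM is enabled for Invoke-Command.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so it can be compared with the version number the KB
#    article lists for your edition. If it has not moved, the patch is not installed.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) of every web
#    application, including Central Administration. ToolShell's spinstall web shell
#    reads these keys; with them an attacker can sign a malicious __VIEWSTATE and
#    regain code execution on a patched server, so rotation is what evicts an
#    intruder who got in before the patch.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS on every SharePoint server so the new keys take effect. SPServer
#    objects with Role 'Invalid' are non-SharePoint farm members (e.g. the SQL
#    server) and are skipped.
$servers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $server"
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset.exe /noforce }
}

# 4. Confirm an AMSI provider is registered on each server. SharePoint's AMSI
#    setting (Central Administration > Security > Manage web farm security settings)
#    has nothing to call unless Defender or another engine registered itself here.
foreach ($server in $servers) {
    $providers = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty PSChildName
    }
    Write-Host "$server AMSI providers: $($providers -join ', ')"
}
```

Step 4 only checks that a provider exists; switching SharePoint's AMSI integration to Full Mode is done in the Central Administration web farm security settings, not by this script. Run the key rotation on one web application first and confirm users can still sign in before looping over the rest.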

Attacks

According to numerous reports from experts, dozens of organizations worldwide have already suffered from these attacks. For example, reports on the exploitation of these bugs were published by companies such as Cisco Talos, Censys, Check Point, CrowdStrike, Palo Alto Networks, Qualys, SentinelOne, Tenable, Trend Micro, and others.

Experts at Microsoft report that the recent vulnerabilities have been exploited by Chinese APT groups Linen Typhoon (also known as APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), Violet Typhoon (also known as APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), and a third Chinese hacking group — Storm-2603. The information about Chinese hackers attacking SharePoint is also corroborated by specialists from Google Cloud’s Mandiant Consulting.

According to Check Point, the first exploitation attempts were seen as early as July 7, 2025. Attackers targeted dozens of organizations in the government, telecommunications, and IT sectors across North America and Western Europe.

Microsoft has shared the following indicators of compromise (IOC) to help defenders identify compromised SharePoint servers:

  • 199.202[.]205: IP address exploiting SharePoint vulnerabilities;
  • 238.159[.]149: IP address exploiting SharePoint vulnerabilities;
  • 130.206[.]168: IP address exploiting SharePoint vulnerabilities;
  • 226.2[.]6: command and control server used for post-exploitation;
  • aspx: web shell deployed by attackers (variants also include spinstall.aspx, spinstall1.aspx, and spinstall2.aspx);
  • ngrok-free[.]app/file.ps1: Ngrok tunnel used for delivering PowerShell.
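A hunt for the artifacts in the IOC list above, as an added PowerShell example that is not code from the article or from any vendor it cites. It looks for the spinstall family of web shells in the SharePoint LAYOUTS directory and for the request pattern that triggers the chain. That request pattern, an unauthenticated POST to ToolPane.aspx in edit mode with a Referer of /_layouts/SignOut.aspx, comes from public reporting on ToolShell and is not described in the article above, so treat it as this example's assumption; the default 16-hive and IIS log paths are assumptions as well. A constructed sample log is embedded so the script runs offline.

```powershell
# Added example (not from the article): hunt for ToolShell traces on an on-premises
# SharePoint server. Assumed paths are the defaults for the 16 hive and IIS logging.
# The ToolPane/SignOut request pattern is this example's assumption from public
# reporting; tune it to your own traffic.

$Layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$IisLogs = 'C:\inetpub\logs\LogFiles'

# (a) Web shells: no SharePoint build ships a file named spinstall*.aspx in LAYOUTS.
function Find-SpinstallShell {
    param([string]$Path = $Layouts)
    Get-ChildItem -Path $Path -Filter 'spinstall*.aspx' -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length
}

# (b) Exploitation requests in W3C-format IIS logs. The Referer check matters: a real
#     editor reaches ToolPane.aspx from a page, not from the sign-out page.
function Find-ToolShellRequest {
    param([string]$LogPath = $IisLogs, [datetime]$Since = (Get-Date '2025-07-07'))
    Get-ChildItem -Path $LogPath -Filter '*.log' -Recurse |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $file = $_.FullName
            $fields = $null
            foreach ($line in [System.IO.File]::ReadLines($file)) {
                # W3C logs announce their column layout in a '#Fields:' header line.
                if ($line.StartsWith('#Fields:')) {
                    $fields = $line.Substring(8).Trim() -split ' '
                    continue
                }
                if ($line.StartsWith('#') -or -not $fields) { continue }
                $values = $line -split ' '
                if ($values.Count -ne $fields.Count) { continue }
                $row = @{}
                for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

                $uri = $row['cs-uri-stem']; $qs = $row['cs-uri-query']; $ref = $row['cs(Referer)']
                $toolPane = ($row['cs-method'] -eq 'POST') -and
                            ($uri -like '*/_layouts/15/ToolPane.aspx') -and
                            ($qs  -like '*DisplayMode=Edit*') -and
                            ($ref -like '*/_layouts/SignOut.aspx*')
                $shell = $uri -like '*/_layouts/15/spinstall*.aspx'
                if (-not ($toolPane -or $shell)) { continue }

                $hit = if ($toolPane) { 'ToolPane-POST' } else { 'spinstall-webshell' }
                [pscustomobject]@{
                    Hit    = $hit
                    Time   = "$($row['date']) $($row['time'])"
                    Client = $row['c-ip']
                    Method = $row['cs-method']
                    Uri    = $uri
                    Query  = $qs
                    Status = $row['sc-status']
                    Log    = $file
                }
            }
        }
}

# Constructed sample log (not real traffic; client address is from a documentation
# range) so the script can be run offline. Remove this section on a real server and
# call Find-SpinstallShell and Find-ToolShellRequest with no arguments instead.
$demo = Join-Path $env:TEMP 'toolshell-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2025-07-18 13:01:02 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 200 https://sp.example.com/_layouts/SignOut.aspx
2025-07-18 13:01:05 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 200 -
2025-07-18 13:02:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 https://sp.example.com/sites/hr/SitePages/Home.aspx
'@ | Set-Content -Path (Join-Path $demo 'u_ex250718.log')

Find-ToolShellRequest -LogPath $demo | Format-Table -AutoSize
```

The sample's third line is there to show the design point: an ordinary edit-mode POST from an authenticated user carries a normal page Referer and is not flagged, so the SignOut.aspx Referer is what makes the rule precise rather than noisy. A status of 200 on the ToolPane POST is worth treating as a confirmed hit rather than an attempt; a patched server answers the same request with an error.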

Worse yet, this week a proof-of-concept exploit for CVE-2025-53770 appeared on GitHub, and security researchers expect other groups to join in exploiting ToolShell soon.

According to experts from Eye Security, at least 400 servers and 148 organizations worldwide have been affected by ToolShell attacks.

It also became known today that the U.S. National Nuclear Security Administration (NNSA) is among the victims of the ToolShell attacks. The agency, part of the U.S. Department of Energy, is responsible for maintaining the nation's nuclear weapons stockpile and responds to nuclear and radiological emergencies both domestically and internationally.

“On Friday, July 18, the exploitation of a zero-day vulnerability in Microsoft SharePoint affected the Department of Energy, including the NNSA,” a spokesperson for the U.S. Department of Energy told Bleeping Computer. “The department was minimally impacted due to the widespread use of Microsoft M365 cloud and robust cybersecurity systems.”

According to Bloomberg, no evidence has yet been found that any confidential or classified information may have been compromised as a result of the attack.
