
Zero-Day Vulnerabilities in SharePoint Under Attack Since Early July

According to cybersecurity specialists, several Chinese hacker groups have been exploiting a chain of zero-day vulnerabilities in Microsoft SharePoint. In particular, the attackers are reported to have compromised the network of the U.S. National Nuclear Security Administration.

ToolShell

The chain of 0-day vulnerabilities in SharePoint has been named ToolShell and was first demonstrated at the Pwn2Own Berlin hacking competition in May 2025. At that event, experts from Viettel Cyber Security combined an authentication bypass (CVE-2025-49706) with a code-injection flaw (CVE-2025-49704) to achieve unauthenticated remote code execution on an on-premises SharePoint server.

Although Microsoft shipped fixes for both ToolShell vulnerabilities in the July 2025 Patch Tuesday update, attackers bypassed those fixes with new exploits.

As a result, the new vulnerabilities have been assigned the identifiers CVE-2025-53770 (9.8 CVSS score; patch bypass for CVE-2025-49704) and CVE-2025-53771 (6.3 CVSS score; patch bypass for CVE-2025-49706). Just last week, analysts from the company Eye Security warned that these new issues were already being used to attack on-premises SharePoint servers (SharePoint Online in Microsoft 365 is not affected).

Microsoft has since released emergency patches for both issues, re-patching the vulnerabilities in SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016:

  • KB5002754 for Microsoft SharePoint Server 2019 Core and KB5002753 for Microsoft SharePoint Server 2019 Language Pack;
  • KB5002760 for Microsoft SharePoint Enterprise Server 2016 and KB5002759 for Microsoft SharePoint Enterprise Server 2016 Language Pack;
  • KB5002768 for Microsoft SharePoint Subscription Edition.

Furthermore, after applying the patches, Microsoft strongly recommends that administrators rotate the servers' ASP.NET machine keys and restart IIS. Patching alone is not enough here: the web shell used in these attacks was reported to read the machine key configuration, and a server that is patched but still using the old keys continues to accept payloads signed with them. Microsoft also strongly advises enabling the Antimalware Scan Interface (AMSI) integration together with Microsoft Defender Antivirus (or another AMSI-capable product) on all on-premises SharePoint deployments, and configuring AMSI in Full Mode.
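The post-patch steps above, scripted for the SharePoint Management Shell. This is an added example written for this page, not Microsoft's guidance text or any vendor tool; it assumes a farm administrator session on an already updated server, that the installed build provides the Update-SPMachineKey cmdlet, and that AMSI providers are registered under the standard HKLM:\SOFTWARE\Microsoft\AMSI\Providers key.

```powershell
# Added example, not from the article or from Microsoft. Assumes the SharePoint
# Management Shell (Microsoft.SharePoint.PowerShell snap-in) on a server that already
# has the July 2025 re-release installed, run as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build before rotating anything, so the patch level is in the ticket.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# 2. Rotate ASP.NET machine keys for every web application, including Central Administration.
#    Update-SPMachineKey generates new validation/decryption keys and pushes them to the
#    web.config of each server in the farm. Assumption: the cmdlet exists in this build.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS so running worker processes stop using the old keys.
iisreset.exe /noforce

# 4. SharePoint's AMSI integration can only scan requests if at least one AMSI provider
#    (for example Microsoft Defender Antivirus) is registered on the host; list them.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $providers) {
    Write-Warning 'No AMSI provider registered on this host; AMSI integration will scan nothing.'
} else {
    $providers | ForEach-Object { Write-Host "AMSI provider CLSID: $($_.PSChildName)" }
}
```

Run it on one server at a time and confirm users can still authenticate after the IIS restart before moving on; every server in the farm must be restarted, since a worker process still holding the old keys will keep accepting payloads signed with them. Enabling Full Mode itself is done through SharePoint's AMSI settings rather than this script.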

Attacks

According to numerous reports from experts, dozens of organizations worldwide have already suffered from these attacks. For example, reports on the exploitation of these bugs were published by companies such as Cisco Talos, Censys, Check Point, CrowdStrike, Palo Alto Networks, Qualys, SentinelOne, Tenable, Trend Micro, and others.

Experts at Microsoft report that the recent vulnerabilities have been exploited by Chinese APT groups Linen Typhoon (also known as APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), Violet Typhoon (also known as APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), and a third Chinese hacking group — Storm-2603. The information about Chinese hackers attacking SharePoint is also corroborated by specialists from Google Cloud’s Mandiant Consulting.

According to experts at Check Point, the first signs of vulnerabilities being exploited were detected as early as July 7, 2025. Attackers targeted dozens of organizations in the government, telecommunications, and IT sectors in countries across North America and Western Europe.

Microsoft has shared the following indicators of compromise (IOC) to help defenders identify compromised SharePoint servers:

  • 199.202[.]205: IP address exploiting SharePoint vulnerabilities;
  • 238.159[.]149: IP address exploiting SharePoint vulnerabilities;
  • 130.206[.]168: IP address exploiting SharePoint vulnerabilities;
  • 226.2[.]6: command and control server used for post-exploitation;
  • aspx: web shell deployed by attackers (variants also include spinstall.aspx, spinstall1.aspx, and spinstall2.aspx);
  • ngrok-free[.]app/file.ps1: Ngrok tunnel used for delivering PowerShell.
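A hunt for the file and log artifacts in the list above, as an added example written for this page (not Microsoft's IOC tooling). It assumes the default hive 16 and 15 LAYOUTS paths, IIS logging in the default W3C format under C:\inetpub\logs\LogFiles, and takes the attacker IP list as a parameter to be filled from the vendor advisory; the log excerpt inside the script is constructed so the parser can be exercised offline.

```powershell
# Added example (not from the article or from Microsoft). Hunts for spinstall*.aspx web
# shells in the SharePoint LAYOUTS folders and for IIS log lines that request such a shell,
# reference the ngrok-free.app stager host, or come from a supplied attacker IP list.
# Paths and log format are assumptions (default hive locations, default W3C IIS logging).
param(
    [string[]] $AttackerIps = @(),
    [string]   $IisLogRoot  = 'C:\inetpub\logs\LogFiles'
)

$layoutsDirs = @(
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
)

# 1. File hunt: no legitimate SharePoint file in LAYOUTS is named spinstall*.aspx.
foreach ($dir in ($layoutsDirs | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $dir -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Type    = 'WebShellFile'
            Path    = $_.FullName
            Created = $_.CreationTimeUtc
            Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# 2. Log hunt: parse W3C lines; the field order comes from the #Fields: header of each file.
function Find-ToolShellLogHits {
    param([string[]] $Lines, [string[]] $Ips)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $reasons = @()
        if ($row['cs-uri-stem'] -match 'spinstall\d*\.aspx') { $reasons += 'web shell request' }
        if (($row['cs-uri-query'] + $row['cs(User-Agent)'] + $row['cs(Referer)']) -match 'ngrok-free\.app') {
            $reasons += 'ngrok stager reference'
        }
        if ($Ips -contains $row['c-ip']) { $reasons += 'known attacker IP' }

        if ($reasons) {
            [pscustomobject]@{
                Type     = 'LogHit'
                Time     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Method   = $row['cs-method']
                Uri      = $row['cs-uri-stem']
                Status   = $row['sc-status']
                Reason   = ($reasons -join ', ')
            }
        }
    }
}

# Constructed sample log (not real traffic): one benign request and one hit on a web shell.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 12:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-18 12:00:07 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 192.0.2.10 Mozilla/5.0 - 200
'@ -split "`r?`n"
Find-ToolShellLogHits -Lines $sample -Ips $AttackerIps

# Real logs: every W3SVC* site folder under the IIS log root.
Get-ChildItem -Path $IisLogRoot -Filter '*.log' -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    Find-ToolShellLogHits -Lines (Get-Content -Path $_.FullName) -Ips $AttackerIps
}
```

A file hit is the strongest signal; treat the host as compromised and preserve the file and its hash before cleaning. A log hit with a 200 status on a spinstall*.aspx path means the shell was actually served, so key rotation after patching is mandatory on that server, not optional.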

Worse yet, this week a proof-of-concept exploit for CVE-2025-53770 appeared on GitHub, leading cybersecurity experts to expect that other hacker groups will soon join in on the attacks exploiting ToolShell.

According to experts from Eye Security, at least 400 servers and 148 organizations worldwide have been affected by ToolShell attacks.

It is also worth noting that today it became known that the National Nuclear Security Administration (NNSA) in the United States has fallen victim to the ToolShell attack. This agency is part of the U.S. Department of Energy, responsible for maintaining the nation’s nuclear weapons stockpile, and addresses nuclear and radiological emergencies both domestically and internationally.

“On Friday, July 18, the exploitation of a zero-day vulnerability in Microsoft SharePoint affected the Department of Energy, including the NNSA,” a spokesperson for the U.S. Department of Energy told Bleeping Computer. “The department was minimally impacted due to the widespread use of Microsoft M365 cloud and robust cybersecurity systems.”

According to Bloomberg, no evidence has yet been found that any confidential or classified information may have been compromised as a result of the attack.
