Critical zero-day vulnerabilities in Microsoft's on-premises SharePoint Server are being actively exploited by cybercriminals and nation-state actors, prompting urgent warnings from Microsoft and cybersecurity experts. The flaws, tracked as CVE-2025-53770 (remote code execution) and CVE-2025-53771 (spoofing), let unauthenticated attackers execute code on the server and spoof requests over the network, potentially granting full access to SharePoint file systems and to connected services such as Teams and OneDrive. SharePoint Online in Microsoft 365 is not affected; only self-hosted SharePoint Server farms are.
The attacks, collectively referred to as "ToolShell," have primarily hit on-premises SharePoint deployments that are still widely used by institutions such as schools, hospitals, and government agencies, organizations that often lack robust cybersecurity defenses. Microsoft issued a warning over the weekend about ongoing attacks and released patches on Monday for SharePoint Server 2019 and SharePoint Subscription Edition. At the time of writing, SharePoint Server 2016 had no fix, leaving those systems exposed.
Despite the release of patches, experts caution that even patched systems may remain compromised if attackers gained a foothold before the fix was applied, for example by implanting a web shell or by stealing the server's ASP.NET machine keys (the ValidationKey and DecryptionKey used to sign and encrypt __VIEWSTATE). With those keys an attacker can craft payloads that a patched server will still accept, so patching alone does not evict them; the keys must also be rotated. The full scope of the breach could take weeks or months to understand, and further waves of SharePoint-targeted hacking activity are expected.
Microsoft attributed the exploitation to the Chinese state-sponsored groups Linen Typhoon and Violet Typhoon and to a third China-based actor it tracks as Storm-2603, targeting entities including corporations, government agencies, and universities worldwide. The attacks were part of a broader, coordinated exploitation campaign first flagged by Eye Security, with victims identified in countries such as Saudi Arabia, Vietnam, and the UAE.
As of July 21, 2025, approximately 100 organizations had been compromised through this zero-day vulnerability, according to Eye Security. The attacks targeted self-managed SharePoint servers, which are popular in both the government and business sectors. The affected entities reportedly include industrial firms, banks, healthcare providers, auditors, and government bodies, including some in the U.S. and the U.K.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and issued technical guidance to minimize risk, recommending that any internet-facing server that cannot be patched or mitigated be disconnected from the internet until it is. Experts strongly urge affected organizations to apply the latest patches, keep vulnerable servers off the internet in the meantime, rotate the farm's ASP.NET machine keys and any other cryptographic material the servers held, restart IIS so the old keys leave memory, and bring in professional incident response immediately, treating the servers as compromised until proven otherwise.
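The post-patch steps above (verify the fix is installed, rotate the machine keys, restart IIS) are the part most often skipped, so here is an added example of how an administrator would script them from the SharePoint Management Shell. This is illustrative code written for this page, not code from the Wall Street Journal article, Microsoft, or CISA. It assumes a SharePoint 2019 or Subscription Edition farm where the Set-SPMachineKey and Update-SPMachineKey cmdlets are available, and it takes the minimum patched build number as a parameter that the operator copies from Microsoft's advisory for their edition rather than hard-coding it here.

```powershell
<#
  Added example (not from the article or from Microsoft): post-patch key hygiene
  for an on-premises SharePoint farm hit by ToolShell.
  Run as a farm administrator from the SharePoint Management Shell on one server.
  Assumptions (labelled): -MinimumPatchedBuild is supplied by the operator from
  Microsoft's advisory; Set-SPMachineKey / Update-SPMachineKey exist in this edition.
#>
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumPatchedBuild   # build number of the July 2025 fix for your edition
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Refuse to continue on an unpatched farm. Rotating keys before patching is
#    wasted effort: the still-open vulnerability lets the attacker steal the new ones.
$build = (Get-SPFarm).BuildVersion
if ($build -lt $MinimumPatchedBuild) {
    throw "Farm build $build is below the patched build $MinimumPatchedBuild. Patch first (or keep the server off the internet)."
}
Write-Host "Farm build $build is at or above the patched build; continuing."

# 2. Rotate the ASP.NET machine keys for every web application, including
#    Central Administration. Stolen ValidationKey/DecryptionKey values let an
#    attacker forge __VIEWSTATE that a patched server still trusts, so the old
#    keys must be retired farm-wide, not just on the server that was hit.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Set-SPMachineKey -WebApplication $webApp      # generate new keys in the config database
    Update-SPMachineKey -WebApplication $webApp   # write them to web.config on every server
}

# 3. Restart IIS on every SharePoint server so running worker processes drop the
#    old keys from memory (Role 'Invalid' marks non-SharePoint hosts such as SQL).
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
}

# 4. Leave a timestamp for the incident responders: anything that ran on these
#    hosts before this moment was done under keys the attacker may have held.
Write-Host "Machine keys rotated and IIS restarted at $(Get-Date -Format o)."
```

Rotating the keys invalidates every active user session and any cached ViewState, so schedule it, but do not wait for a maintenance window on a farm that was exposed. The script deliberately does nothing about backdoors already on disk; that is the incident-response engagement the article calls for, and the key rotation only ensures that whoever was inside cannot walk back in through a forged __VIEWSTATE.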
This incident underscores the critical importance of timely software updates and robust cybersecurity measures, especially for organizations relying on legacy systems. The rapid exploitation of this vulnerability highlights the need for continuous vigilance and proactive defense strategies in the face of evolving cyber threats.

Source: The Wall Street Journal https://www.wsj.com/tech/cybersecurity/microsoft-alerts-firms-to-server-software-attack-99f9b036/?gaa_at=eafs&gaa_n=ASWzDAiPsOu8UAS0pIwfPk8ph0wIkTuAwVRSyCSMnDTG5wkzVP0Zr1vC3rNm&gaa_sig=Z08wdKL-07Z9m6bF4r52y8Z6IBUlcOscNdkbjIh6KACffSLem9iUINkTAXpvx0ahrKRup9lzb8NhXzaNyTBzXw%3D%3D&gaa_ts=68801219
 
