
Worldwide Cyberattack Targets SharePoint Systems, Affecting Hundreds

CISA is responding to potential compromises at federal agencies and at selected state and local entities.

Global cyberattack targeting SharePoint systems impacts numerous networks globally


An active global cyberattack, known as the ToolShell hacking campaign, is under way. The campaign exploits multiple zero-day vulnerabilities in on-premises Microsoft SharePoint servers[1][2][4].

The ToolShell exploit chain includes four critical vulnerabilities: CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. These vulnerabilities allow unauthenticated remote code execution (RCE) and authentication bypass on vulnerable SharePoint installations[1][2][4].

The vulnerability chain was initially disclosed in May 2025 at the Pwn2Own Berlin event. Microsoft issued patches for the initial vulnerabilities (CVE-2025-49704 and CVE-2025-49706) in July 2025. However, attackers rapidly discovered bypasses for these patches, leading to further vulnerability disclosures (CVE-2025-53770 and CVE-2025-53771) and emergency patch releases by Microsoft around July 21, 2025[1][2][4].

Researchers have observed active exploitation beginning around mid-July 2025, including chaining the original vulnerabilities with their bypasses to maintain persistent, unauthenticated access[1][2][3]. Over 150 organizations worldwide, including government agencies, critical infrastructure operators, universities, and private enterprises, have reported compromises[3].

Exploitation has been attributed to Chinese state-sponsored threat actors such as Linen Typhoon, Violet Typhoon, and Storm-2603. These groups leveraged the ToolShell vulnerabilities to deploy ransomware, including Warlock ransomware[1][2][3].

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has rapidly added related CVEs to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching[1][2][4]. Microsoft and security researchers have issued emergency advisories and patches, with continuous updates to address patch bypass techniques[1][2][4].

Cloudflare and other security providers have implemented protective rules and observed high volumes of exploit attempts, signaling a widespread and intense attack campaign[5].

The attack poses significant risk to critical systems globally. The attackers' ability to bypass patches and chain vulnerabilities complicates mitigation efforts and shortens the window for defensive response[1][4][5]. The campaign reflects an advanced, persistent threat actor capability combining zero-days, patch reverse engineering, and ransomware deployment, undermining confidence in conventional patch-based defense[1][4][5].

According to reports, more than 10,700 SharePoint instances remain exposed, and the Shadowserver Foundation has confirmed more than 300 victims of the ToolShell hacking campaign[6][7]. The global campaign exploiting the ToolShell vulnerabilities in Microsoft SharePoint has thus compromised hundreds of systems across the globe[6][7].

In summary, ToolShell is a critical and urgent threat exploiting Microsoft SharePoint servers worldwide, with active exploitation by sophisticated nation-state actors resulting in ransomware incidents and system compromises. Immediate patching and enhanced monitoring of SharePoint servers are strongly advised by Microsoft, CISA, and the cybersecurity community[1][2][3][4][5].

  1. The ongoing ToolShell hacking campaign, which targets multiple zero-day vulnerabilities in on-premises Microsoft SharePoint servers, has heightened privacy concerns, since unauthenticated remote code execution and authentication bypass can lead to breaches of sensitive data.
  2. Cybersecurity incident response to the ToolShell attack has been accelerated because of its sophistication, with organizations in various sectors, including finance, politics, and news media, exposed to serious vulnerabilities and potential data loss.
  3. The ToolShell exploit, leveraged by Chinese state-sponsored threat actors, demonstrates how vulnerable technology systems remain: the attackers have shown an ability to bypass patches and chain vulnerabilities, making defense and incident response challenging.
  4. In light of the ToolShell global cyberattack, it is crucial to strengthen cybersecurity measures and keep abreast of zero-day vulnerabilities and ongoing cyber threats, in order to maintain the integrity and privacy of financial and political systems, critical infrastructure, and news organizations.
