SharePoint 0-Day Vulnerabilities Under Attack Since Early July

Multiple Chinese state-backed hacking groups are actively exploiting a chain of zero-day vulnerabilities in Microsoft SharePoint, according to cybersecurity researchers. Alarmingly, the attackers have reportedly compromised the network of the U.S. National Nuclear Security Administration (NNSA).

ToolShell Exploit Chain: From Pwn2Own to Real-World Attacks

The exploit chain—dubbed ToolShell—was first demonstrated at the Pwn2Own Berlin hacking competition in May 2025. Researchers from Viettel Cyber Security combined two vulnerabilities (CVE-2025-49706 and CVE-2025-49704) to achieve remote code execution (RCE) on vulnerable SharePoint servers.

Microsoft shipped fixes for those two CVEs in its July 2025 Patch Tuesday release, but attackers then bypassed the fixes with newly developed exploits. The bypasses were assigned their own CVE identifiers, including CVE-2025-53770, which is the one referenced by the public proof-of-concept discussed below.

Last week, Eye Security reported that these vulnerabilities were already being exploited in the wild against on-premises SharePoint Server instances; SharePoint Online in Microsoft 365 is not affected.

Emergency Patches and Microsoft Guidance

Microsoft has issued emergency out-of-band updates for SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. The corresponding KB updates are:

  • KB5002754 – SharePoint Server 2019 Core
  • KB5002753 – SharePoint Server 2019 Language Pack
  • KB5002760 – SharePoint Server 2016 Enterprise
  • KB5002759 – SharePoint Server 2016 Language Pack
  • KB5002768 – SharePoint Subscription Edition

Microsoft recommends that administrators:

  • Rotate the ASP.NET machine keys after patching. The web shells used in these attacks steal the MachineKey, and a stolen ValidationKey lets an attacker sign malicious ViewState that is still executed by a patched server, so patching alone does not evict them. Microsoft's guidance is to rotate the keys from Central Administration or with the Update-SPMachineKey cmdlet and then restart IIS on every server in the farm.
  • Enable Antimalware Scan Interface (AMSI) integration in Full Mode, so that SharePoint hands inbound requests to the registered antimalware engine before processing them.
  • Deploy Microsoft Defender Antivirus or a compatible endpoint protection solution; without a registered AV engine, AMSI has nothing to scan with.
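The post-patch steps above, carried out in PowerShell, as an added example rather than code from the article or from Microsoft's guidance page. It assumes a default on-premises farm, is run in the SharePoint Management Shell as a farm administrator after the relevant KB has been installed, and uses a placeholder build number (`$fixedBuild`) that the operator must replace with the value from the KB article for their edition. `Invoke-ToolShellPostPatch` is a name chosen here, not a Microsoft cmdlet.

```powershell
# Added example (not from the article or Microsoft's own guidance text): verify the
# farm build, check that an AV engine is running for AMSI, then rotate the ASP.NET
# machine keys on every web application and restart IIS.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Invoke-ToolShellPostPatch {
    param(
        # Lowest farm build that carries the fix for your edition. Take it from the KB
        # article; the news piece above does not list build numbers.
        [Parameter(Mandatory)][version]$MinimumBuild,
        # Keys are only rotated when asked for, so a plain call is a dry run.
        [switch]$RotateKeys
    )

    $build = (Get-SPFarm).BuildVersion
    if ($build -lt $MinimumBuild) {
        Write-Warning "Farm build $build is older than $MinimumBuild; install the security update first."
        return $false
    }
    Write-Host "Farm build $build meets the minimum $MinimumBuild."

    # AMSI Full Mode only helps if Defender (or another AMSI provider) is actually running.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $mp -or -not $mp.RealTimeProtectionEnabled) {
        Write-Warning 'Microsoft Defender real-time protection is not enabled on this server.'
    }

    if ($RotateKeys) {
        # The spinstall*.aspx web shells dump the MachineKey. With the stolen ValidationKey
        # an attacker can sign __VIEWSTATE payloads that deserialize and run on the server
        # even after the patch, so every web application needs freshly generated keys.
        foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
            Write-Host "Rotating machine key for $($wa.Url)"
            Update-SPMachineKey -WebApplication $wa
        }
        # The new keys are read only at restart; run this on every SharePoint server in the farm.
        iisreset.exe
    }
    return $true
}

# Placeholder: replace with the fixed build number from the KB for your edition.
$fixedBuild = [version]'16.0.0.0'

# Dry run first (build and AV checks only), then rotate the keys.
Invoke-ToolShellPostPatch -MinimumBuild $fixedBuild
Invoke-ToolShellPostPatch -MinimumBuild $fixedBuild -RotateKeys
```

Rotation invalidates any ViewState signed with the old keys, so users with open sessions will see a one-time error on their next postback; schedule it accordingly, but do not skip it on a server that was exposed before the patch.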

Evidence of Active Exploitation

Numerous security vendors—including Cisco Talos, Check Point, CrowdStrike, Palo Alto Networks, SentinelOne, Tenable, Trend Micro, Qualys, and Censys—have confirmed exploitation of ToolShell vulnerabilities.

Microsoft has attributed the activity to several Chinese advanced persistent threat (APT) groups:

  • Linen Typhoon (APT27, Emissary Panda, Bronze Union, Lucky Mouse)
  • Violet Typhoon (APT31, Judgement Panda, Red Keres, Zirconium)
  • Storm-2603 – a newly identified Chinese threat actor

Mandiant (Google Cloud) has also validated the findings.

Per Check Point, signs of active exploitation date back to July 7, 2025, with observed targets in government, telecom, and IT sectors across North America and Western Europe.

Indicators of Compromise (IOCs)

Microsoft has released IOCs to assist defenders in detecting breaches:

IP addresses:

  • 199.202[.]205
  • 238.159[.]149
  • 130.206[.]168

Command-and-Control (C2):

  • 226.2[.]6

Artifacts and Web Shells:

  • spinstall.aspx, spinstall1.aspx, spinstall2.aspx

Payload Delivery:

  • ngrok-free[.]app/file.ps1 (used to deliver PowerShell payloads via Ngrok tunnels)

Furthermore, a working proof-of-concept (PoC) exploit for CVE-2025-53770 was released on GitHub this week, increasing the likelihood of wider adoption by other threat groups.
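The file and log indicators listed above, turned into a hunt script, as an added example that is not from the article or from any vendor's published queries. It assumes a default SharePoint install (the 16 hive for 2016/2019/Subscription Edition, IIS logs in the W3C format), matches any numeric suffix on `spinstall*.aspx` rather than only the three names above, and takes attacker IPs as a parameter because the address entries in the article are partial. The sample log is constructed for the demonstration, not a real capture; `Find-ToolShellWebShells` and `Find-ToolShellLogHits` are names chosen here.

```powershell
# Added example (not from the article or from Microsoft/vendor hunting queries):
# sweep the LAYOUTS directories for dropped web shells and scan IIS W3C logs for
# requests to them, for the ngrok-free.app payload host, and for operator-supplied IPs.

function Find-ToolShellWebShells {
    param(
        # 16 hive: SharePoint 2016, 2019 and Subscription Edition; 15 hive: legacy 2013.
        [string[]]$LayoutsDirs = @(
            'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
            'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
        )
    )
    foreach ($dir in $LayoutsDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Any numeric suffix is matched, not only the variants named in the article.
        Get-ChildItem -LiteralPath $dir -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
    }
}

function Find-ToolShellLogHits {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        # Fill from a vetted IOC list; nothing is defaulted because the article's IP entries are partial.
        [string[]]$SuspiciousIps = @()
    )
    $fields = @()
    foreach ($line in $LogLines) {
        # W3C logs declare their column layout in '#Fields:' lines; other '#' lines are metadata.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $cols = $line -split ' '
        if ($fields.Count -eq 0 -or $cols.Count -ne $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }

        $reasons = @()
        if ($rec['cs-uri-stem'] -match '/spinstall\d*\.aspx$') { $reasons += 'request to web shell path' }
        if ($line -match 'ngrok-free\.app')                      { $reasons += 'ngrok payload host' }
        if ($SuspiciousIps -contains $rec['c-ip'])               { $reasons += 'IOC source IP' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIp = $rec['c-ip']
                Method   = $rec['cs-method']
                Uri      = $rec['cs-uri-stem']
                Status   = $rec['sc-status']
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample log (not a real capture) so the parser can be exercised offline.
# 203.0.113.10 is a documentation address standing in for an attacker IP.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\jdoe 10.0.0.77 Mozilla/5.0 - 200 0 0 31
2025-07-18 08:03:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 12
2025-07-18 08:04:02 10.0.0.5 POST /_layouts/15/spinstall1.aspx src=https://ngrok-free.app/file.ps1 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 18
'@ -split '\r?\n'

# Two hits are expected: the GET to spinstall0.aspx (web shell path, IOC IP) and the
# POST to spinstall1.aspx (web shell path, ngrok host, IOC IP); the start.aspx line is clean.
Find-ToolShellLogHits -LogLines $sampleLog -SuspiciousIps @('203.0.113.10') | Format-Table -AutoSize

# On a live server: sweep the hives and feed the real logs.
Find-ToolShellWebShells | Format-Table -AutoSize
# Find-ToolShellLogHits -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log') -SuspiciousIps $iocIps
```

A hit on the web shell path with a 200 status means the file existed when the request was served; treat the server as compromised and rotate the machine keys even if the file has since been removed, because the key material may already have been exfiltrated.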

Global Scope and Impact

According to Eye Security, at least 400 servers and 148 organizations have been compromised globally through the ToolShell exploit chain.

NNSA Breach: U.S. Government Confirms Limited Impact

The most high-profile victim so far is the U.S. National Nuclear Security Administration (NNSA), which oversees America’s nuclear weapons stockpile and emergency response systems.

In a statement to Bleeping Computer, a U.S. Department of Energy (DoE) spokesperson confirmed:

"On Friday, July 18, exploitation of a Microsoft SharePoint zero-day vulnerability impacted the Department of Energy, including the NNSA. The department was minimally affected due to widespread use of Microsoft M365 cloud and robust cybersecurity systems."

According to Bloomberg, no classified or sensitive data appears to have been compromised during the breach.
