A major wave of cyberattacks, referred to as “ToolShell,” has recently targeted Microsoft SharePoint servers around the world. These attacks have been attributed to Chinese state-linked hackers and have affected government agencies, critical infrastructure, universities, and multinational corporations. The campaign exploited a chain of zero-day vulnerabilities in on-premises versions of Microsoft SharePoint, allowing for unauthenticated remote code execution and full system compromise.
Key Details of the Attacks
- Attack Vector:
  Exploitation occurred through two linked zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771. Attackers bypassed authentication checks, obtaining remote access to and control over SharePoint servers.
- ToolShell Malware:
  Once inside, attackers deployed the ToolShell backdoor, which provided persistent, unauthenticated remote access. They stole cryptographic keys, enabling continued access and impersonation of legitimate users or services even after patching.
- Scope and Impact:
  - At least 100 organizations confirmed targeted, including U.S. and European government agencies, energy companies, and universities.
  - More than 8,000 vulnerable servers were identified, with dozens confirmed fully compromised in the initial attack waves on July 18–19, 2025.
  - Cloud-based SharePoint Online was not affected; only customer-managed (on-premises) installations were at risk.
- Attribution:
  Multiple sources, including Google's Mandiant Consulting and researchers at Eye Security, confirmed that at least one of the threat actors responsible for early exploitation is linked to China. The attack is ongoing and has attracted interest from a variety of threat actors.
Attack Consequences
- Full System Access:
  Attackers gained unrestricted access to:
- Persistence after Patch:
  Stolen cryptographic keys allowed attackers to maintain access even after SharePoint servers were patched. Experts strongly recommended not only patching but also rotating cryptographic keys and thoroughly investigating for signs of compromise.
- Potential for Further Damage:
  The ToolShell attacks not only enabled data theft and spying but also laid the groundwork for installing additional malware, backdoors, or ransomware in affected environments.
Mitigation and Response
- Patching:
  Microsoft released emergency security updates for all supported on-premises SharePoint versions, but patching alone is not sufficient.
- Key Rotation:
  Organizations were urged to rotate ASP.NET machine keys and restart SharePoint services to block attacker persistence.
- Detection & Incident Response:
  Proactive system checks are recommended to identify possible compromise, as many intrusions took place before patches were issued.
- Official Warnings:
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added ToolShell to its Known Exploited Vulnerabilities list and issued alerts for urgent mitigation.
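The key rotation and service restart recommended above can be carried out farm-wide as follows. This is an added example, not part of the original report or Microsoft's guidance; it assumes SharePoint Server 2016 or later with the Microsoft.SharePoint.PowerShell snap-in, whose Set-SPMachineKey and Update-SPMachineKey cmdlets generate and deploy new keys, and that it is run from an elevated SharePoint Management Shell on a farm server after the security update has been installed.

```powershell
# Rotate the ASP.NET machine keys for every web application in the farm,
# then restart IIS so the new keys take effect. Added example; assumes
# Set-SPMachineKey / Update-SPMachineKey are available (SharePoint 2016+).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        # Generate a fresh machine key for this web application ...
        Set-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        # ... and deploy it to every server in the farm so they stay in sync.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $true;  Error = $null }
    }
    catch {
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Only restart IIS once every web application rotated cleanly; a half-rotated
# farm would leave some servers still trusting tokens signed with the old keys.
if ($results.Rotated -notcontains $false) {
    iisreset.exe /noforce
} else {
    Write-Warning "Rotation failed for at least one web application; resolve the errors above before restarting IIS."
}
```

Rotation invalidates existing view state and authentication tickets, so signed-in users are logged out; schedule it accordingly, and treat it as a complement to, not a substitute for, the forensic review recommended above.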
Summary Table: ToolShell Attack Facts
| Aspect | Details |
|---|---|
| Attack Name | ToolShell |
| Initial Exploitation | July 18–19, 2025 |
| Main Vulnerabilities | CVE-2025-53770, CVE-2025-53771 (and related CVEs) |
| Main Targets | On-premises Microsoft SharePoint servers (not SharePoint Online) |
| Notable Victims | U.S./European agencies, universities, energy companies, large multinationals |
| High-Impact Actions | Theft of cryptographic keys, lateral network movement, backdoor installation |
| Attribution | At least one China-nexus threat actor (with more actors joining) |
| Response Recommendations | Patch immediately, rotate keys, conduct forensic investigation, monitor access |