Hackers Exploiting Microsoft Flaw to Attack Governments, Businesses
Microsoft and security experts are urging organizations to update their on-premises SharePoint servers to fix two zero-day vulnerabilities that threat actors reportedly have begun to exploit to launch attacks on governments, universities and businesses around the world.
The attacks using the vulnerability chain – now tracked as CVE-2025-53770 and CVE-2025-53771 and dubbed “ToolShell” – started July 18 and continued into the next day, according to threat researchers at Eye Security, a Netherlands-based firm that first wrote about the attacks over the weekend.
Microsoft issued an urgent alert July 19 that it is “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update,” adding that cloud-based SharePoint Online is not vulnerable to the security flaws.
In an update early Monday, the IT giant said it has released security updates that fully protect organizations running SharePoint Subscription Edition and SharePoint 2019, and that it is working on an update for SharePoint 2016. The new updates, along with those issued earlier this month, should be applied immediately, the vendor wrote.
Charles Carmakal, CTO for Google Cloud’s Mandiant consulting department, wrote in a LinkedIn post that the “threat campaign is active and evolving,” adding that “if your organization has on-premises Microsoft SharePoint that’s exposed to the internet, you have urgent homework to do. This isn’t an ‘apply the patch and you’re done’ situation. Organizations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised before the patch/mitigation, and take remediation actions.”
Ongoing Attacks
Eye Security and other organizations are noting the ongoing attacks exploiting the vulnerabilities. The Eye researchers wrote in their report that before the security flaws were widely known – researchers at cybersecurity vendor Code White wrote earlier last week that they had reproduced the ToolShell unauthenticated vulnerability chain – they had scanned more than 8,000 SharePoint servers around the world and found “dozens of systems actively compromised during two waves of attack, on 18th of July … and 19th of July.”
Palo Alto Networks’ Unit 42 threat intelligence team wrote that it was seeing the vulnerability chain being actively exploited globally, noting that “these flaws allow unauthenticated attackers to access restricted functionality. When chained together, they enable arbitrary command execution on vulnerable SharePoint servers.”
Isabelle Meyer, co-founder and CEO of Zendata Cybersecurity, wrote that her company is helping customers assess their exposure to the threat, implement mitigations, and investigate possible compromises.
More Than Just Patching
“This isn’t just about patching: it’s about proactive detection, response, and hardening,” Meyer wrote in a response to Carmakal’s LinkedIn post. “If you are not able to protect your SharePoint on-prem, you probably should not operate SharePoint on-prem. If your on-prem SharePoint is exposed to the internet, act now: mitigate, monitor, and assume compromise until proven otherwise.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added ToolShell to its Known Exploited Vulnerabilities Catalog, noting in another release that the remote code execution (RCE) threat “provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
Eye researchers said the vulnerability chain lets attackers gain control of servers without authentication, adding that the “risk is not theoretical.” They can remotely execute code and bypass verification protections like multifactor authentication (MFA) and single sign-on (SSO). Once in the server, they have access to all SharePoint content, system files, and configurations, and can move laterally throughout the Windows domain.
Stolen Cryptographic Keys
“More concerning is the theft of cryptographic keys,” they wrote. “These keys allow attackers to impersonate users or services, even after the server is patched. So patching alone does not solve the issue; you need to rotate the cryptographic material, allowing all future IIS tokens that can be created by the malicious actor to become invalid.”
Hackers also can maintain persistence in the system by using backdoors or modifying components that can stay in place even after system reboots and updates.
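The two response steps the Eye researchers describe above, rotating the stolen cryptographic material and checking for a planted shell, translate into a short farm-wide procedure. The following PowerShell is an added example written for this page, not code from the article, Eye Security or Microsoft: it assumes the SharePoint 16 hive at its default install path, a 14-day look-back window for newly written .aspx files, and that it is run from the SharePoint Management Shell as a farm administrator after the July security updates have been installed.

```powershell
# Added example: post-compromise response for an on-premises SharePoint farm.
# Assumptions (not from the article): default hive path, 14-day hunt window,
# run as farm admin on one farm server after the security update is applied.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Hunt for persistence. Pages dropped into the LAYOUTS directory are served
#    by every site in the farm, so any .aspx written since the exposure window
#    began deserves a look. Adjust $cutoff to your own patch/exposure timeline.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$cutoff  = (Get-Date).AddDays(-14)

$suspect = Get-ChildItem -Path $layouts -Recurse -Filter *.aspx -File |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending

if ($suspect) {
    Write-Warning "Recently written .aspx files under LAYOUTS (review each one):"
    $suspect | Select-Object LastWriteTime, Length, FullName | Format-Table -AutoSize
} else {
    Write-Host "No .aspx files under LAYOUTS written after $cutoff"
}

# 2. Rotate the ASP.NET machine keys of every web application (Central
#    Administration included). Tokens forged with keys stolen before patching
#    stop validating once the keys change; patching alone does not do this.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Update-SPMachineKey -WebApplication $_
    Write-Host "Rotated machine key for $($_.Url)"
}

# 3. Restart IIS on every SharePoint server in the farm so the new keys are
#    loaded. Servers with role 'Invalid' (e.g. the SQL server) host no IIS.
$servers = (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }).Address
foreach ($s in $servers) {
    Invoke-Command -ComputerName $s -ScriptBlock { iisreset.exe }
}
```

Treat any file the hunt lists as evidence to preserve before removing it, and run the key rotation again if a server is later found to have been compromised after the first rotation, since keys read by an attacker after rotation are just as usable as the originals.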
“Because SharePoint often connects to core services like Outlook, Teams, and OneDrive, a breach can quickly lead to data theft, password harvesting, and lateral movement across the network,” the researchers wrote. “This is a rapidly evolving, targeted exploit. Organizations with unpatched SharePoint servers should not wait for a fix. They should assess for compromise immediately and respond accordingly.”
The researchers added that the goal behind scanning the huge numbers of SharePoint servers was to determine if the exploit was isolated or systemic.
‘It was Systemic’
“The answer came quickly and decisively: it was systemic,” they wrote. “Within hours, we identified dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access.”
According to The Washington Post, hackers already are using ToolShell in attacks on U.S. federal and state agencies, universities, and energy companies. They also have targeted an Asian telecom. U.S. investigators, working with counterparts in Canada and Australia, are investigating the incidents.
“Anybody who’s got a hosted SharePoint server has got a problem,” CrowdStrike’s Adam Meyers, senior vice president of counter adversary operations, told the news organization. “It’s a significant vulnerability.”
According to the Post report, researchers have seen hackers targeting servers in China and a U.S. state legislature, an energy company in a large state, and several European government agencies. At least two U.S. federal agencies had servers breached.
Look to Hardware Protections
Camellia Chan, founder and CEO of cybersecurity firm X-PHY, said the ToolShell threat is another example of the limitations of trust assumptions in software-based defenses and why there needs to be more adoption of hardware-focused protections. X-PHY offers an AI-powered hardware data security solution.
“It underscores an uncomfortable truth: no amount of patching or perimeter defense can guarantee safety when trust assumptions are baked into software architecture,” Chan said.
Zero-trust frameworks are designed to verify anything or anyone before allowing access to the network, but even then, humans often are left to manage exceptions and complex systems, she said, noting that a multi-layered security posture that includes protections embedded in hardware is less exposed to the human factor.