Microsoft Patches SharePoint Flaws as Hackers Rush to Exploit Them
Microsoft released the last of the security updates designed to protect all vulnerable SharePoint servers against attacks exploiting two zero-day security flaws while threat intelligence teams continue to map the extent of the threat from the “ToolShell” vulnerability chain.
Cybersecurity vendors are reporting a rapid rise in attacks by multiple bad actors – including China-nexus threat groups – leveraging the two critical SharePoint software vulnerabilities since the weekend, though Check Point Research said the flaws have been exploited by hackers since at least July 7.
Microsoft earlier this month partially patched the two vulnerabilities – a remote code execution (RCE) vulnerability tracked as CVE-2025-53770 and a server spoofing flaw (CVE-2025-53771) – before they were widely known, though researchers with security vendor Code White wrote last week that they had reproduced the ToolShell vulnerability chain.
Microsoft said early July 21 that it had released updates to SharePoint Subscription Edition and SharePoint 2019 to protect against the threat and later that night sent out an update for SharePoint 2016. The updates “fully protect” all organizations using on-premises SharePoint servers that were vulnerable. Cloud-based SharePoint servers in Microsoft 365 aren’t affected by the vulnerabilities.
The IT giant urged all customers to immediately patch their vulnerable systems.
“SharePoint security updates are cumulative,” the company wrote in the latest version of its alert. “If you are applying the latest security updates linked here, you do not need to apply the earlier updates; however, both updates for SharePoint 2016 and 2019 provided should be applied.”
Bad Actors Go All In
As Microsoft tries to stem the damage from ToolShell, cybersecurity researchers are trying to gauge what’s going on in the wild. Charles Carmakal, CTO of Google’s Mandiant Consulting, wrote on LinkedIn that the “exploitation was broad and opportunistic. We’re aware of victims in several sectors and global geographies. The activity primarily involved the theft of machine key material, which could be used to access victim environments after the patch has been applied.”
Carmakal wrote that while a Chinese-linked threat group was exploiting the chained security flaws, multiple hackers are actively exploiting ToolShell and that “new threat actors with diverse motivations will continue to exploit these vulnerabilities over time.”
In a report released Tuesday, Microsoft Threat Intelligence researchers said they’ve seen two long-time Chinese nation-state actors – Linen Typhoon and Violet Typhoon – and another China-based group, Storm-2603, exploiting the vulnerabilities. Linen Typhoon has been around since 2012 and is focused on stealing IP, while Violet Typhoon – which emerged in 2015 – is known for cyber-espionage. Meanwhile, Storm-2603 is looking to steal MachineKeys.
Check Point researchers wrote that exploitation of the flaws began three weeks ago, with the first signs of the threat seen July 7, and that “since then, we’ve confirmed dozens of compromise attempts across government, telecommunications, and software sectors in North America and Western Europe.”
Microsoft backed up Check Point’s assertion.
Mixing in Ivanti Threats
In addition, some attackers exploiting the Microsoft flaws are also using known vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) mobile management software in their campaigns, Check Point researchers wrote.
The target of the July 7 attack was a major Western government, and the attacks intensified after July 18 through three IP addresses, one of which is associated with exploitation attempts of the Ivanti EPMM vulnerability chain.
“The attack vector involves a custom webshell that parses parameters from VIEWSTATE payloads, enabling insecure deserialization attacks,” they wrote, noting that the targeted sectors include government agencies, software, and telecoms primarily in North America and Western Europe. “This is yet another case of zero-day SharePoint exploitation being used in targeted attacks against sectors that manage sensitive data and critical systems.”
They added that “threat actors are rapidly leveraging unpatched SharePoint vulnerabilities and chaining exploits like CVE-2025-53770 with older flaws such as CVE-2025-49706 to gain initial access and escalate privileges.”
Attacks Are Spreading
Bloomberg, citing unnamed sources, reported that hackers have used the vulnerabilities to break into systems used by national governments in Europe and the Middle East as well as government systems in the United States, including the U.S. Education Department, the Revenue Department in Florida, and the Rhode Island General Assembly.
A number of cybersecurity firms are scanning vulnerable SharePoint servers to determine the extent of the attacks. Eye Security, which first reported on the vulnerability, said it scanned 8,000 such systems around the world. Qualys researchers said a search on the Fofa search engine found more than 200,000 targets.
Some vendors also are trying to exploit the vulnerabilities themselves to determine if a SharePoint server is still vulnerable, Mandiant’s Carmakal wrote.
“There is a lot of noise in logs,” he wrote. “Organizations will likely see multiple discrete sets of activity. Some may be associated with threat actors, some may be security researchers/scanners.”
Cryptographic Keys a Concern
A worry for security vendors is that the vulnerabilities allow bad actors to steal cryptographic keys that let them impersonate users or services, which means attackers retain access to the targeted systems even after reboots and updates.
Austin Larsen, principal threat analyst with Google Threat Intelligence Group, wrote on LinkedIn that bad actors are using the flaws to install webshells and exfiltrate cryptographic MachineKey secrets from targeted servers.
“The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching,” Larsen wrote. “Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat.”
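To make the point behind Larsen’s remark concrete, here is an added example (not code from the article or from any vendor quoted in it) that models why a stolen ASP.NET machine key outlives a patch and why rotation is the actual remediation. It is a deliberately simplified stand-in: a 32-byte HMAC-SHA256 validation key plays the role of the `<machineKey>` validationKey, and the token layout (payload followed by its MAC, base64-encoded) is a constructed format, not the real ViewState encoding. The scenario walks through key theft, a patch that leaves the key untouched, and a key rotation, and checks what the server still accepts at each step.

```python
"""
Simplified model of why stolen ASP.NET machine keys outlive a patch.

Constructed example: a 32-byte HMAC-SHA256 validation key stands in for the
ASP.NET <machineKey> validationKey; the token format (payload || MAC, base64)
is a simplification and is NOT the real ViewState encoding.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_token(payload: bytes, validation_key: bytes) -> bytes:
    """Append an HMAC over the payload, the way a MAC-protected state blob is issued."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac)


def verify_token(token: bytes, validation_key: bytes) -> Optional[bytes]:
    """Return the payload if the MAC checks out under the server's current key, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    # Constant-time compare so verification itself does not leak the MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


class ServerKeyStore:
    """Holds the server-side validation key; rotate() models a machine-key rotation."""

    def __init__(self, key: Optional[bytes] = None):
        self.validation_key = key or os.urandom(MAC_LEN)

    def rotate(self) -> None:
        self.validation_key = os.urandom(MAC_LEN)


def persistence_scenario() -> dict:
    """Walk through: key stolen -> patch applied (key unchanged) -> key rotated."""
    server = ServerKeyStore()
    stolen_key = server.validation_key  # models what a webshell exfiltrated (constructed)
    foreign_token = sign_token(b"state-from-key-holder", stolen_key)

    accepted_before_patch = verify_token(foreign_token, server.validation_key) is not None
    # The patch removes the original bug but does not touch the key store,
    # so anything MAC'd under the stolen key still verifies.
    accepted_after_patch = verify_token(foreign_token, server.validation_key) is not None
    server.rotate()
    accepted_after_rotation = verify_token(foreign_token, server.validation_key) is not None
    # A token altered after signing is rejected regardless of key state.
    tampered = base64.b64encode(b"X" + base64.b64decode(foreign_token)[1:])
    tampered_accepted = verify_token(tampered, stolen_key) is not None
    return {
        "accepted_before_patch": accepted_before_patch,
        "accepted_after_patch_without_rotation": accepted_after_patch,
        "accepted_after_rotation": accepted_after_rotation,
        "tampered_token_accepted": tampered_accepted,
    }


if __name__ == "__main__":
    for name, value in persistence_scenario().items():
        print(f"{name}: {value}")
```

The middle result is the one defenders care about: the server still accepts material MAC’d under the stolen key after the code fix, because the fix and the key are independent. Only the rotation step flips that to a rejection, which is why Larsen’s guidance pairs patching with investigating for compromise and rotating keys rather than treating the update alone as remediation.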
This is particularly dangerous given the access that SharePoint servers have to other Microsoft tools, such as OneDrive and Teams. Bugcrowd CISO Trey Ford said that “attackers with this level of access will be set up to achieve persistence through backdoors. Hunt teams will need time and support for vigilance after mitigations have been put in place.”
“Microsoft products are highly integrated. A broader scope of hunting and post-incident remediation may be necessary.”
Another Blow to Microsoft’s Reputation
All of this comes after Microsoft’s push over the past couple of years to improve its security capabilities and reputation after a couple of high-profile attacks by Chinese- and Russian-linked threat groups in 2023 and 2024. The company-wide Secure Future Initiative (SFI) was launched in November 2023, with CEO Satya Nadella telling employees in May 2024 that security had become Microsoft’s top priority.
Microsoft has been widely criticized by government officials and politicians for such security breaches. Senator Ron Wyden (D-OR) told The Register that “government agencies have become dependent on a company that not only doesn’t care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products. Each hack caused by Microsoft’s negligence results in increased government spending on Microsoft cybersecurity services.”
Security vendors were less critical, with Bugcrowd’s Ford saying that “this is a game of cat-and-mouse, code is always evolving, and the boundless ingenuity of the research community, both altruist and malicious, is highly varied and diverse. Patches are rarely fully comprehensive, and the codebases are both complex and implementations are highly varied. This is why those test harnesses and regression testing processes are so complicated.”
He added that “in a perfect world, everyone would be running the latest version of code, fully patched. Obviously this isn’t possible, so feature development must be tested across an exponentially more complicated surface area.”