17K+ SharePoint Servers Exposed to Internet
A massive exposure of Microsoft SharePoint servers to internet-based attacks has been identified, with over 17,000 servers exposed and 840 specifically vulnerable to the critical zero-day vulnerability CVE-2025-53770, according to new findings from Shadowserver Foundation.
The vulnerability, dubbed “ToolShell” by researchers, carries a critical CVSS score of 9.8 and allows unauthenticated attackers to execute arbitrary code remotely on on-premises SharePoint servers. Most alarmingly, investigators have already identified at least 20 servers with active webshells, indicating successful compromises.
Microsoft has attributed the attacks to three Chinese threat actors: Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603. The exploitation campaign has been active since July 7, 2025, with researchers observing a rapid escalation following the initial discovery.
Eye Security, which first reported the attacks on July 18, has confirmed over 400 victim organizations across multiple sectors, including government, healthcare, finance, and education.
The scope appears much larger, with experts warning that “the actual number is almost certainly higher” due to the stealthy nature of the attacks.
Government Agencies Among Victims
Several U.S. federal agencies have been confirmed as victims, including the Department of Energy’s National Nuclear Security Administration, the Department of Homeland Security, the Department of Health and Human Services, and the Department of Education. State and local government agencies have also been impacted across the country.
The attacks exploit a chained vulnerability sequence that bypasses authentication entirely. Attackers send crafted POST requests to SharePoint’s ToolPane endpoint, deploying malicious webshells typically named “spinstall0.aspx” and variants.
These shells enable attackers to steal ASP.NET machine keys, providing persistent access even after patching.
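As an added defender-side example (not code from the article or from Shadowserver, Eye Security or Microsoft), the script below scans IIS W3C log lines for the two indicators described above: POST requests to the ToolPane endpoint and requests for `spinstall0.aspx`-style webshells. The ToolPane path `/_layouts/15/ToolPane.aspx`, the `spinstall<digits>.aspx` pattern for "variants", and the sample log lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample IIS W3C log (not real data); field order follows the #Fields: header.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 03:12:44 GET /_layouts/15/start.aspx - 10.0.0.5 200
2025-07-19 03:13:01 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 200
2025-07-19 03:13:03 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 200
2025-07-19 03:15:20 GET /_layouts/15/spinstall1.aspx - 203.0.113.7 200
2025-07-19 03:20:00 POST /_layouts/15/ToolPane.aspx - 10.0.0.9 401
"""

# Assumed endpoint path; the article names only "ToolPane". IIS paths are case-insensitive.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
# Assumed pattern for "spinstall0.aspx and variants".
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    reason: str
    status: str


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_toolshell_indicators(text):
    """Return every record matching either indicator, in log order."""
    hits = []
    for rec in parse_w3c(text):
        stem, ts = rec["cs-uri-stem"], f'{rec["date"]} {rec["time"]}'
        if rec["cs-method"] == "POST" and stem.lower() == TOOLPANE_PATH:
            hits.append(Hit(ts, rec["c-ip"], "POST to ToolPane endpoint", rec["sc-status"]))
        elif WEBSHELL_RE.search(stem):
            hits.append(Hit(ts, rec["c-ip"], "request for spinstall*.aspx webshell", rec["sc-status"]))
    return hits


def clients_with_full_chain(hits):
    """Client IPs that both POSTed to ToolPane and fetched a webshell: strongest compromise signal."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h.client_ip, set()).add(h.reason)
    return {ip for ip, reasons in by_ip.items() if len(reasons) == 2}
```

Any client in the full-chain set should be treated as a likely successful compromise, which per the article means rotating machine keys as well as patching.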
Storm-2603, one of the Chinese groups involved, has been observed deploying Warlock ransomware on compromised systems, escalating the threat beyond data theft to operational disruption.
The group uses sophisticated techniques, including Mimikatz for credential harvesting and lateral movement tools like PsExec.
Microsoft has released emergency patches for all supported SharePoint versions, but experts emphasize that patching alone is insufficient. Organizations must rotate machine keys, enable the Antimalware Scan Interface (AMSI), and conduct thorough security assessments.
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with an emergency remediation deadline, underscoring the severity of the threat to critical infrastructure.