Over 17,000 SharePoint Servers Found Exposed Online — 840 Vulnerable to Active 0-Day Attacks

A significant cybersecurity crisis has emerged with the discovery of over 17,000 Microsoft SharePoint servers exposed to the internet, including 840 systems vulnerable to a critical zero-day vulnerability that Chinese threat actors are actively exploiting.

The vulnerability, designated CVE-2025-53770 and dubbed “ToolShell” by security researchers, has already compromised hundreds of organizations across government, healthcare, finance, and education sectors.

Critical Infrastructure Under Active Attack

The Shadowserver Foundation’s latest findings reveal the alarming scope of this cybersecurity incident, with researchers identifying at least 20 servers already compromised with active webshells.

The vulnerability carries a critical CVSS score of 9.8, enabling unauthenticated attackers to execute arbitrary code remotely on on-premises SharePoint servers.

Microsoft has attributed these sophisticated attacks to three Chinese threat actors: Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603.

The exploitation campaign began on July 7, 2025, with researchers observing rapid escalation following initial discovery.

Eye Security, which first reported the attacks on July 18, has confirmed over 400 victim organizations, though experts warn the actual number is likely much higher due to the stealthy nature of these intrusions.

Several U.S. federal agencies have fallen victim to these attacks, including the Department of Energy’s National Nuclear Security Administration, the Department of Homeland Security, the Department of Health and Human Services, and the Department of Education.

State and local government agencies nationwide have also been impacted, raising serious concerns about national security implications.

The attacks exploit a sophisticated vulnerability chain that completely bypasses authentication mechanisms.

Attackers send carefully crafted POST requests to SharePoint’s ToolPane endpoint, deploying malicious webshells typically named “spinstall0.aspx” and variants.

These shells enable threat actors to steal ASP.NET machine keys, providing persistent access even after systems are patched.
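The two indicators the article names, POST requests to the ToolPane endpoint and requests for spinstall0.aspx-style webshells, are straightforward to hunt for in IIS W3C logs. The following added example is not from the article or from any vendor tooling; it assumes the endpoint lives at /_layouts/15/ToolPane.aspx and runs over a constructed sample log.

```python
"""Scan IIS W3C logs for ToolShell-style activity: POSTs to the SharePoint
ToolPane endpoint and any request for spinstall0.aspx-style webshells."""
import re

# Path of the ToolPane endpoint (assumed; the article only says "the ToolPane endpoint").
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
# spinstall0.aspx plus renamed/numbered variants such as spinstall1.aspx
WEBSHELL_RE = re.compile(r"/spinstall\w*\.aspx$", re.IGNORECASE)

# Constructed sample log (not real traffic); IIS writes a #Fields header naming each column.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 192.0.2.10 200
2025-07-18 09:12:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 198.51.100.23 200
2025-07-18 09:12:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.23 200
2025-07-18 09:13:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 192.0.2.10 200
"""


def parse_iis_log(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data rows before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def scan_iis_log(text):
    """Return (rule, client_ip, uri) tuples worth triage, in log order.
    A plain GET of ToolPane.aspx by an editor is normal and is not flagged."""
    findings = []
    for entry in parse_iis_log(text):
        uri = entry.get("cs-uri-stem", "")
        client = entry.get("c-ip", "?")
        if entry.get("cs-method") == "POST" and TOOLPANE_RE.search(uri):
            findings.append(("toolpane-post", client, uri))
        if WEBSHELL_RE.search(uri):
            findings.append(("webshell-request", client, uri))
    return findings


if __name__ == "__main__":
    for rule, client, uri in scan_iis_log(SAMPLE_LOG):
        print(f"{rule:17} {client:16} {uri}")
```

A ToolPane POST followed shortly by a request for a spinstall*.aspx file from the same client, as in the sample, is the pattern that should trigger machine-key rotation and a full compromise assessment rather than patching alone.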

Storm-2603, one of the involved Chinese groups, has escalated threats beyond data theft by deploying Warlock ransomware on compromised systems.

The group employs sophisticated techniques including Mimikatz for credential harvesting and lateral movement tools like PsExec, demonstrating advanced persistent threat capabilities.

Microsoft has released emergency patches for all supported SharePoint versions, but cybersecurity experts emphasize that patching alone is insufficient.

Organizations must immediately rotate machine keys, enable Anti-Malware Scan Interface (AMSI), and conduct comprehensive security assessments to identify potential compromises.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with an emergency remediation deadline, underscoring the critical threat to essential infrastructure systems nationwide.
