SharePoint 0-day Vulnerability Exploited in Wild by All Sorts of Hacker Groups
A critical zero-day vulnerability in Microsoft SharePoint servers has become a playground for threat actors across the cybercriminal spectrum, with attacks ranging from opportunistic hackers to sophisticated nation-state groups since mid-July 2025.
On July 19, 2025, Microsoft confirmed that a pair of vulnerabilities collectively known as “ToolShell” were being actively exploited in the wild. The chain comprises CVE-2025-53770, an unauthenticated remote code execution vulnerability (deserialization of untrusted data) with a CVSS score of 9.8, and CVE-2025-53771, a spoofing vulnerability used to slip past the server’s authentication checks. Both are bypasses of CVE-2025-49704 and CVE-2025-49706, which Microsoft had already patched in its July Patch Tuesday release, so servers that were current on that update were still exploitable.
These attacks specifically target on-premises Microsoft SharePoint servers running SharePoint Subscription Edition, SharePoint 2019, or SharePoint 2016, while SharePoint Online in Microsoft 365 remains unaffected.
Because the chain needs no credentials, the multi-factor authentication and single sign-on controls that sit in front of SharePoint’s login are never engaged: anyone who can reach the server over the network can obtain arbitrary code execution inside the SharePoint web application’s IIS worker process.
What makes this particularly dangerous is SharePoint’s integration with other Microsoft services, including Office, Teams, OneDrive, and Outlook, potentially granting attackers extensive access across compromised networks.
SharePoint 0-day Vulnerability Exploited
Since exploitation began on July 17, 2025, security researchers have observed a striking diversity of attackers leveraging these vulnerabilities.
The threat landscape includes both financially motivated cybercriminals and state-sponsored espionage groups, creating an unprecedented “all-you-can-eat buffet” for malicious actors.

Microsoft has specifically identified three China-aligned threat groups exploiting the vulnerabilities: Linen Typhoon, Violet Typhoon, and Storm-2603. Charles Carmakal of Google Cloud’s Mandiant unit confirmed that “at least one of the actors responsible for this early exploitation is a China-nexus threat actor”.
Most concerning is the involvement of LuckyMouse (APT27), a sophisticated Chinese cyberespionage group that primarily targets governments, telecommunications companies, and international organizations.
ESET researchers detected a LuckyMouse-associated backdoor on a Vietnamese machine compromised via ToolShell, though it remains unclear whether this represents a new infection or pre-existing compromise.
Adding to the threat complexity, Microsoft reported that Storm-2603 has begun deploying Warlock ransomware using these vulnerabilities, marking an evolution from pure espionage to ransomware operations.
The attacks have demonstrated significant geographic reach, with the United States accounting for 13.3% of attacks according to ESET telemetry data.
Security firm Eye Security has identified over 400 compromised SharePoint systems across multiple attack waves, with victims including U.S. federal agencies, universities, and energy companies.
The exploitation technique involves dropping a webshell, most commonly “spinstall0.aspx,” into the SharePoint LAYOUTS directory. Rather than giving the attacker an interactive shell, the file reads the server’s ASP.NET MachineKey configuration and returns the ValidationKey and DecryptionKey.
With those keys, attackers can sign malicious ASP.NET __VIEWSTATE payloads that the server will deserialize and execute, so they keep code execution without the webshell and even after the initial vulnerabilities are patched; the stolen keys, not the bug, become the persistence mechanism.
Microsoft has released security updates for all affected SharePoint versions as of July 22, 2025 (Subscription Edition and 2019 first, with 2016 following). However, patching alone is insufficient: organizations must also rotate the ASP.NET machine keys for every web application and restart IIS (iisreset.exe) on every server in the farm, and Microsoft additionally recommends enabling AMSI integration and running Defender Antivirus (or an equivalent) on SharePoint servers. Without rotation, an attacker who already holds the keys keeps working access to a fully patched server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, which obliges federal civilian agencies to remediate it on an accelerated deadline.
Given the vulnerability’s appeal to diverse threat actors, security experts predict continued exploitation attempts against unpatched systems for months to come.
Organizations running on-premises SharePoint servers are strongly advised to assume compromise and implement comprehensive incident response procedures beyond simple patching.
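The eviction step above (rotate machine keys, then restart IIS) is easy to get half right, so here is an added example of doing it with a before/after check. This is not Microsoft’s script or code from the article; it assumes the SharePoint Management Shell is installed, that the `Update-SPMachineKey` cmdlet is available on your build, and that each web application zone’s `machineKey` element lives in the `web.config` of its IIS site (paths are taken from `IisSettings`). Key material is never printed; only a truncated SHA-256 of the validation key is shown so you can prove it changed.

```powershell
# Added example (not from the article): post-patch eviction for ToolShell on an
# on-prem SharePoint farm. Run in an elevated SharePoint Management Shell on one
# farm server; repeat the iisreset step on every other SharePoint server.
# Assumptions: Update-SPMachineKey exists on this build; machineKey sits in the
# web.config of each zone's IIS site.
#Requires -RunAsAdministrator
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyFingerprint {
    # Returns the first 16 hex chars of SHA-256(validationKey) from a web.config,
    # enough to detect a change without ever logging the key itself.
    param([string]$WebConfigPath)
    if (-not (Test-Path -LiteralPath $WebConfigPath)) { return $null }
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $node = $cfg.SelectSingleNode('/configuration/system.web/machineKey')
    if (-not $node -or -not $node.validationKey) { return $null }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [Text.Encoding]::UTF8.GetBytes($node.validationKey)
    return ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').Substring(0, 16)
}

function Get-FarmKeyFingerprints {
    # One entry per web application zone: "<webapp>/<zone>" -> fingerprint.
    $map = @{}
    foreach ($wa in Get-SPWebApplication) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $cfgPath = Join-Path $wa.IisSettings[$zone].Path.FullName 'web.config'
            $map["$($wa.DisplayName)/$zone"] = Get-MachineKeyFingerprint $cfgPath
        }
    }
    return $map
}

$before = Get-FarmKeyFingerprints

# 1. Rotate the ASP.NET machine keys of every web application. The rotation is
#    propagated to the other servers in the farm by the SharePoint timer service.
foreach ($wa in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($wa.DisplayName)"
    Update-SPMachineKey -WebApplication $wa   # assumption: cmdlet present on this build
}

# 2. Restart IIS on THIS server so running worker processes drop the old keys.
#    Run the same on every SharePoint server in the farm (e.g. via Invoke-Command).
iisreset.exe

# 3. Verify: any zone whose fingerprint did not change still trusts the stolen key.
$after = Get-FarmKeyFingerprints
foreach ($key in ($after.Keys | Sort-Object)) {
    $status = if ($after[$key] -and $after[$key] -ne $before[$key]) { 'rotated' }
              else { 'NOT ROTATED - investigate before declaring the server clean' }
    '{0,-60} {1}' -f $key, $status
}
```

Run this only after the security update is installed; rotating keys on an unpatched server just gives the attacker a reason to come back for the new ones. If any zone reports `NOT ROTATED`, check the timer job status and the web.config on the other farm members before trusting the result.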
File Indicators of Compromise (IoCs)
SHA-1 | Filename | Detection | Description |
---|---|---|---|
F5B60A8EAD96703080E73A1F79C3E70FF44DF271 | spinstall0.aspx | MSIL/Webshell.JS | Webshell deployed via SharePoint vulnerabilities |
Network Indicators of Compromise (IoCs)
IP Address | Domain | Hosting Provider | First Seen | Details |
---|---|---|---|---|
96.9.125[.]147 | N/A | BL Networks | 2025-07-17 | IP address exploiting SharePoint vulnerabilities. |
107.191.58[.]76 | N/A | The Constant Company, LLC | 2025-07-18 | IP address exploiting SharePoint vulnerabilities. |
104.238.159[.]149 | N/A | The Constant Company, LLC | 2025-07-19 | IP address exploiting SharePoint vulnerabilities. |
139.59.11[.]66 | N/A | DigitalOcean, LLC | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
154.223.19[.]106 | N/A | Kaopu Cloud HK Limited | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
103.151.172[.]92 | N/A | IKUUU NETWORK LTD | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
45.191.66[.]77 | N/A | VIACLIP INTERNET E TELECOMUNICAÇÕES LTDA | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
83.136.182[.]237 | N/A | Alina Gatsaniuk | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
162.248.74[.]92 | N/A | xTom GmbH | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
38.54.106[.]11 | N/A | Kaopu Cloud HK Limited | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
206.166.251[.]228 | N/A | BL Networks | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
45.77.155[.]170 | N/A | Vultr Holdings, LLC | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
64.176.50[.]109 | N/A | The Constant Company, LLC | 2025-07-21 | IP address exploiting SharePoint vulnerabilities. |
149.28.17[.]188 | N/A | The Constant Company, LLC | 2025-07-22 | IP address exploiting SharePoint vulnerabilities. |
173.239.247[.]32 | N/A | GSL Networks Pty LTD | 2025-07-22 | IP address exploiting SharePoint vulnerabilities. |
109.105.193[.]76 | N/A | Haruka Network Limited | 2025-07-22 | IP address exploiting SharePoint vulnerabilities. |
2.56.190[.]139 | N/A | Alina Gatsaniuk | 2025-07-22 | IP address exploiting SharePoint vulnerabilities. |
141.164.60[.]10 | N/A | The Constant Company, LLC | 2025-07-22 | IP address exploiting SharePoint vulnerabilities. |
124.56.42[.]75 | N/A | IP Manager | 2025-07-22 | IP address exploiting SharePoint vulnerabilities. |
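The indicators above are only useful if they are actually run against a server, so here is an added hunt script that checks for the webshell described earlier and for the listed source IPs in IIS logs. It is not ESET’s or the article’s code. It assumes the default 15/16 hive `LAYOUTS` paths, the default IIS log location under `inetpub\logs\LogFiles`, and W3C-format logs with the standard `#Fields:` header; the `ToolPane.aspx` endpoint it looks for is the one the “ToolShell” name refers to, and the `SignOut.aspx` Referer check only fires if Referer logging is enabled in IIS. The `spinstall` regex also matches numbered siblings such as `spinstall1.aspx`.

```powershell
# Added example (not from the article): hunt for ToolShell artefacts on an on-prem
# SharePoint server. (a) LAYOUTS folders: webshell by name and by the SHA-1 above.
# (b) IIS W3C logs: IoC IPs, POSTs to ToolPane.aspx, requests to the webshell.
# Assumptions: default hive paths, default IIS log path, logs carry a #Fields header.

$KnownSha1 = 'F5B60A8EAD96703080E73A1F79C3E70FF44DF271'   # spinstall0.aspx (from the IoC table)
$IocIps = @(
  '96.9.125.147', '107.191.58.76', '104.238.159.149', '139.59.11.66', '154.223.19.106',
  '103.151.172.92', '45.191.66.77', '83.136.182.237', '162.248.74.92', '38.54.106.11',
  '206.166.251.228', '45.77.155.170', '64.176.50.109', '149.28.17.188', '173.239.247.32',
  '109.105.193.76', '2.56.190.139', '141.164.60.10', '124.56.42.75'
)
$ExploitWindowStart = [datetime]'2025-07-17'

# (a) File hunt. The July security update also writes into LAYOUTS, so treat a
#     "created-recently" hit as triage material, and a name or hash hit as a finding.
$layoutDirs = @(
  "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
  "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
) | Where-Object { Test-Path $_ }

$fileHits = foreach ($dir in $layoutDirs) {
  Get-ChildItem -Path $dir -Filter '*.aspx' -File -Recurse | ForEach-Object {
    $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
    $why = @()
    if ($_.Name -match '^spinstall\d*\.aspx$')            { $why += 'webshell-name' }
    if ($sha1 -eq $KnownSha1)                               { $why += 'known-sha1' }
    if ($_.CreationTimeUtc -ge $ExploitWindowStart)         { $why += 'created-recently' }
    if ($why) {
      [pscustomobject][ordered]@{ Path = $_.FullName; SHA1 = $sha1; Why = ($why -join ',') }
    }
  }
}

# (b) IIS log hunt. Column positions are read from the #Fields header, so a
#     customised field set still parses. IIS log timestamps are UTC.
function Search-IisLog {
  param([string]$LogPath, [string[]]$Ips)
  $fields = $null
  foreach ($line in [IO.File]::ReadLines($LogPath)) {
    if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim() -split ' '); continue }
    if ($line.StartsWith('#') -or -not $fields) { continue }
    $cols = $line -split ' '
    if ($cols.Count -ne $fields.Count) { continue }        # malformed or truncated line
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
    $why = @()
    if ($Ips -contains $row['c-ip'])                                                { $why += 'ioc-ip' }
    if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -match 'ToolPane\.aspx$') { $why += 'toolpane-post' }
    if ($row['cs(Referer)'] -match 'SignOut\.aspx')                                  { $why += 'signout-referer' }
    if ($row['cs-uri-stem'] -match 'spinstall\d*\.aspx$')                            { $why += 'webshell-request' }
    if ($why) {
      [pscustomobject][ordered]@{
        Time = "$($row['date']) $($row['time'])"; ClientIp = $row['c-ip']
        Method = $row['cs-method']; Uri = $row['cs-uri-stem']; Status = $row['sc-status']
        Why = ($why -join ',')
      }
    }
  }
}

$logHits = Get-ChildItem "$env:SystemDrive\inetpub\logs\LogFiles" -Filter '*.log' -File -Recurse |
  Where-Object { $_.LastWriteTimeUtc -ge $ExploitWindowStart } |
  ForEach-Object { Search-IisLog -LogPath $_.FullName -Ips $IocIps }

"== LAYOUTS findings ==";  $fileHits | Format-Table -AutoSize
"== IIS log findings ==";  $logHits  | Format-Table -AutoSize
```

Two caveats when reading the output: behind a load balancer or reverse proxy `c-ip` is the proxy’s address, so match the IoC IPs against the `X-Forwarded-For` field if you log it; and an absent webshell proves nothing, because the attacker’s access after key theft is via signed `__VIEWSTATE` requests that look like ordinary page traffic. A `toolpane-post` hit before the patch date, or any `known-sha1` hit, should be treated as confirmation that the machine keys were exposed and must be rotated.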