SharePoint hacking campaign affects hundreds of systems worldwide
The global hacking campaign linked to the ToolShell vulnerability in Microsoft SharePoint has compromised hundreds of systems across the globe, according to security researchers.
The Shadowserver Foundation said it has confirmed more than 300 victims, citing data compiled with Eye Security and NIVD.
More than 10,700 SharePoint instances remain exposed, according to Shadowserver.
U.S. officials are continuing to assess the impact of the exploitation, which Microsoft has linked in part to China-backed hackers.
“CISA continues to work in lockstep with Microsoft, as well as federal and other partners, to address and mitigate the active exploitation of multiple vulnerabilities impacting Microsoft on-site SharePoint servers,” said Chris Butera, acting executive assistant director for cybersecurity at CISA. “Publicly reported as ‘ToolShell,’ the exploitation provides unauthorized access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
CISA has added the two critical vulnerabilities that led to the development of ToolShell, tracked as CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities catalog.
The agency is still in the early stages of incident response and is assessing the full scope and impact of the attacks. Federal officials confirmed that CISA is aware of federal agencies and state and local governments that may have been breached and is working with them to assess the scope and mitigate the potential impact.
Hackers penetrated the National Nuclear Security Administration through the SharePoint vulnerabilities, according to Bloomberg, although there is no evidence that they accessed sensitive or classified information. The agency is responsible for managing the nation’s nuclear-weapons stockpile. The hackers also breached other parts of the U.S. Department of Energy, which houses the National Nuclear Security Administration.
“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA,” a spokesperson told Cybersecurity Dive via email. “The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored.”
Microsoft on Tuesday identified the two state-linked hackers behind many early SharePoint attacks as Linen Typhoon and Violet Typhoon. The company also said that a third threat actor, which it tracks as Storm-2603, has engaged in attacks, although its motivation remains unclear.
(Updates with comment from Department of Energy)