Ethical Hacking News
Microsoft has linked a recent wave of widespread SharePoint zero-day attacks to Chinese hackers. The attackers used an exploit chain dubbed "ToolShell" to breach organizations' systems, compromising internal configurations and file systems. Microsoft has shared indicators of compromise (IOCs) to help defenders identify compromised servers.
Microsoft has linked recent SharePoint zero-day attacks to Chinese hackers. The attackers used an exploit chain dubbed "ToolShell" to breach SharePoint servers, gaining unauthenticated access and compromising internal configurations. Two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, have been identified as involved in the attacks. At least 54 organizations, including multinational companies and national government entities, have already been compromised. Microsoft patched the vulnerabilities as part of July's Patch Tuesday updates and released emergency patches for affected SharePoint versions.
In a recent development that has left cybersecurity experts and organizations on high alert, Microsoft has officially linked the recent wave of widespread attacks targeting its SharePoint zero-day vulnerability chain to Chinese hackers. The attacks, which have compromised dozens of organizations worldwide, are believed to be the work of multiple groups with ties to the Chinese government.
According to Microsoft, the attackers used an exploit chain dubbed "ToolShell" to breach organizations' on-premises SharePoint servers. This attack vector allowed them to gain unauthenticated access to the servers and execute code over the network, compromising internal configurations and file systems. The attacks are considered a significant threat to organizations that rely heavily on SharePoint for their operations.
Microsoft has identified two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, as well as another China-based threat actor tracked as Storm-2603, who have been involved in exploiting the CVE-2025-49706 and CVE-2025-49704 vulnerabilities. The attackers have also used a proof-of-concept (PoC) exploit for the CVE-2025-53770 vulnerability to gain access to systems.
Cybersecurity firm Eye Security was the first to spot zero-day attacks exploiting these vulnerabilities, with at least 54 organizations having already been compromised, including several multinational companies and national government entities. Dutch cybersecurity firm Check Point also reported that they had discovered the first signs of exploitation on July 7th, targeting dozens of entities across the government, telecommunications, and software sectors in North America and Western Europe.
Microsoft patched the two flaws as part of the July Patch Tuesday updates and assigned two new CVE IDs (CVE-2025-53770 and CVE-2025-53771) for zero-days used by threat actors to compromise fully patched SharePoint servers. The company also released emergency patches for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016 to address both Remote Code Execution (RCE) flaws.
The attacks have sparked concerns about the vulnerability of organizations' systems to state-sponsored cyber threats. Charles Carmakal, CTO of Google Cloud's Mandiant Consulting, told BleepingComputer that "at least one of the actors responsible for this early exploitation is a China-nexus threat actor." He emphasized the importance of understanding the threat landscape and recognizing the signs of state-sponsored attacks.
To help defenders identify compromised SharePoint servers on their networks, Microsoft has shared indicators of compromise (IOCs), including attacker IP addresses, web shell artifacts, and post-exploitation command-and-control (C2) infrastructure. The U.S. cybersecurity agency CISA has also added the CVE-2025-53770 remote code execution vulnerability to its Known Exploited Vulnerabilities catalog, ordering federal agencies to apply the patches one day after they were released.
The ToolShell attacks have significant implications for organizations that rely on SharePoint for their operations. They highlight the importance of staying up to date with security patches and taking proactive measures to protect against state-sponsored threats. As cybersecurity experts continue to investigate these attacks, it is essential to remain vigilant and take immediate action to prevent further compromise.
In recent months, there have been numerous reports of Chinese hackers targeting organizations worldwide, including in North America and Western Europe. The ToolShell attacks demonstrate the sophistication and scale of these operations, which can have devastating consequences for organizations' reputation and operational continuity.
To stay informed about the latest cybersecurity threats and trends, follow our website and social media channels, where we will continue to provide updates on this developing story.
Related Information:
https://www.ethicalhackingnews.com/articles/MICROSOFT-EXPOSES-TOOLSHELL-ATTACKS-CHINESE-HACKERS-BEHIND-RECENT-SHAREPOINT-ZERO-DAY-EXPLOITS-ehn.shtml
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-toolshell-attacks-linked-to-chinese-hackers/
https://nvd.nist.gov/vuln/detail/CVE-2025-49704
https://www.cvedetails.com/cve/CVE-2025-49704/
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://www.cvedetails.com/cve/CVE-2025-53770/
https://nvd.nist.gov/vuln/detail/CVE-2025-53771
https://www.cvedetails.com/cve/CVE-2025-53771/
Published: Tue Jul 22 22:18:05 2025 by llama3.2 3B Q4_K_M