Microsoft Links China to Massive SharePoint Zero-Day Attacks
Wed | Jul 23, 2025 | 9:48 AM PDT

A critical set of zero-day vulnerabilities in Microsoft SharePoint Server has been actively exploited by nation-state threat actors, compromising government agencies, universities, and critical infrastructure across the globe. The campaign, now known as "ToolShell," exploits a chain of vulnerabilities that enable attackers to gain remote access to vulnerable SharePoint servers, maintain persistence, and steal sensitive information.

Microsoft confirmed the vulnerabilities in a follow-up report published July 22nd, and released emergency patches covering the flaws across SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. But by then, the damage was well underway.

Explaining the vulnerabilities

The two main flaws at the center of this exploitation campaign are CVE-2025-53770 and CVE-2025-53771. The first is a remote code execution (RCE) vulnerability that allows attackers to run arbitrary code on a SharePoint server without authentication. The second is a spoofing vulnerability that enables attackers to impersonate a legitimate SharePoint server, bypassing access controls and restrictions.

"CVE-2025-53770 gives a threat actor the ability to remotely execute code, bypassing identity protections like SSO and MFA, giving access to content on the SharePoint server including configurations and system files," said Trey Ford, CISO at Bugcrowd. "This level of access sets up attackers to achieve persistence through backdoors and pivot into other parts of the environment."

Thomas Richards, Infrastructure Security Practice Director at Black Duck, explained the implications in similarly clear terms, saying: "This would allow the attacker to completely compromise the server, steal secrets, or use it to perform additional attacks on the network. CVE-2025-53771 allows the attacker to impersonate a SharePoint server."

These bugs are particularly dangerous when chained together. Attackers use a spoofed Referer header to bypass authentication via CVE-2025-53771, then upload a malicious web shell—commonly named spinstall0.aspx—to steal cryptographic keys from the server. These keys allow the threat actor to forge ViewState tokens and continuously execute commands on the server, even after the initial access vector is closed.

A global campaign with major impact

The scale of the exploitation has been significant. According to research from Qualys, the campaign dates back to at least July 7th and escalated sharply around July 19th. Attackers are believed to be part of Chinese state-sponsored groups identified as Linen Typhoon, Violet Typhoon, and Storm-2603.

More than 100 organizations across North America, Western Europe, and Asia have been compromised. Victims include federal and state government agencies, major universities, energy companies, and other organizations that rely on on-premises SharePoint for collaboration and document storage.

"This is actively being exploited; threat hunters and intel teams are actively exploring scope," Ford said. "This is a high-priority vulnerability requiring active involvement from leadership supporting simultaneous mitigation and threat hunting efforts."

The Washington Post and Reuters have both reported on the breadth of the campaign, citing unnamed government officials who expressed concern about the potential for long-term access to critical networks, especially those containing sensitive public infrastructure data.

Why does this keep happening?

One of the more challenging questions in the aftermath of a major exploit campaign, such as ToolShell, is how vulnerabilities of this magnitude continue to arise—and often go undetected.

"Software security is a very difficult problem for organizations to solve," said Richards. "Large codebases which consist of legacy code increase that challenge as the original software wasn't written with modern secure code guidance. Introducing a fix can sometimes have other implications if the original vulnerability isn't fully resolved."

Ford echoed that sentiment, calling it a "game of cat-and-mouse," where even newly issued patches can be bypassed if threat actors are fast and resourceful enough. "Code is always evolving," he said. "Patches are rarely fully comprehensive, and the codebases are both complex and implementations are highly varied."

Jason Soroko, Senior Fellow at Sectigo, emphasized the need for secure development practices, saying, "The best defense is a secure-by-design culture that shortens code paths, adds continuous fuzz testing, and applies defense in depth so that one deserialization slip cannot hand over the keys."

Response and mitigation

In response to the active exploitation, Microsoft issued an emergency patch rollout for all supported on-prem versions of SharePoint Server. The company, along with U.S. CISA, urged organizations to apply the patches immediately, rotate their ASP.NET MachineKeys, and restart the IIS web server service.

But patching alone is not enough. Security leaders are encouraging organizations to reevaluate the security of all internet-facing services, especially those hosted on-prem.

"If possible, organizations should restrict access to any externally available vulnerable SharePoint server," Richards advised. "Security teams should also add endpoint protection software to their SharePoint servers and review system logs for evidence of a compromise."

Ford also pointed to the importance of reducing the attack surface: "When running your own services on-prem, ask if they truly need to be internet-exposed or accessible to untrusted parties. Lowering your attack surface is always wise."

Microsoft recommends enabling AMSI (Antimalware Scan Interface) in Full Mode and ensuring Defender Antivirus or a comparable endpoint protection tool is running on all SharePoint servers. Organizations using Defender for Endpoint and Microsoft Sentinel have access to detailed hunting queries and Indicators of Compromise (IOCs), including suspicious POST requests to /ToolPane.aspx and the presence of web shells, such as spinstall0.aspx.
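As an added example (not from the article, from Microsoft, or from any of the quoted vendors), the following script parses IIS W3C log lines and flags the two indicators the article names: an unauthenticated POST to ToolPane.aspx, with its Referer carried along for review, and any request for spinstall0.aspx. The log lines, host names and addresses are constructed; the /_layouts/15/ prefix is where SharePoint serves ToolPane.aspx, so matching is on the end of the URI stem.

```python
"""Hunt IIS W3C logs for the ToolShell indicators this article names."""
from typing import Dict, List

# Constructed sample log lines (not from the article or any real server). The
# ToolPane.aspx page is served under /_layouts/15/, so matching is on the stem's tail.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.test/sites/hr 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 /_layouts/15/start.aspx 200
2025-07-19 03:13:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 03:15:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.40 Mozilla/5.0 https://sp.example.test/_layouts/15/settings.aspx 200
"""

def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text; the #Fields: directive names the columns."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):  # blank or other directive (#Software, #Date)
            continue
        values = line.split()
        if len(values) != len(fields):  # truncated or malformed line: skip, never crash
            continue
        entries.append(dict(zip(fields, values)))
    return entries

def find_toolshell_indicators(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched indicator, with the fields an analyst needs."""
    findings: List[Dict[str, str]] = []
    for e in entries:
        stem = e.get("cs-uri-stem", "").lower()
        # Heuristic: the Referer-based bypass reaches ToolPane.aspx with no authenticated
        # user, so an anonymous POST there stands out; authenticated admin edits are not flagged.
        if (e.get("cs-method") == "POST" and stem.endswith("/toolpane.aspx")
                and e.get("cs-username", "-") == "-"):
            findings.append({"indicator": "unauthenticated POST to ToolPane.aspx",
                             "time": f"{e['date']} {e['time']}", "c-ip": e["c-ip"],
                             "referer": e.get("cs(Referer)", "-")})
        # Any request for the web shell file name is an indicator on its own.
        if "spinstall0.aspx" in stem:
            findings.append({"indicator": "web shell path spinstall0.aspx",
                             "time": f"{e['date']} {e['time']}", "c-ip": e["c-ip"],
                             "referer": e.get("cs(Referer)", "-")})
    return findings
```

Point it at a real server's W3C logs by reading the file contents into parse_iis_log; the field mapping follows whatever the log's own #Fields: directive declares.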

Security is a culture, not just a patch

While most headlines focus on the vulnerabilities themselves, some security professionals are calling for a broader reflection on enterprise security culture.

"This incident is a reminder that cybersecurity cannot be reduced to patchwork solutions," said Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer at AvePoint. "Modern software vulnerabilities are an unfortunate reality, but the real issue isn't just that flaws exist—it's how quickly organizations can detect, patch, and recover from them."

Simberkoff argued that organizations need to move away from reactive fire drills and toward proactive security posture management. "We need to implement data minimization strategies, robust lifecycle management, and continuous DSPM to identify and mitigate risks before attackers can exploit them."

She also warned that even organizations that successfully patch these vulnerabilities could remain at risk. "The fact that hackers gained access to cryptographic keys that could allow re-entry even after patching highlights why surface-level fixes aren't sufficient when the underlying security architecture lacks depth."

Key lessons from ToolShell

The ToolShell campaign is one of the most sophisticated and consequential SharePoint attacks in recent memory. It highlights just how vulnerable legacy enterprise software can be when not properly secured and maintained.

Security professionals say the key to defense is a layered approach that combines patch management, endpoint protection, network hardening, and cultural shifts that prioritize resilience over reactivity. In the words of Simberkoff and many others in cybersecurity, "If you don't know what you have, you cannot protect it."

With nation-state actors continuing to target enterprise collaboration tools like SharePoint, the lesson from ToolShell is clear: In today's threat landscape, waiting for the next patch isn't enough. Organizations must build security into the core of their environments—because the next exploit may already be underway.
