US Tops Hit List as 396 SharePoint Systems Compromised Globally
Summary:
A Microsoft SharePoint zero-day exploit chain, dubbed “ToolShell,” is actively being leveraged in attacks in the wild, with 396 compromised systems identified to date and the count still rising. The chain consists of two vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which together enable actors to achieve remote code execution on vulnerable SharePoint servers. Security firm Eye Security analyzed 27,000 SharePoint servers between July 18 and 23 and confirmed the compromise of at least 145 unique organizations across 41 countries. The US accounts for the largest share of affected organizations at 31%, followed by Mauritius (8%), Germany (7%) and France (5%).
The government sector appears to be a favored target in the latest SharePoint exploitation campaign, accounting for 30% of attacks observed between July 18 and 23. Because government agencies typically use SharePoint to store and manage sensitive data, they are a prime target for threat actors. Reports suggest that the US Nuclear Weapons Agency, the Department of Homeland Security and the Department of Health and Human Services have been victims of ToolShell exploitation. While there has been no official confirmation, this highlights the potential scope of exploitation and its threat to national security if systems are left unpatched.
Security Officer Comments:
Initial ToolShell attacks were attributed by Microsoft to Linen Typhoon, Violet Typhoon and Storm-2603. These groups are known for cyber espionage, with activities aligned with the interests of the People’s Republic of China. With government agencies running on-premises Microsoft SharePoint, it comes as no surprise that China-linked actors are compromising vulnerable instances, which can then be used for intelligence gathering.
Although exploitation activity was initially attributed to nation-state actors like Linen Typhoon and Violet Typhoon, non-state actors have likely begun to take advantage of the ToolShell exploit chain. Given the availability of a public proof-of-concept for ToolShell, it is safe to assume that low-skilled adversaries and actors with other motives are also starting to exploit the SharePoint RCE flaws, including in extortion-based attacks for financial gain.
Suggested Corrections:
- Use or upgrade to supported versions of on-premises Microsoft SharePoint Server.
  - Supported versions: SharePoint Server 2016, 2019, and SharePoint Subscription Edition
- Apply the latest security updates.
- Ensure the Antimalware Scan Interface is turned on and configured correctly and deploy Defender Antivirus on all SharePoint servers
  - Configure Antimalware Scan Interface (AMSI) integration in SharePoint, enable Full Mode for optimal protection, and deploy Defender Antivirus on all SharePoint servers, which will stop unauthenticated attackers from exploiting this vulnerability.
  - Note: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
  - If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until you have applied the most current security update linked above. If the server cannot be disconnected from the internet, consider using a VPN or proxy requiring authentication or an authentication gateway to limit unauthenticated traffic.
- Deploy Microsoft Defender for Endpoint, or equivalent solutions
  - We recommend organizations deploy Defender for Endpoint to detect and block post-exploit activity.
- Rotate SharePoint Server ASP.NET machine keys
  - After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart Internet Information Services (IIS) on all SharePoint servers.
  - Manually using PowerShell: To update the machine keys using PowerShell, use the Set-SPMachineKey cmdlet.
  - Manually using Central Admin: Trigger the Machine Key Rotation timer job by performing the following steps:
    - Navigate to the Central Administration site.
    - Go to Monitoring -> Review job definition.
    - Search for Machine Key Rotation Job and select Run Now.
  - Restart IIS on all SharePoint servers using iisreset.exe. NOTE: If you cannot enable AMSI, you will need to rotate your keys and restart IIS after you install the new security update.
- Implement your incident response plan.
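The following script is an added example, not code from the article or from Microsoft, that ties the corrections above into one post-patch sequence for an on-premises SharePoint farm: verify the farm build, rotate the ASP.NET machine key for every web application with Set-SPMachineKey, and restart IIS on each SharePoint server. It is meant to be run in an elevated SharePoint Management Shell on one server in the farm. The minimum patched build number is a placeholder that you must take from the vendor's security update for your version, and the use of the -WebApplication parameter on Set-SPMachineKey and of WinRM remoting for the IIS restart are assumptions about your environment.

```powershell
# Added example (not from the article or Microsoft): post-patch machine-key
# rotation and IIS restart for an on-premises SharePoint farm.
# Run in an elevated SharePoint Management Shell on one farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# PLACEHOLDER: replace with the farm build number of the security update
# you applied for CVE-2025-53770 / CVE-2025-53771 (taken from the vendor
# release notes, not from this script).
$RequiredBuild = [version]'0.0.0.0'

# Rotating keys before the update is installed leaves the server exposed,
# so refuse to continue unless the farm reports at least the patched build.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"
if ($farm.BuildVersion -lt $RequiredBuild) {
    throw "Farm build $($farm.BuildVersion) is below the required patched build $RequiredBuild. Apply the security update first."
}

# Rotate the ASP.NET machine key for every web application in the farm,
# including Central Administration. (Assumption: -WebApplication is the
# parameter accepted by Set-SPMachineKey in your SharePoint version.)
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Set-SPMachineKey -WebApplication $webApp
}

# Restart IIS on every SharePoint server so the new keys take effect.
# Servers with role 'Invalid' are non-SharePoint hosts (e.g. SQL) and are skipped.
# Assumption: WinRM remoting is enabled between farm servers.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
}

Write-Host "Machine keys rotated and IIS restarted on $($servers.Count) server(s)."
```

The build check is the important safety interlock: as the NOTE above says, if AMSI cannot be enabled the key rotation only helps once the security update is already installed, so the script refuses to rotate keys on an unpatched farm rather than giving a false sense of remediation.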
Link(s):
https://www.infosecurity-magazine.com/news/396-sharepoint-systems-compromised/