Microsoft

A critical zero-day vulnerability in on-premises Microsoft SharePoint servers, dubbed 'ToolShell' and tracked as CVE-2025-53770, is being exploited in the wild. Shadowserver scans count more than 17,000 SharePoint servers reachable from the internet; at least 840 of them are vulnerable to CVE-2025-53770, and 20 were confirmed to carry active webshells. The exploitation has been attributed to Chinese threat actors (Linen Typhoon, Violet Typhoon and Storm-2603), and over 400 organizations have been compromised, including government agencies and organizations in the healthcare, finance and education sectors. The flaw lets unauthenticated attackers execute arbitrary code remotely, and Storm-2603 has used it to deploy Warlock ransomware on compromised systems. Because the intrusions are stealthy, the actual number of victims is likely higher than the confirmed count.

Source: https://cybersecuritynews.com/sharepoint-servers-exposed-to-internet/

TPRM report: https://www.rankiteo.com/company/microsoft

{
  "id": "mic625073125",
  "linkid": "microsoft",
  "type": "Vulnerability",
  "date": "7/2025",
  "severity": "100",
  "impact": "",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Government',
                        'location': 'United States',
                        'name': "Department of Energy's National Nuclear "
                                'Security Administration',
                        'type': 'Government Agency'},
                       {'industry': 'Government',
                        'location': 'United States',
                        'name': 'Department of Homeland Security',
                        'type': 'Government Agency'},
                       {'industry': 'Government',
                        'location': 'United States',
                        'name': 'Department of Health and Human Services',
                        'type': 'Government Agency'},
                       {'industry': 'Government',
                        'location': 'United States',
                        'name': 'Department of Education',
                        'type': 'Government Agency'},
                       {'industry': 'Government',
                        'location': 'United States',
                        'name': 'State and local government agencies',
                        'type': 'Government Agency'},
                       {'industry': ['Government',
                                     'Healthcare',
                                     'Finance',
                                     'Education'],
                        'location': 'Multiple',
                        'name': 'Various organizations across sectors',
                        'type': 'Private and Public Sector'}],
 'attack_vector': 'Remote Code Execution',
 'data_breach': {'type_of_data_compromised': 'Machine keys, Credentials'},
 'date_detected': '2025-07-07',
 'date_publicly_disclosed': '2025-07-18',
 'description': 'A critical zero-day vulnerability (CVE-2025-53770) in '
                'Microsoft SharePoint servers has been exploited, affecting '
                'over 17,000 servers, with 840 specifically vulnerable. The '
                "vulnerability, dubbed 'ToolShell,' allows unauthenticated "
                'attackers to execute arbitrary code remotely. At least 20 '
                'servers have active webshells, indicating successful '
                'compromises. The attacks are attributed to Chinese threat '
                'actors Linen Typhoon (APT27), Violet Typhoon (APT31), and '
                'Storm-2603. Over 400 victim organizations across multiple '
                'sectors, including government, healthcare, finance, and '
                'education, have been confirmed.',
 'impact': {'data_compromised': 'Machine keys, Credentials',
            'operational_impact': 'Ransomware Deployment',
            'systems_affected': 'SharePoint Servers'},
 'initial_access_broker': {'backdoors_established': 'webshells',
                           'entry_point': 'ToolPane endpoint'},
 'motivation': 'Data Theft, Operational Disruption',
 'post_incident_analysis': {'corrective_actions': 'Patching, rotating machine '
                                                  'keys, enabling AMSI, '
                                                  'thorough security '
                                                  'assessments',
                            'root_causes': 'CVE-2025-53770 vulnerability'},
 'ransomware': {'ransomware_strain': 'Warlock'},
 'recommendations': 'Patch all supported SharePoint versions, rotate machine '
                    'keys, enable AMSI, conduct thorough security assessments',
 'references': [{'date_accessed': '2025-07-31',
                 'source': 'Shadowserver Foundation',
                 'url': 'https://twitter.com/Shadowserver'},
                {'date_accessed': '2025-07-18', 'source': 'Eye Security'}],
 'regulatory_compliance': {'regulatory_notifications': 'CISA added '
                                                       'CVE-2025-53770 to its '
                                                       'Known Exploited '
                                                       'Vulnerabilities '
                                                       'catalog'},
 'response': {'remediation_measures': 'Emergency patches, rotate machine keys, '
                                      'enable AMSI, conduct thorough security '
                                      'assessments'},
 'threat_actor': ['Linen Typhoon (APT27)',
                  'Violet Typhoon (APT31)',
                  'Storm-2603'],
 'title': 'Massive Exposure of Microsoft SharePoint Servers to Internet-Based '
          'Attacks',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2025-53770'}
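The record above names the ToolPane endpoint as the entry point and webshells as the persistence mechanism, and recommends patching, rotating machine keys and enabling AMSI. The following triage helper is an added example (it is not code from the original page, from Microsoft or from the cited researchers) that shows how a defender would hunt for the two observable traces on a SharePoint server: POST requests to `/_layouts/15/ToolPane.aspx` in the IIS W3C logs, and `.aspx` files in the LAYOUTS directory that are absent from a known-clean baseline. The IIS field layout, the host names, IP addresses, file names and the baseline are all constructed for the example; the `SignOut.aspx` Referer is a published indicator for this campaign that the page itself does not mention, so it is treated here as an additional scoring signal rather than a requirement.

```python
"""
Offline triage for the SharePoint ToolShell (CVE-2025-53770) pattern.
Added example, not code from the original page. All sample data below is
constructed; the IIS W3C field order is driven by the '#Fields:' header.
"""
import re
from typing import Dict, Iterable, List

# ToolPane.aspx is the endpoint the page names as the entry point. Match both
# the 15 and 16 hive paths, case-insensitively (IIS paths are case-insensitive).
TOOLPANE_RE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx", re.IGNORECASE)
# Referer of SignOut.aspx: published campaign indicator, NOT stated on this page.
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.IGNORECASE)

# Constructed IIS log. Real IIS logs encode spaces inside fields as '+', so a
# whitespace split is safe. Line 2 is the unauthenticated exploit attempt;
# line 4 is a legitimate authenticated web-part edit, which also POSTs to ToolPane.
SAMPLE_IIS_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:21:05 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 10:22:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 310
2025-07-18 10:23:02 10.0.0.5 GET /_layouts/15/extra0.aspx - 443 - 203.0.113.7 curl/8.0 - 200 0 0 15
2025-07-18 10:25:17 10.0.0.5 POST /_layouts/15/toolpane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.0.21 Mozilla/5.0 https://sp.example.test/sites/hr/Pages/Home.aspx 200 0 0 200
"""

# Constructed baseline of LAYOUTS .aspx files captured from a known-clean server
# (a real baseline has hundreds of entries) and a constructed current listing.
BASELINE_LAYOUTS = {"start.aspx", "ToolPane.aspx", "SignOut.aspx", "settings.aspx"}
SAMPLE_LISTING = ["start.aspx", "ToolPane.aspx", "SignOut.aspx", "settings.aspx",
                  "extra0.aspx", "web.config"]


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per log record, keyed by the latest '#Fields:' header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # malformed or truncated record
            continue
        yield dict(zip(fields, parts))


def find_toolpane_posts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every POST to ToolPane.aspx with the signals needed to score it."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if not TOOLPANE_RE.search(rec.get("cs-uri-stem", "")):
            continue
        hits.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "src": rec.get("c-ip"),
            "status": rec.get("sc-status"),
            # IIS writes '-' for an unauthenticated request; the exploit needs no login.
            "anonymous": rec.get("cs-username", "-") == "-",
            "edit_mode": "displaymode=edit" in rec.get("cs-uri-query", "-").lower(),
            "signout_referer": bool(SIGNOUT_RE.search(rec.get("cs(Referer)", "-"))),
        })
    return hits


def high_confidence(hits: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only anonymous edit-mode POSTs; authenticated editors also hit ToolPane."""
    return [h for h in hits if h["anonymous"] and h["edit_mode"]]


def unexpected_layouts_files(listing: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Return .aspx names present in the LAYOUTS listing but not in the clean baseline."""
    known = {b.lower() for b in baseline}
    return sorted(n for n in listing
                  if n.lower().endswith(".aspx") and n.lower() not in known)


if __name__ == "__main__":
    for h in find_toolpane_posts(SAMPLE_IIS_LOG.splitlines()):
        flag = "HIGH" if h in high_confidence([h]) else "review"
        print(f"[{flag}] {h['time']} {h['src']} status={h['status']} "
              f"signout_referer={h['signout_referer']}")
    print("unexpected LAYOUTS files:",
          unexpected_layouts_files(SAMPLE_LISTING, BASELINE_LAYOUTS))
```

A ToolPane POST on its own is noisy, because authenticated users editing web-part pages produce the same request; the anonymous username and the edit-mode query string are what separate the exploit from normal traffic, and the SignOut Referer raises confidence further. A high-confidence hit dated before the patch was applied should be treated as a compromise even if the server is patched now: the webshell's purpose is to read the ASP.NET machine keys, and a stolen key keeps working after the patch, which is why the record's remediation list includes rotating machine keys rather than patching alone.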