Microsoft SharePoint, the widely deployed enterprise collaboration and document management platform, has become one of the main cybersecurity concerns worldwide this summer. Large-scale exploitation campaigns against critical vulnerabilities in its on-premises editions have compromised hundreds of servers across the globe, including systems belonging to multinational corporations, banks, telecom providers, healthcare institutions and government agencies.
Cybersecurity agencies and researchers consider the situation critical. Microsoft has released emergency updates and mitigation guidance, but these alone have not been enough to halt the spread of the attacks.
A vulnerability revealed and actively exploited
The incident traces back to May 2025, when a chain of SharePoint vulnerabilities nicknamed ‘ToolShell’ was demonstrated at the Pwn2Own Berlin hacking contest. The two flaws, CVE-2025-49704 (code injection) and CVE-2025-49706 (a spoofing flaw that bypasses authentication), give remote code execution without authentication when chained together. Following responsible disclosure, Microsoft fixed both in its July Patch Tuesday release.
Those fixes did not hold. On July 19, Eye Security confirmed active, large-scale exploitation of a variant of the ToolShell chain that bypasses the July patches. Attackers used it to drop a web shell named spinstall0.aspx, whose job is not to run commands but to read out the server's ASP.NET machine keys; with those keys in hand they gain persistent code execution and full control of the affected server. The patch bypasses were assigned CVE-2025-53770 (remote code execution) and CVE-2025-53771 (spoofing) and were zero-days at the time they were found in the wild.
At least 9,000 potentially vulnerable servers
Internet scans by the security firm Censys show more than 9,700 on-premises SharePoint servers exposed online. Eye Security's telemetry has so far confirmed at least 400 servers actively compromised across four attack waves between July 17 and 21.
Among the affected organizations is the U.S. National Nuclear Security Administration, responsible for the country’s nuclear arsenal, as reported by Bloomberg, though there is no public evidence of classified information leakage.
Links to groups associated with the Chinese government
Microsoft attributes the exploitation to three China-linked groups: the state-backed espionage actors Linen Typhoon and Violet Typhoon, and Storm-2603, a China-based actor that, according to Microsoft Threat Intelligence, has gone beyond stealing credentials and machine keys to deploy Warlock ransomware on compromised servers.
The Chinese Embassy in the U.S. has firmly denied these accusations, calling them unfounded and reaffirming its opposition to any form of cybercrime.
Persistence even after patch deployment
A key feature of this campaign is that attackers can keep their access even after the patches are applied. The reason is the theft of the ASP.NET machine keys (the ValidationKey and DecryptionKey). ASP.NET uses these keys to sign and encrypt the __VIEWSTATE field, so whoever holds them can craft a ViewState payload that the server accepts as legitimate and deserializes, which yields code execution with the privileges of the SharePoint application pool. Installing the patch closes the original bug but does not change the keys, so an attacker who captured them before patching no longer needs the bug at all. ViewState deserialization with leaked machine keys is a technique documented in earlier RCE (remote code execution) campaigns.
watchTowr Labs and other researchers warn that mitigations such as enabling AMSI (Antimalware Scan Interface) are not sufficient on their own. What matters is patching, rotating the machine keys, and restarting IIS on every SharePoint server in the farm, in that order, since keys rotated on an unpatched server can simply be stolen again.
Urgent recommendations from Microsoft and CISA
Microsoft has released security updates for SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition (KB5002760, KB5002754 and KB5002768). It also lists rotating the ASP.NET machine keys and restarting IIS on every server as critical follow-up steps, because installing the update alone does not invalidate keys that have already been stolen.
Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included these vulnerabilities in its catalog of actively exploited threats, requiring federal agencies to apply the fixes by July 23, 2025.
Risks for CISOs: unauthenticated access and lateral movement
Security leaders must understand that this is a chain of exploits allowing attackers to:
- Execute remote code without credentials.
- Impersonate internal users and services.
- Steal the ASP.NET machine keys that keep access open even after patching.
- Deploy ransomware and move laterally within Windows domains.
Additionally, SharePoint’s routine integration with services like Teams, OneDrive, and Outlook amplifies the impact of such breaches.
What should organizations do now?
According to Eye Security and Microsoft, organizations running on-premises SharePoint should act immediately:
- Apply the latest security updates released by Microsoft.
- Rotate the ASP.NET machine keys (only after patching, or the new keys can be stolen again) and restart IIS on every SharePoint server in the farm.
- Hunt for indicators of compromise, such as a file named spinstall0.aspx in the SharePoint LAYOUTS directory and outbound connections to attacker domains such as update.updatemicfosoft.com (note the typo-squat of the Microsoft name).
- Treat any server showing these indicators as compromised: isolate or shut it down, reset credentials, and bring in incident response expertise.
Researchers have also shared indicators of compromise (IOCs), including IP addresses, file hashes, and specific log entries in IIS that can help detect malicious activity.
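As an added example, not code from Eye Security, Microsoft or this article, the PowerShell script below carries out the technical steps in the list above on a SharePoint farm server, and also covers the key-rotation point made in the persistence section. It scans IIS W3C logs for the ToolShell request pattern and for hits on the spinstall web shell, checks the LAYOUTS directories for the shell file, and rotates the machine keys before restarting IIS. The request pattern it hunts (a POST to ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx), the spinstall*.aspx file name pattern and the LAYOUTS paths come from public ToolShell reporting rather than from this page; the sample log lines are constructed; the log directory is the IIS default; and the Set-SPMachineKey and Update-SPMachineKey cmdlets are assumed to exist on the farm's build, which the script checks before calling them.

```powershell
# Added ToolShell triage script (not from the article, Eye Security or Microsoft).
# Assumptions: IIS W3C logs under the default C:\inetpub\logs\LogFiles with cs(Referer) logged;
# indicator patterns and LAYOUTS paths taken from public ToolShell reporting, not from this page;
# Set-SPMachineKey / Update-SPMachineKey present on this SharePoint build (checked below).
# Run in an elevated SharePoint Management Shell on a farm server.

function Find-ToolShellRequest {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # Column order differs per server, so take it from each file's '#Fields:' header.
    $idx  = @{}
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            $names = $line.Substring(8).Trim() -split '\s+'
            $idx = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $idx.ContainsKey('cs-uri-stem')) { continue }
        $f       = $line -split ' '
        $method  = $f[$idx['cs-method']]
        $stem    = $f[$idx['cs-uri-stem']]
        $referer = if ($idx.ContainsKey('cs(Referer)')) { $f[$idx['cs(Referer)']] } else { '-' }
        $reason  = $null
        # Exploit pattern: a POST to ToolPane.aspx that claims to come from the sign-out page.
        if ($method -eq 'POST' -and $stem -match '/ToolPane\.aspx$' -and $referer -match '/SignOut\.aspx') {
            $reason = 'ToolPane POST with SignOut.aspx referer'
        } elseif ($stem -match '/spinstall\d*\.aspx$') {
            # Post-exploitation: the attacker fetching the dropped web shell to read the machine keys.
            $reason = 'request for spinstall web shell'
        }
        if ($reason) {
            $hits.Add([pscustomobject]@{
                Time     = "$($f[$idx['date']]) $($f[$idx['time']])"
                ClientIP = $f[$idx['c-ip']]
                Method   = $method
                Uri      = $stem
                Referer  = $referer
                Reason   = $reason
            })
        }
    }
    return $hits
}

function Find-ToolShellWebShell {
    # Default LAYOUTS directories for the 15 and 16 hives; adjust if SharePoint is installed elsewhere.
    $hives = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
             'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    foreach ($dir in $hives) {
        if (Test-Path $dir) { Get-ChildItem -Path $dir -Filter 'spinstall*.aspx' -File }
    }
}

function Invoke-SPMachineKeyRotation {
    # New keys make every ViewState payload signed with the stolen keys fail validation.
    # Only run this after the July fixes are installed, or the new keys can be stolen again.
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    foreach ($cmd in 'Set-SPMachineKey', 'Update-SPMachineKey') {
        if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
            throw "$cmd is not available on this build; run the 'Machine Key Rotation' timer job from Central Administration instead."
        }
    }
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Set-SPMachineKey    -WebApplication $webApp   # generate new keys in the configuration database
        Update-SPMachineKey -WebApplication $webApp   # write them into web.config on every farm server
    }
    & iisreset.exe   # repeat on each server in the farm so the new keys take effect everywhere
}

# Constructed sample IIS log excerpt (not real telemetry) so the detector can be exercised offline.
$sampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2025-07-18 21:05:11 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\alice 10.0.0.42 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 120',
    '2025-07-18 21:07:42 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310',
    '2025-07-18 21:07:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 15'
)
Find-ToolShellRequest -LogLines $sampleLog | Format-Table -AutoSize

# On a real server, feed every W3C log file (each file restates its '#Fields:' header, which the parser handles):
# Find-ToolShellRequest -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC*\*.log')
# Find-ToolShellWebShell
# Invoke-SPMachineKeyRotation
```

The detector reads the column layout from the `#Fields:` header rather than hard-coding positions, because IIS logging fields are configurable per site and a fixed offset would silently miss the Referer. A hit on the ToolPane/SignOut pattern means exploitation was attempted; a subsequent request for spinstall0.aspx from the same client, or the file's presence on disk, means the machine keys should be treated as stolen and rotated once the server is patched.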
A concerning precedent for corporate environments
This incident ranks among the most severe in recent SharePoint history, highlighting the vulnerability of on-premises systems to sophisticated, rapid attacks. It also raises serious questions about response times and patch effectiveness against critical vulnerabilities in mission-critical environments.
As Eye Security states, “This is not a theoretical risk; it’s an ongoing operational threat. Those who do not act now may be compromised without even knowing it.”
More information and updates:
This article has been prepared with verified technical information and official sources such as Eye Security, Microsoft Threat Intelligence, CISA, and specialized media.