Chinese Hackers Exploit SharePoint Zero-Days in Global 'ToolShell' Attack Spree
A sophisticated campaign exploiting previously unknown Microsoft SharePoint vulnerabilities has been linked to Chinese state-sponsored hackers, compromising at least 54 organizations worldwide. Dubbed "ToolShell" by researchers, this exploit chain combines two critical flaws (CVE-2025-49706 and CVE-2025-49704) to achieve unauthenticated remote code execution on vulnerable SharePoint servers.
Anatomy of an Escalating Threat
The attacks began shortly after Viettel Cyber Security demonstrated the vulnerabilities at the Pwn2Own contest in Berlin. Dutch firm Eye Security first observed active exploitation, noting that victims included:
- Multinational corporations
- National government agencies
- Critical infrastructure entities
Charles Carmakal, CTO of Google Cloud's Mandiant Consulting, confirmed the attribution:
"We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue."
Microsoft issued emergency patches over the weekend, assigning the flaws new identifiers, CVE-2025-53770 and CVE-2025-53771, after confirming attacks against fully patched systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch within 24 hours.
The Expanding Attack Surface
CISA's advisory warns that ToolShell gives attackers:
- Full access to SharePoint file systems
- Access to internal configuration data
- The ability to execute code over the network
Compounding the crisis, a proof-of-concept exploit for CVE-2025-53770 appeared on GitHub within 24 hours of Microsoft's patch release. This lowers the barrier for additional threat actors, from ransomware groups to other cybercriminals, to weaponize the vulnerability.
The Patch Imperative
Microsoft has released updates for:
- SharePoint Subscription Edition
- SharePoint 2019
- SharePoint 2016
Organizations running on-premises SharePoint instances should treat patching as a critical emergency action. The convergence of state-sponsored exploitation, vulnerable internet-facing systems, and publicly available exploit code creates a perfect storm for widespread compromise. This incident underscores that rapid vulnerability response in enterprise infrastructure is non-negotiable.
Source: BleepingComputer reporting on Eye Security and Mandiant findings