Between July 7 and July 18, 2025, large-scale attacks were identified targeting on-premises Microsoft SharePoint servers. They exploited a chain of vulnerabilities: CVE-2025-49706 (spoofing, in practice an authentication bypass) and CVE-2025-49704 (unsafe deserialization leading to remote code execution), both fixed in the July Patch Tuesday, followed by the variants CVE-2025-53770 and CVE-2025-53771, which bypassed those fixes and were exploited in the wild as zero-days. The exploit chain, publicly known as “ToolShell,” allows unauthenticated remote code execution (RCE), theft of the server's ASP.NET machine keys, and complete compromise of the SharePoint server.
Attack technique
The attack chains a small number of SharePoint flaws to obtain unauthenticated remote code execution, bypass authentication, and take over the application tier:
- Authentication bypass (spoofing and path traversal, CVE-2025-49706 and its variant CVE-2025-53771): a crafted POST to the /_layouts/15/ToolPane.aspx page, sent with a Referer header pointing at /_layouts/SignOut.aspx, is processed without any credentials. Because no account is involved, MFA or SSO on the front door offers no protection.
- Unsafe deserialization (CVE-2025-49704 and its variant CVE-2025-53770): the unauthenticated request carries a malicious serialized .NET object that the server deserializes, executing arbitrary commands in the context of the IIS worker process (w3wp.exe). The first payload typically observed is a web shell dropped as spinstall0.aspx.
- Key exfiltration: rather than running commands interactively, the web shell reads the ASP.NET MachineKey settings (ValidationKey and DecryptionKey) and returns them to the attacker. With the ValidationKey, the attacker can sign arbitrary __VIEWSTATE payloads (for example, gadget chains generated with ysoserial.net) that the server will deserialize and execute on any page. This gives persistent post-compromise access that survives patching unless the keys are rotated.
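The last bullet is the reason the key-rotation advice matters, so here is an added example (not code from the original article, and not ASP.NET's actual ViewState encoding) showing the principle with a simplified HMAC-protected state token: a tampered token without the key is rejected, a token forged with the leaked key is accepted as if the server had produced it, and only rotating the key revokes the forgery. The "gadget chain" payload is a constructed placeholder string, not a real serialized object.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_state(validation_key: bytes, payload: bytes) -> str:
    """Server side: append HMAC-SHA256(validation_key, payload) and base64-encode.

    Simplified model of a MAC-protected state blob such as __VIEWSTATE; the real
    ASP.NET format differs, but the trust decision is the same: the MAC is the
    only thing standing between client-supplied bytes and server deserialization.
    """
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_state(validation_key: bytes, token: str) -> Optional[bytes]:
    """Server side: return the payload only if the MAC verifies under the current key."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None


def run_scenario() -> Dict[str, bool]:
    """Walk through: tamper without key, forge with leaked key, rotate key."""
    server_key = os.urandom(64)
    legit_payload = b"page=home;user=alice"
    legit = sign_state(server_key, legit_payload)

    # 1. Attacker without the key: flip one payload byte, keep the old MAC.
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode("ascii")

    # 2. Key theft: a web shell that dumps the MachineKey hands the attacker the
    #    live ValidationKey, so they can sign whatever they like.
    leaked_key = server_key
    malicious = b"<serialized gadget chain placeholder>"  # constructed stand-in
    forged = sign_state(leaked_key, malicious)

    # 3. Rotation: a freshly generated key invalidates every token signed with
    #    the stolen one (legitimate sessions are reset too, which is the price).
    rotated_key = os.urandom(64)

    return {
        "legit_accepted": verify_state(server_key, legit) == legit_payload,
        "tampered_accepted": verify_state(server_key, tampered) is not None,
        "forged_with_leaked_key_accepted": verify_state(server_key, forged) == malicious,
        "forged_after_rotation_accepted": verify_state(rotated_key, forged) is not None,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point to take from the third step is that patching the deserialization bug does not help once the key has leaked: the server is still doing exactly what it was designed to do, trusting anything that carries a valid MAC. Only a new key breaks that trust.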
Attributed threat actors
Microsoft attributed the exploits to three groups with ties to the Chinese state:
| Group | Alias | Known motivations |
|---|---|---|
| Linen Typhoon | APT27 | Intellectual property theft from government, defense, strategic planning, and human rights organizations |
| Violet Typhoon | APT31 | Espionage against former government and military personnel, NGOs, think tanks, higher education, and media |
| Storm‑2603 | — | Assessed with medium confidence as China-based; previously observed deploying Warlock and LockBit ransomware |
Google/Mandiant confirmed the correlation with at least one “China-nexus threat actor.” Eye Security, which first reported the in-the-wild exploitation, and Shadowserver initially counted approximately 75–100 compromised organizations, a figure revised upward in later scans, including US federal agencies, universities, companies, and international government institutions.
Risks for companies
The vulnerabilities exploited in the ToolShell campaign expose organizations to serious operational risks, with direct impact on the confidentiality, integrity, and availability of critical data, including:
- High risk of lateral movement: SharePoint is integrated with Office, Teams, OneDrive, and Outlook, and its service accounts and stored credentials give an attacker on the server a foothold into the rest of the environment
- Exfiltration of confidential data and sensitive documents, and access to critical infrastructure
- Post-compromise ransomware delivered through the same persistent backdoors: Microsoft observed Storm‑2603, a group previously linked to LockBit, using the chain to deploy Warlock ransomware.
Countermeasures and mitigations
Microsoft has released emergency updates (Patch Tuesday plus out-of-band fixes) for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016; SharePoint Online in Microsoft 365 is not affected. CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging immediate patching.
Operational guidelines:
- Apply the updates for all supported versions; isolate exposed servers until they are patched.
- After patching, rotate the ASP.NET machine keys (from Central Administration, or with the Update-SPMachineKey cmdlet) and restart IIS with iisreset; a stolen ValidationKey keeps working against a fully patched server until this is done. Rotate again if a compromise is discovered later.
- Enable SharePoint's AMSI integration with Microsoft Defender Antivirus (or another AMSI-capable engine) and deploy EDR on SharePoint hosts.
- Temporarily disconnect unpatched servers from the Internet.
- Hunt for known IOCs: the spinstall0.aspx file under the SharePoint web server extensions path (16\TEMPLATE\LAYOUTS), POST requests to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx in the IIS logs, w3wp.exe spawning cmd.exe or PowerShell, and the malicious IP addresses published by Microsoft and the researchers who reported the campaign.
- Audit thoroughly for web shells and residual payloads; if a compromise is confirmed, assume the machine keys and every credential held on the server are stolen and handle it as a full incident.
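The IIS-log part of the hunt above, as an added example (not code from the original article): a small parser for IIS W3C logs that flags the ToolShell request pattern (POST to ToolPane.aspx with a SignOut.aspx Referer), unauthenticated POSTs to ToolPane.aspx, and any request for spinstall0.aspx or similarly named variants, distinguishing a shell that was actually served (status 200) from a probe. The log excerpt is constructed for the example and uses RFC 5737 documentation addresses; the rule names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed IIS W3C log excerpt (not a real capture). Field order follows the
# default IIS logging template; cs-username is "-" for unauthenticated requests.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 192.0.2.10 GET /sites/hr/Shared+Documents/Forms/AllItems.aspx - 443 CONTOSO\\alice 198.51.100.7 Mozilla/5.0 https://sp.example/sites/hr 200 0 0 120
2025-07-18 10:03:15 192.0.2.10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.45 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 850
2025-07-18 10:03:20 192.0.2.10 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.45 python-requests/2.32 - 200 0 0 30
2025-07-18 10:05:40 192.0.2.10 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 198.51.100.8 Mozilla/5.0 https://sp.example/sites/hr/_layouts/15/settings.aspx 200 0 0 200
"""

TOOLPANE_RE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
# Published IOC is spinstall0.aspx; the optional digits also catch renamed copies.
SPINSTALL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)


@dataclass
class Finding:
    rule: str
    line_no: int
    client_ip: str
    method: str
    uri: str
    referer: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, field dict) for each entry, using the #Fields header for column names."""
    fields = None
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry appears before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed entry: skip rather than guess columns
        yield n, dict(zip(fields, parts))


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Apply the ToolShell hunting rules to parsed IIS log entries."""
    findings: List[Finding] = []
    for n, rec in parse_w3c(lines):
        method = rec.get("cs-method", "-")
        stem = rec.get("cs-uri-stem", "-")
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        ip = rec.get("c-ip", "-")
        status = rec.get("sc-status", "-")

        def add(rule: str) -> None:
            findings.append(Finding(rule, n, ip, method, stem, referer))

        if method == "POST" and TOOLPANE_RE.search(stem):
            if SIGNOUT_RE.search(referer):
                add("toolshell_toolpane_signout_referer")   # the documented exploit request
            elif user == "-":
                add("toolpane_post_unauthenticated")        # edit page hit with no identity
        if SPINSTALL_RE.search(stem):
            # A 200 means the file exists on disk; anything else is most likely a scan.
            add("spinstall_webshell_served" if status == "200" else "spinstall_webshell_probe")
    return findings


def suspicious_ips(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Group triggered rules by client address for blocking and further pivoting."""
    by_ip: Dict[str, List[str]] = {}
    for f in findings:
        by_ip.setdefault(f.client_ip, []).append(f.rule)
    return by_ip


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.rule} {f.client_ip} {f.method} {f.uri} referer={f.referer}")
```

Bob's authenticated POST to ToolPane.aspx with a normal in-site Referer is left alone, which is the property you want in a farm where administrators legitimately edit pages; the bypass request stands out because of the SignOut.aspx Referer and the absence of a user, not because of the endpoint itself.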
Final thoughts
The “ToolShell” campaign is part of a well-established trend of cyber espionage by Chinese groups. The speed with which the July patches were bypassed and the new variants weaponized, a matter of “hours to days,” highlights a sophisticated and widespread offensive capability.
For companies, proactive patch management, the adoption of 24/7 active monitoring and response systems, multi-layered defense architectures, and operational recovery capabilities remain crucial. The geopolitical aspect, with obvious international ramifications, requires a coordinated response between companies, governments, and the global security community.