Redazione RHC : 24 July 2025 08:12
According to cybersecurity experts, several Chinese hacker groups are exploiting a chain of zero-day vulnerabilities in Microsoft SharePoint in their attacks. In particular, it emerged that the attackers also compromised the network of the US National Nuclear Security Administration (NNSA), as reported in the previous article.
The SharePoint zero-day chain was named ToolShell and was first demonstrated at the Pwn2Own hacking competition in Berlin in May 2025. On that occasion, specialists from Viettel Cyber Security chained two flaws (CVE-2025-49706 and CVE-2025-49704) to achieve remote code execution (RCE).
Although Microsoft released patches for both ToolShell vulnerabilities in July 2025, attackers managed to bypass the fixes with new exploits. As a result, two new vulnerabilities were identified: CVE-2025-53770 (CVSS score 9.8; bypasses the patch for CVE-2025-49704) and CVE-2025-53771 (CVSS score 6.3; bypasses the patch for CVE-2025-49706). Last week, analysts at Eye Security reported that the new vulnerabilities were already being exploited in attacks on on-premises SharePoint servers.
As a result, Microsoft developers have already released emergency patches for both RCE issues, patching the vulnerabilities in SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016:
Additionally, Microsoft strongly recommends that administrators rotate keys after installing the patches. Microsoft also recommends integrating and enabling the Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or a comparable solution) on all on-premises SharePoint deployments, and configuring AMSI in full mode.
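The key rotation recommended above refers to the ASP.NET machine keys of the farm's SharePoint web applications, which an attacker who has already exploited ToolShell could otherwise keep abusing after the patch is applied. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes it is run in the SharePoint Management Shell by a farm administrator and that the Update-SPMachineKey cmdlet is available on the installed SharePoint build (verify this against your version before relying on it).

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys of
# every web application in an on-premises SharePoint farm after installing
# the ToolShell patches (CVE-2025-53770 / CVE-2025-53771), then recycle IIS
# so that the new keys take effect on this server.
# Assumptions: run as a farm administrator in the SharePoint Management
# Shell; Update-SPMachineKey exists on your SharePoint build.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Include Central Administration, since it is a web application as well.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    try {
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
    }
    catch {
        # Record the failure but continue with the remaining web applications;
        # a partially rotated farm must be reviewed afterwards.
        Write-Warning "Key rotation failed for $($webApp.Url): $($_.Exception.Message)"
    }
}

# Apply the new keys on this server; repeat the IIS reset on every front end.
iisreset /noforce
```

Rotation should be performed only after the security updates (or AMSI) are in place, since rotating keys on a still-vulnerable server gives no lasting protection.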
According to numerous expert reports, dozens of organizations around the world have already fallen victim to these attacks. Reports on the exploitation of the bugs have been published by Cisco Talos, Censys, Check Point, CrowdStrike, Palo Alto Networks, Qualys, SentinelOne, Tenable, Trend Micro and others.
Microsoft's experts, in turn, write that the new vulnerabilities have been exploited by the Chinese APT groups Linen Typhoon (also known as APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), Violet Typhoon (also known as APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), and a third Chinese hacker group, Storm-2603. Google Cloud specialists at Mandiant Consulting also confirm the Chinese hacker attacks on SharePoint.
At the same time, according to Check Point specialists, the first signs of exploitation were discovered on July 7, 2025. Attackers have targeted dozens of organizations in the government, telecommunications, and IT sectors in North America and Western Europe. Microsoft has shared the following indicators of compromise (IOCs) to help defenders identify compromised SharePoint servers:
To make matters worse, this week a proof-of-concept exploit for CVE-2025-53770 was published, which security researchers expect will soon lead to other hacker groups joining the ToolShell attacks. According to experts at Eye Security, at least 400 servers and 148 organizations worldwide have so far been affected by ToolShell attacks.
It’s also worth noting that today it emerged that the US National Nuclear Security Administration (NNSA) was a victim of the ToolShell attack. This agency, part of the US Department of Energy, is responsible for storing the country’s nuclear weapons stockpile and responding to nuclear and radiological emergencies in the US and abroad.