Chinese State-Sponsored Threat Actors Exploit SharePoint ToolShell Zero-Days

A massive breach of on-premises Microsoft SharePoint servers by Chinese threat actors is affecting governments and organizations around the world. The vulnerability chain allows attackers to bypass authentication, execute code on vulnerable SharePoint servers, and steal cryptographic keys that let them keep access even after the vulnerability is patched.

SharePoint is a web application used to manage intranet and shared files for collaboration within organizations. Due to its integration with Microsoft 365 products like Word and Excel, SharePoint is widely used in both government and corporate settings.

Here’s what we know so far about this attack.

Background

On July 18, 2025, researchers at Eye Security observed exploitation of SharePoint servers, according to their blog. After investigating, Eye Security found that the attackers had used an attack chain called ToolShell. ToolShell chains two zero-day vulnerabilities, CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (code execution), to bypass authentication and execute code on the targeted server. Eye Security scanned public-facing SharePoint servers and found 400 that had already been compromised, according to their blog.

Eye Security notified Microsoft, and the next day the Microsoft Security Response Center published a blog post acknowledging the attack and providing more information. Microsoft confirmed that the attack does not affect SharePoint Online, only on-premises SharePoint Server 2016, 2019, and Subscription Edition. According to Eye Security, SharePoint Server 2010 and 2013 are also affected but no longer receive security updates, so the only way to secure those servers is to decommission them or upgrade to a supported version of SharePoint.

On July 22, Microsoft Threat Intelligence shared more information on its blog, revealing that at least three Chinese threat actors, tracked as Linen Typhoon, Violet Typhoon, and Storm-2603, have been actively exploiting the ToolShell attack chain against vulnerable SharePoint servers. Disturbingly, Microsoft Threat Intelligence reports that threat actors had been attempting to exploit these vulnerabilities as early as July 7.

That earlier date is corroborated by Check Point Research, which reports that it too detected exploitation attempts as early as July 7, well before the July 18 attacks that brought the campaign to public attention.

There was some confusion about which CVEs were being exploited. Fixes for the original ToolShell vulnerabilities (CVE-2025-49706 and CVE-2025-49704) shipped in the July Patch Tuesday update. Attackers then moved to two new vulnerabilities, CVE-2025-53770 (remote code execution) and CVE-2025-53771 (authentication bypass), which are variants of the original bugs and bypass those fixes, as reported by The Hacker News. Microsoft has since patched these as well.

CISA has added CVE-2025-49706 and CVE-2025-49704, as well as the newer CVE-2025-53770, to its Known Exploited Vulnerabilities catalog.

Who is involved?

Microsoft Threat Intelligence has attributed these attacks to Chinese state-sponsored threat actors it tracks as Linen Typhoon and Violet Typhoon, as well as Storm-2603, which Microsoft assesses to be a China-based threat actor.

Violet Typhoon, also known as APT31, ZIRCONIUM, or Judgement Panda, is a China-based threat actor group believed to operate on behalf of the Chinese government, according to SOCRadar. A 2024 Department of Justice indictment charged members of APT31 with targeting US-based companies, as well as politicians and journalists critical of the Chinese Communist Party. The indictment alleges ties between APT31 and China's intelligence agency, the Ministry of State Security.

Linen Typhoon, also known as APT27 or Emissary Panda, is likewise believed to be a China-based threat actor. Interestingly, this is not the first time the group has targeted SharePoint: Palo Alto Networks' Unit 42 reported back in 2019 that APT27 had targeted SharePoint servers in the Middle East.

Not much information on Storm-2603 is available, other than Microsoft Threat Intelligence's report that it is a China-based threat actor that has been observed exploiting the ToolShell attack chain.

While these three groups seem to have been among the first to exploit these vulnerabilities, now that the details are public we can expect other threat actors to follow.

Impact

These vulnerabilities allow attackers to bypass authentication entirely and execute code on the victim server, from which they can exfiltrate sensitive data or deploy malware. Because SharePoint is integrated with other Microsoft products, there is even more potential for theft of sensitive data, credentials, and the like.

Companies and government agencies around the world have been affected.

Multiple US government agencies have been targeted, including the Department of Health and Human Services and the Department of Homeland Security, as reported by CBS News.

Perhaps the most disturbing compromise was at the US National Nuclear Security Administration. Engadget, citing Bloomberg, reports that the agency responsible for maintaining and designing the US nuclear weapons stockpile was compromised on July 18, the same day Eye Security first observed this attack chain. Attackers also targeted the US Department of Education and Florida's Department of Revenue, Engadget reports.

The full impact of this attack is still being assessed. More victims are likely to be discovered in the coming days.

Mitigations

The best way to defend against ToolShell is to make sure SharePoint is patched. However, while patching prevents further exploitation, it will not remove attackers who have already gained a foothold.

According to Eye Security, attackers have exploited ToolShell to steal the server's ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt ViewState). With those keys an attacker can forge ViewState payloads that the server accepts as genuine and deserializes, so code execution no longer depends on the original vulnerability and survives the patch. Eye Security, and Microsoft in its own guidance, therefore recommend that organizations that ran vulnerable SharePoint servers rotate the ASP.NET machine keys and restart IIS as a precaution, even if they do not believe they were compromised.
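The following PowerShell script is an added example of that rotation across a farm; it is not code from this post, from Eye Security, or from Microsoft. It assumes it is run from an elevated SharePoint Management Shell by a farm administrator on an already-patched SharePoint Server 2019 or Subscription Edition farm, that the Update-SPMachineKey cmdlet (the one Microsoft's guidance for this incident names) is available, that WinRM is enabled between farm servers so Invoke-Command can restart IIS remotely, and that the minimum fixed build number is supplied by the operator from Microsoft's advisory rather than hard-coded here. The log path is a hypothetical default.

```powershell
<#
  Added example, not code from the original post, Eye Security or Microsoft.
  Rotates the ASP.NET machine keys of every SharePoint web application and
  then restarts IIS on every SharePoint server in the farm.

  Assumptions (not stated on the page):
    - Run from an elevated SharePoint Management Shell as a farm administrator.
    - Update-SPMachineKey is available (SharePoint Server 2019 / Subscription
      Edition); for 2010/2013 the page's guidance is to upgrade or retire.
    - WinRM is enabled between farm servers so Invoke-Command can run iisreset.
    - -MinimumBuild is the first fixed build for your version, taken from
      Microsoft's advisory; it is a parameter here, not a value from the page.
#>
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild,

    # Hypothetical default: where to record what was rotated, for the incident timeline.
    [string]$LogPath = "$env:ProgramData\ToolShell-KeyRotation.log"
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Write-Log {
    param([string]$Message)
    $line = "{0:u}  {1}" -f (Get-Date), $Message
    Write-Host $line
    Add-Content -Path $LogPath -Value $line
}

# 1. Refuse to rotate on an unpatched farm. Keys generated while the
#    vulnerability is still exploitable can simply be stolen again, so the
#    order must be: patch, then rotate, then restart.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinimumBuild) {
    throw "Farm build $farmBuild is below the fixed build $MinimumBuild. Install the security update first."
}
Write-Log "Farm build $farmBuild meets minimum $MinimumBuild; proceeding."

# 2. Rotate keys for every web application, including Central Administration.
#    Update-SPMachineKey generates fresh ValidationKey/DecryptionKey values and
#    pushes them to each server's web.config for that web application.
$webApps = @(Get-SPWebApplication -IncludeCentralAdministration)
foreach ($wa in $webApps) {
    Write-Log "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS on every SharePoint server so running worker processes stop
#    trusting the old keys. Anything an attacker signed with the stolen keys
#    is rejected once the new keys are loaded. Role 'Invalid' marks servers
#    that are not SharePoint servers (for example the SQL host), which are skipped.
$servers = @(Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })
foreach ($server in $servers) {
    Write-Log "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
}

Write-Log "Rotated keys for $($webApps.Count) web application(s) and restarted IIS on $($servers.Count) server(s)."
```

Run it once on any farm server: the key rotation itself propagates through the farm configuration, but the IIS restart has to happen on every server, which is why the script loops over them rather than calling iisreset only locally. The build check fails closed on purpose; rotating keys on a still-vulnerable farm only gives the attacker a fresh set to steal.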

It’s worth noting that one mitigation recommended by Microsoft is to enable the Antimalware Scan Interface (AMSI) integration for SharePoint. However, security firm watchTowr told SecurityWeek that this protection can be bypassed by attackers exploiting CVE-2025-53770, so AMSI should be treated as defence in depth rather than a substitute for patching and key rotation.
