Critical Microsoft SharePoint Vulnerability Actively Exploited

Microsoft has issued an emergency patch for a critical zero-day vulnerability in SharePoint Server that has already been weaponised in live attacks.

The flaw, tracked as CVE-2025-53770 and carrying a CVSS score of 9.8, enables unauthenticated attackers to remotely execute code on vulnerable on-premises SharePoint servers.

Dubbed ToolShell, the exploit chain gives an attacker full control of a SharePoint Server instance without user interaction or credentials. It pairs an authentication bypass (the spoofing flaw CVE-2025-49706, reached through the ToolPane.aspx endpoint) with unsafe deserialization of untrusted data (CVE-2025-49704); CVE-2025-53770 and the related path traversal flaw CVE-2025-53771 are bypasses of the fixes Microsoft shipped for that pair in the July Patch Tuesday release. SharePoint Online in Microsoft 365 is not affected, but organisations running on-premises SharePoint Subscription Edition, SharePoint Server 2019 or SharePoint Server 2016 are urged to act quickly.

Exploitation Already Underway

Reports indicate that the zero-day has already been used against US federal agencies, universities, energy companies and telecommunications providers. Attackers have been observed dropping ASP.NET web shells, reachable with ordinary HTTP(S) requests, that give them persistent access. The most common, spinstall0.aspx, is not an interactive command shell: it reads the server's ASP.NET MachineKey configuration (ValidationKey and DecryptionKey) and returns it to the caller, which is what later lets the attacker forge signed __VIEWSTATE payloads and keep executing code without re-running the original exploit.

The attack path appears to trace back to a proof-of-concept shared on social media that combined previously patched SharePoint vulnerabilities into a new unauthenticated exploit. Security teams observed widespread exploitation from 18 July 2025, with dozens of SharePoint servers found compromised globally.

Urgent Action Required

Microsoft has now released security patches for all affected versions:

  1. SharePoint Subscription Edition

  2. SharePoint Server 2019

  3. SharePoint Server 2016

Organisations should apply updates immediately. Microsoft also recommends:

  1. Rotating the ASP.NET machine keys on every SharePoint server after patching (and beforehand where the patch cannot be applied straight away): the spinstall0.aspx web shell exists to steal these keys, and anyone holding them can sign forged __VIEWSTATE payloads and keep executing code on a server that has since been patched

  2. Enabling Microsoft Defender Antivirus and AMSI integration (Full Mode) on all SharePoint servers

  3. Using Defender for Endpoint or equivalent EDR tooling to detect suspicious activity, such as the IIS worker process w3wp.exe spawning cmd.exe or PowerShell

  4. Monitoring for known indicators of compromise, such as POST requests to /_layouts/15/ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx, and web shells such as spinstall0.aspx in the LAYOUTS directory

  5. Restarting IIS with iisreset.exe on every SharePoint server once the keys have been rotated
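As an added example (not code from this article or from Microsoft), the following Python script hunts an IIS W3C log for the two indicators above: an unauthenticated POST to ToolPane.aspx whose Referer is /_layouts/SignOut.aspx, and any request for a spinstall*.aspx page. The log lines are constructed for the example; the rule names, the severity labels, the treatment of an authenticated ToolPane POST with a normal Referer as benign, and the acceptance of both /_layouts/15/ and /_layouts/16/ paths are my assumptions.

```python
"""Hunt an IIS W3C log for the ToolShell request pattern and follow-on web shell access."""
import re
from dataclasses import dataclass

# Constructed sample log in IIS W3C format; not data from any real server.
# Lines 3 and 4 model the attack; lines 5 and 6 model a legitimate editor.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:40:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 121
2025-07-18 22:40:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 15
2025-07-18 22:41:10 10.0.0.5 POST /sites/hr/_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\alice 10.0.0.20 Mozilla/5.0 https://sp.corp.example/sites/hr/SitePages/Home.aspx 200 0 0 88
2025-07-18 22:42:00 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 40
"""

# Assumption: the endpoint may be reached under a site-relative path and,
# depending on the version, under the 15 or 16 layouts path.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx$", re.I)
# spinstall0.aspx is the published name; the wildcard for renamed variants is an assumption.
WEBSHELL_RE = re.compile(r"/spinstall\w*\.aspx$", re.I)


@dataclass
class Hit:
    line_no: int
    rule: str
    severity: str
    client_ip: str
    uri: str


def parse_w3c(text):
    """Yield (line_no, record) for each data line, using the #Fields: header for names."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield line_no, dict(zip(fields, parts))


def hunt(text):
    """Return a list of Hit records for every log line matching a ToolShell rule."""
    hits = []
    for line_no, rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        ip = rec.get("c-ip", "-")

        if method == "POST" and TOOLPANE_RE.search(stem):
            if SIGNOUT_RE.search(referer):
                # The SignOut.aspx Referer is the authentication-bypass signature.
                hits.append(Hit(line_no, "toolshell_signout_referer", "high", ip, stem))
            elif user == "-":
                # Anonymous POSTs to ToolPane are unusual; authenticated editors are normal.
                hits.append(Hit(line_no, "anonymous_toolpane_post", "medium", ip, stem))

        if WEBSHELL_RE.search(stem):
            hits.append(Hit(line_no, "webshell_spinstall", "high", ip, stem))
    return hits


def summarize(hits):
    """Group the rules that fired by client IP, so one source can be triaged as a whole."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h.client_ip, set()).add(h.rule)
    return {ip: sorted(rules) for ip, rules in by_ip.items()}


if __name__ == "__main__":
    for h in hunt(SAMPLE_IIS_LOG):
        print(f"line {h.line_no}: [{h.severity}] {h.rule} from {h.client_ip} -> {h.uri}")
    print(summarize(hunt(SAMPLE_IIS_LOG)))
```

Point the script at real W3C logs from each SharePoint server (the `#Fields:` header is read from the file, so the column order does not matter), and treat any IP that trips both rules as a confirmed compromise rather than a single noisy request.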

Threat Attribution and PoC Risk

Since the vulnerability was disclosed, Microsoft has attributed the attacks to multiple Chinese-linked threat actors, including Linen Typhoon, Violet Typhoon, and Storm-2603. These groups have been observed exploiting the vulnerability to deploy web shells and maintain long-term access to compromised systems.

To make matters worse, a public proof-of-concept (PoC) exploit for CVE-2025-53770 has now been released on GitHub, increasing the likelihood of widespread exploitation by additional threat actors. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalogue and mandated immediate patching across federal systems.

Final Reminder

Given SharePoint’s critical role in collaboration and internal data storage, this vulnerability presents a serious and immediate risk. Now that a patch is available for all versions and exploitation is active, organisations must act without delay to reduce the risk of compromise.

Update: Storm-2603 Deploys Ransomware in Active SharePoint Exploits

Published: 25 July 2025 | Update to original article

Since our initial coverage of the ToolShell exploit chain affecting SharePoint Server, the situation has escalated significantly.

Threat actor Storm-2603, assessed by Microsoft with medium confidence to be China-based, has been observed deploying Warlock ransomware in a coordinated campaign against organisations running on-premises SharePoint. The group chains the four related vulnerabilities: CVE-2025-49706 (spoofing/authentication bypass), CVE-2025-49704 (remote code execution) and their patch bypasses CVE-2025-53770 and CVE-2025-53771.

Two other China-based groups, Linen Typhoon and Violet Typhoon, have also exploited these flaws, but their campaigns appear focused on espionage and data theft. Storm-2603 is the first of the three seen using the chain for full-scale ransomware attacks.

How the Attack Works

After gaining access through a vulnerable SharePoint instance, Storm-2603 has been seen using the following techniques:

  1. Discovery with commands such as whoami, followed by user enumeration
  2. Persistence via scheduled tasks and manipulation of IIS components to load attacker-supplied .NET assemblies
  3. Credential theft with Mimikatz against LSASS memory
  4. Lateral movement with PsExec and Impacket
  5. Modifying Group Policy Objects (GPOs) to push Warlock ransomware across the environment

The group has also been seen stealing the ASP.NET machine keys, which SharePoint uses to sign and encrypt __VIEWSTATE and authentication tokens. An attacker holding a server's keys can craft payloads the server trusts and regain code execution even after the patch is applied, which is why key rotation is part of the remediation rather than an optional extra.

Why This Matters

The shift from proof-of-concept exploitation to real-world ransomware deployment is a significant development, especially as exploitation is now widespread and more threat actors are likely to follow Storm‑2603’s lead.

If your organisation uses on-prem SharePoint, now is the time to act. Patch, investigate, and prepare a response plan. Applying updates immediately is critical to reducing the risk of compromise.
