
Global cyber-attack targeting SharePoint systems impacts hundreds of systems across the globe

Federal agencies and numerous state and local entities may have been breached, prompting a response from CISA.


The global hacking campaign exploiting the ToolShell vulnerabilities in Microsoft SharePoint remains active, with in-the-wild exploitation observed since mid-July 2025. ToolShell consists of CVE-2025-53770, an unauthenticated remote code execution flaw rooted in deserialization of untrusted data, and CVE-2025-53771, an authentication bypass; both are patch bypasses for flaws Microsoft had addressed in its July 2025 updates. They affect on-premises Microsoft SharePoint Server 2016, 2019, and Subscription Edition. SharePoint Online in Microsoft 365 is not affected.

These vulnerabilities have been chained in the wild to bypass authentication, execute code remotely without credentials, deploy web shells, steal the server's ASP.NET machine keys (the ValidationKey and DecryptionKey), and maintain persistent backdoors. The key theft is what makes the campaign hard to evict: with the machine keys in hand, an attacker can forge validly signed __VIEWSTATE payloads and regain code execution even after the server is patched, so the keys themselves have to be rotated. The rapid spread of the exploitation has affected multiple industries, including High Tech, Healthcare, Finance, Education, and others. SentinelOne identified at least three distinct attacker clusters involved in the campaign, each using its own tooling and methods.
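As an added example (not code from the article, CISA or Microsoft), the following Python hunts an IIS W3C log for the two stages described above: the authentication-bypass POST to ToolPane.aspx carrying a SignOut.aspx Referer, and follow-up requests to the spinstall0.aspx web shell used to dump the machine keys. Those two indicators follow Microsoft's published ToolShell guidance; the hostnames, IP addresses, user names and log lines are constructed, and the lower-confidence "toolpane-unauthenticated" rule is an assumption of this example rather than a published indicator.

```python
"""Hunt for ToolShell (CVE-2025-53770 / CVE-2025-53771) activity in IIS W3C logs.

Added example, not part of the original article. Indicators follow Microsoft's
public guidance: the exploit is a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
with a Referer of /_layouts/SignOut.aspx (the auth bypass), followed by requests
to the dropped spinstall*.aspx web shell that leaks the MachineKey.
Hostnames, IPs, usernames and the sample log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator

TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)
# spinstall0.aspx plus the numbered variants seen in later reporting
WEBSHELL_RE = re.compile(r"/_layouts/\d+/spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    client_ip: str
    kind: str      # "toolshell-exploit", "toolpane-unauthenticated" or "webshell-access"
    detail: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the latest '#Fields:' header.

    IIS may change the field layout mid-file, so the header is re-read each time it appears.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("log record found before any #Fields header")
        values = line.split(" ")          # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):    # truncated line: skip it rather than abort the hunt
            continue
        yield dict(zip(fields, values))


def scan(lines: Iterable[str]) -> list[Finding]:
    """Return findings in log order; each record yields at most one finding."""
    findings: list[Finding] = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        ip = rec.get("c-ip", "?")
        ts = f"{rec.get('date', '')} {rec.get('time', '')}"

        if method == "POST" and TOOLPANE_RE.search(stem) and "displaymode=edit" in query.lower():
            if SIGNOUT_RE.search(referer):
                # Edit-mode POST with a sign-out Referer is the documented bypass signature.
                findings.append(Finding(ts, ip, "toolshell-exploit",
                                        f"{stem}?{query} referer={referer} user={user}"))
            elif user == "-":
                # Assumption of this example: anonymous edit-mode POSTs without the
                # Referer marker are worth a look, but at lower confidence.
                findings.append(Finding(ts, ip, "toolpane-unauthenticated", f"{stem}?{query}"))
        elif WEBSHELL_RE.search(stem):
            findings.append(Finding(ts, ip, "webshell-access",
                                    f"{method} {stem} status={rec.get('sc-status', '?')}"))
    return findings


def suspicious_clients(findings: list[Finding]) -> set[str]:
    """Client IPs with at least one high-confidence indicator, for containment and pivoting."""
    return {f.client_ip for f in findings if f.kind in ("toolshell-exploit", "webshell-access")}


# Constructed sample log in the default IIS W3C layout; the attacker IP is from TEST-NET-3.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 21:03:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\alice 10.0.1.7 Mozilla/5.0 - 200 0 0 120
2025-07-18 21:04:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.40 Mozilla/5.0 http://sp.corp.example/_layouts/SignOut.aspx 200 0 0 310
2025-07-18 21:04:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.40 Mozilla/5.0 - 200 0 0 45
2025-07-18 21:10:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\bob 10.0.1.9 Mozilla/5.0 http://sp.corp.example/SitePages/Home.aspx 200 0 0 88
"""


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f.time}  {f.client_ip:<15} {f.kind:<24} {f.detail}")
    print("contain/pivot on:", sorted(suspicious_clients(hits)))
```

Point it at the IIS logs under the W3SVC site directory of each front-end server. The authenticated edit-mode POST from CORP\bob is deliberately left unflagged: ToolPane.aspx is a legitimate page, and it is the SignOut.aspx Referer, or the absence of any credential, that separates the bypass from normal use. Any hit on spinstall*.aspx means the machine keys should be assumed stolen, which is why the mitigation has to include rotating them rather than patching alone.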

Attribution was not confirmed in the earliest reports; Microsoft has since attributed early activity to named state-linked groups. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog on July 20, 2025, signalling that the vulnerability poses a significant risk to the federal enterprise. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate catalog entries by the due date CISA assigns.

Public disclosures confirming data exfiltration from federal or state government systems remain limited. The Department of Energy reported minimal impact, which it attributed to its broad use of the Microsoft 365 cloud (SharePoint Online is not affected) and to its existing cybersecurity controls; even so, parts of the department, including the National Nuclear Security Administration (NNSA), were reported to have been breached.

The Shadowserver Foundation has confirmed more than 300 victims of the campaign. Microsoft attributed many of the early SharePoint attacks to the China-based state actors it tracks as Linen Typhoon and Violet Typhoon. CISA continues to work with Microsoft and with federal and other partners to mitigate the active exploitation of these vulnerabilities in on-premises SharePoint servers.

Immediate patching and comprehensive mitigation are strongly advised: apply the July 2025 security updates for each affected SharePoint version, enable AMSI integration, and, because the exploit chain harvests the ASP.NET machine keys, rotate those keys (Update-SPMachineKey in the SharePoint Management Shell) and restart IIS afterwards. Patching alone does not evict an attacker who already holds the keys. CISA is still in the early stages of incident response and, together with the NNSA, is assessing the full scope and impact of the attacks; U.S. officials continue to assess the exploitation, which Microsoft has linked in part to China-backed hackers.

  1. The ToolShell campaign against on-premises Microsoft SharePoint has been actively exploited since mid-July 2025 and calls for immediate incident response, not just patching.
  2. CVE-2025-53770 and CVE-2025-53771 affect SharePoint Server 2016, 2019, and Subscription Edition and have been used to bypass authentication, execute code, deploy web shells, steal machine keys, and maintain persistent backdoors; stolen keys remain usable after patching unless they are rotated.
  3. Exploitation has spread across High Tech, Healthcare, Finance, Education, and other sectors that hold sensitive data, so exposed servers in those sectors should be hunted for signs of compromise rather than merely patched.
  4. Incident response is still in its early stages, with CISA assessing the full scope and impact of the attacks, so defenders should track CISA's and Microsoft's updates on this issue as they are published.
