ToolShell Breach Hits Hundreds of SharePoint Servers, U.S. Agencies Exposed

A recent wave of zero-day attacks dubbed ToolShell has exposed critical vulnerabilities in Microsoft SharePoint Server, affecting hundreds of organizations including U.S. government agencies. 

Microsoft and cybersecurity firms first warned of these intrusions over the weekend, but evidence shows that attacks began as early as July 7. Two China-backed groups, Linen Typhoon and Violet Typhoon, are responsible for the initial exploitation. Another group, Storm-2603, suspected to be affiliated with China, deployed ransomware starting July 18.

Eye Security revealed that over 400 of the 23,000 scanned SharePoint servers were compromised during four distinct attack waves between July 17 and July 21. Among the victims were high-profile U.S. agencies like Homeland Security, the Department of Energy, and the NIH. The extent of sensitive data exposure is still under investigation. 

The attacks leveraged flaws tracked as CVE-2025-53770 and CVE-2025-53771, which bypassed previous patches for vulnerabilities disclosed at the May Pwn2Own competition. While Microsoft confirmed some exploit activity, not all companies agree on the scope, and confusion persists over which bugs were actually used. 
