Several hacking groups with ties to the Chinese government have been linked to a recent wave of widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain.
They used this exploit chain (dubbed “ToolShell”) to breach dozens of organizations worldwide after hacking into their on-premise SharePoint servers.
“Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers,” Microsoft said in a Tuesday report. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It’s critical to understand that multiple actors are now actively exploiting this vulnerability,” Charles Carmakal, CTO of Google Cloud’s Mandiant Consulting, told BleepingComputer yesterday.
On Friday, Dutch cybersecurity firm Eye Security first spotted zero-day attacks exploiting the CVE-2025-49706 and CVE-2025-49704 vulnerabilities (first demoed during the Berlin Pwn2Own hacking contest by Viettel Cyber Security researchers).
The company told BleepingComputer that at least 54 organizations had already been compromised, including several multinational companies and national government entities.
Cybersecurity firm Check Point also revealed on Monday that it discovered the first signs of exploitation on July 7th, adding that the attackers targeted dozens of entities across the government, telecommunications, and software sectors in North America and Western Europe.
Microsoft patched the two flaws as part of the July Patch Tuesday updates and assigned two new CVE IDs (CVE-2025-53770 and CVE-2025-53771) over the weekend for zero-days used by threat actors to compromise fully patched SharePoint servers. Since then, it released emergency patches for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016 to address both RCE flaws.
PoC exploit now available
This week, after Microsoft released security patches for all impacted SharePoint versions, a CVE-2025-53770 proof-of-concept exploit was also released on GitHub, making it easier for more threat actors and hacking groups to join ongoing attacks.
CISA has also added the CVE-2025-53770 remote code execution vulnerability to its Known Exploited Vulnerability catalog, ordering federal agencies to apply patches one day after they were released.
“This exploitation activity, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” the cybersecurity agency said.
“Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action.”
Update July 22, 09:11 EDT: Added Microsoft attribution.
CISOs know that getting board buy-in starts with a clear, strategic view of how cloud security drives business value.
This free, editable board report deck helps security leaders present risk, impact, and priorities in clear business terms. Turn security updates into meaningful conversations and faster decision-making in the boardroom.