
Hackers exploiting vulnerability in SharePoint: Microsoft confirms ransomware deployment

Ransomware threats escalate due to persistent SharePoint security flaw as Microsoft issues urgent cautionary alerts


A critical zero-day vulnerability in Microsoft's SharePoint software, known as CVE-2025-53770 or "ToolShell", has been actively exploited since early July 2025. This vulnerability allows unauthenticated remote code execution (RCE) on on-premises SharePoint servers, giving attackers full access to SharePoint content and configurations.

The Chinese hacking groups known as Storm-2603, Linen Typhoon, and Violet Typhoon have been leveraging this vulnerability to deploy ransomware such as Warlock. More than 4,600 compromise attempts targeting over 300 organizations globally have been documented, with hundreds to thousands of SharePoint servers compromised worldwide, including U.S. government agencies and other critical sectors.

Current Status

Exploitation of this vulnerability is still ongoing, and experts warn that unpatched systems remain at risk. U.S. agencies such as the National Nuclear Security Administration have been impacted, and the UK's National Cyber Security Centre has observed a limited number of intrusions linked to the SharePoint flaw.

Patches and Mitigation

Microsoft has released security updates addressing CVE-2025-53770 for the following on-premises SharePoint versions:

  • SharePoint 2016
  • SharePoint 2019
  • SharePoint Server Subscription Edition

These patches are critical and urgent; internet-exposed systems are highly likely to be compromised if they are not patched immediately. Additional vulnerabilities tied to this campaign (CVE-2025-49706, CVE-2025-49704, CVE-2025-53771) have also been patched and should be included in the same update cycle. SharePoint Online (Microsoft 365) is not affected by these vulnerabilities.

Recommendations

Organizations should prioritize applying Microsoft’s released patches immediately. Where patching cannot be performed rapidly, isolating vulnerable SharePoint servers or removing them from the internet is also recommended. Monitoring for signs of compromise and ransomware deployment linked to these exploits is essential, as is following guidance from Microsoft, CISA, and security research groups for ongoing updates and mitigation strategies.

In summary, the zero-day SharePoint vulnerability exploited by Chinese ransomware groups remains actively exploited, but Microsoft’s patches for all supported on-premises SharePoint versions are now available and must be installed without delay to prevent further attacks.


  1. The ongoing active exploitation of the SharePoint vulnerability, known as CVE-2025-53770, or "ToolShell", has raised significant concerns in the realm of cybersecurity, particularly with the documented attacks by Chinese hacking groups.
  2. In response to the threat posed by this zero-day vulnerability, Microsoft has released patches for all supported on-premises SharePoint versions, urging organizations to prioritize their installation to avoid further attacks.
