
Microsoft security incident significantly impacts Germany

Leading the way in Europe


The global cybersecurity landscape has been shaken by a new campaign targeting the critical SharePoint zero-day Remote Code Execution (RCE) vulnerability, known as CVE-2025-53770 or "ToolShell." This vulnerability has impacted various sectors, including government, telecommunications, software, healthcare, education, and enterprises, in multiple countries, including Germany.

According to reports from ntv.de and dpa, the US accounts for the largest share of confirmed cases at 18%, followed by Germany at 7%. Hundreds of organizations across these sectors in the U.S., Germany, France, and Australia have been affected, demonstrating the rapid and global scale of the attack spree.

The attackers are not striking at random; they are going after strategically important targets. Lodi Hensen, VP Security Operations at Eye Security, likewise describes the campaign as neither random nor opportunistic. Details about the threat actor remain somewhat generic, with exploitation attempts originating from at least three different IP addresses. One of these IPs was previously linked to the weaponization of other vulnerabilities in Ivanti Endpoint Manager Mobile appliances.

The European Small and Medium Enterprises (SME) sector, which often relies on solutions in its own data centers, is increasingly becoming a target. These SMEs often lack continuous security monitoring, making them more susceptible to cyberattacks. Mauritius, an island nation, is also becoming a target of cybercrime.

Criminal groups are now also active, using the compromised SharePoint access for potential ransomware attacks, in which the attackers encrypt their victims' data and try to extort a ransom. The threat from China has not been eliminated either. The first attacks on the vulnerability have been attributed to Chinese groups: Linen Typhoon, Violet Typhoon, and Storm-2603.

Microsoft and security agencies like CISA have issued urgent alerts and emergency fixes. However, some versions, such as SharePoint Server 2016, initially lacked patches, increasing exposure risk. The vulnerability affects 145 organizations, 42 of them based in Germany. Ten of these German organizations have their headquarters in the country.

In summary, while exact group names are not publicly disclosed, the attackers are sophisticated, likely state-sponsored or highly organized criminal groups exploiting multiple vectors, and they have been actively compromising hundreds of organizations in Germany and worldwide since early July 2025. It is crucial for organizations to stay vigilant and keep their systems up to date with the latest security patches to mitigate the risk.

  1. The Commission, recognizing the rising concerns in data-and-cloud-computing due to escalating cybersecurity threats, might consider adopting a proposal for a directive on the protection of workers, including those in small and medium enterprises (SMEs), from the financial risks associated with exposure to cyberattacks, just as it has done with the directive on the protection of workers from the risks related to exposure to ionizing radiation.
  2. To combat this global cybersecurity threat, businesses could invest in advanced technology solutions to enhance their cybersecurity posture, thereby reducing their vulnerability to targeted attacks like the one exploiting the SharePoint zero-day RCE vulnerability (CVE-2025-53770 or "ToolShell").
  3. Given the significant impact this campaign has had on organizations globally, it would be prudent for governments to provide resources and support to help businesses in implementing robust cybersecurity measures and ensuring the continuous monitoring of their systems, particularly in sectors highly vulnerable to cyberattacks such as finance, healthcare, education, and small and medium enterprises (SMEs).
