China-Linked Hackers Exploit SharePoint ToolShell Flaws to Breach Governments and Telecoms
Microsoft disclosed multiple on-premises SharePoint Server vulnerabilities, including remote code execution flaws CVE-2025-49701 and CVE-2025-49704 and spoofing flaw CVE-2025-49706, as defenders responded to active exploitation. Microsoft said it was working to disrupt attacks targeting exposed SharePoint environments, while the Canadian Centre for Cyber Security issued threat-detection guidance to help organizations identify compromise tied to the SharePoint vulnerabilities.
Subsequent reporting tied the broader ToolShell exploitation chain, including CVE-2025-53770, to China-linked operators that breached a Middle Eastern telecom provider, government departments in Africa, government agencies in South America, and a U.S. university. Investigators said the intrusions used malware and tooling including Zingdoor, ShadowPad, KrustyLoader, and Sliver, alongside credential-dumping, proxying, DLL sideloading, and persistence techniques, indicating a stealthy espionage-focused campaign that expanded beyond initial public understanding of the SharePoint attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Symantec links ToolShell intrusions to broader China-linked espionage activity
Symantec reported that ToolShell exploitation had compromised a Middle Eastern telecom, two African government departments, two South American government agencies, and a U.S. university, with likely additional victims in Africa, the Middle East, and Europe. The report also described tooling including Zingdoor, ShadowPad, KrustyLoader, Sliver, and credential-dumping utilities, and assessed the operators as China-based actors engaged in likely espionage.
Canadian Centre for Cyber Security issues SharePoint threat detection guidance
The Canadian Centre for Cyber Security published threat detection guidance related to SharePoint vulnerabilities. This reflects official defensive guidance for organizations monitoring for related exploitation activity.
Microsoft details active exploitation of on-premises SharePoint vulnerabilities
Microsoft published a security blog on disrupting active exploitation of on-premises SharePoint vulnerabilities. The post signaled that exploitation was ongoing and outlined Microsoft's response to the campaign.
Mandiant says a China-based threat actor is involved in SharePoint attacks
CRN reported Mandiant's assessment that a China-based threat actor was involved in the Microsoft SharePoint attack activity. This represented an early public attribution update tying the exploitation to China-linked operators.
Attackers begin exploiting ToolShell shortly after July patches
According to later Symantec reporting, China-linked attackers exploited the ToolShell SharePoint vulnerability CVE-2025-53770 soon after Microsoft patched SharePoint in July 2025. Early victims included a telecom company in the Middle East and government entities in Africa, indicating rapid post-patch operational use.
Microsoft publishes SharePoint fixes for CVE-2025-49701, CVE-2025-49704, and CVE-2025-49706
Microsoft released Security Update Guide entries for multiple on-premises SharePoint vulnerabilities, including remote code execution flaws CVE-2025-49701 and CVE-2025-49704 and spoofing flaw CVE-2025-49706. These July 8 advisories mark the initial public patch/disclosure point in the provided references.
Sources
5 references tracked. Mallory keeps watching after this page renders.
ToolShell Used to Compromise Telecoms Company in Middle East | SECURITY.COM
security.com
Open sourceThreat detection for SharePoint vulnerabilities - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceDisrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog
microsoft.com
Open sourceChina-Based Threat Actor Involved In Microsoft SharePoint Attacks: Mandiant CTO
crn.com
Open sourceCVE-2025-49706 - Security Update Guide - Microsoft - Microsoft SharePoint Server Spoofing Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Widespread Exploitation of Microsoft SharePoint ToolShell Vulnerability by Chinese-Linked Threat Actors
Hackers believed to be associated with China have exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint, targeting a broad range of organizations across multiple continents. The vulnerability, which affects on-premise SharePoint servers, was disclosed as an actively exploited zero-day on July 20, 2025, prompting Microsoft to release emergency patches the following day. The flaw is a bypass for previously reported vulnerabilities (CVE-2025-49706 and CVE-2025-49704) and allows remote, unauthenticated attackers to execute code and gain full access to the file system. Multiple Chinese threat groups, including Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware, have been linked to these attacks. Symantec reported that the ToolShell exploit was used to compromise organizations in the Middle East, South America, the United States, Africa, and Europe, with targets including government agencies, universities, telecommunications providers, and financial institutions. In one case, attackers exploited the vulnerability to plant webshells for persistent access, followed by the deployment of a Go-based backdoor named Zingdoor and the ShadowPad Trojan, both of which facilitate remote command execution and data exfiltration. Storm-2603, a financially motivated group, was observed deploying ransomware such as LockBit Black and WarLock/X2anylock by exploiting the same set of SharePoint vulnerabilities, with major activity noted on July 18, 2025. Their operations targeted organizations in Latin America and the APAC region, using a combination of public-facing application exploits and legitimate tools like PsExec for lateral movement and execution. The attacks highlight the critical risk posed by unpatched SharePoint servers, as attackers were able to gain initial access, establish persistence, and deploy sophisticated malware and ransomware payloads. The campaigns demonstrate a high level of coordination and technical capability, leveraging zero-day exploits and advanced post-exploitation techniques. The breach of the National Nuclear Security Administration’s Kansas City National Security Campus further underscores the severity of these attacks, as foreign actors exploited the same SharePoint vulnerabilities to infiltrate a facility responsible for manufacturing critical components for US nuclear weapons. The incident at the Kansas City plant raised significant concerns about the security of federal IT and OT systems, especially those supporting national security functions. Despite the high-profile nature of the targets, responses from affected organizations and government agencies have been limited, with some declining to comment on the incidents. The rapid release of patches by Microsoft and the subsequent widespread exploitation illustrate the importance of timely vulnerability management and the need for robust security controls around public-facing applications. Security researchers have emphasized the necessity for organizations to validate their defenses against these specific TTPs and to continuously monitor for signs of compromise related to the ToolShell exploit. The attacks serve as a stark reminder of the persistent threat posed by state-linked actors and the critical importance of securing enterprise collaboration platforms like SharePoint.
Apr 9, 2026
ToolShell Exploit Drives Surge in Attacks on Microsoft SharePoint Servers
A significant increase in attacks targeting public-facing applications has been attributed to the exploitation of the ToolShell vulnerability in on-premises Microsoft SharePoint servers. According to Cisco's latest Quarterly Trends report, over 60% of recent Talos Incident Response cases involved attacks on public-facing applications, with nearly 40% specifically linked to ToolShell activity. The surge is tied to two major SharePoint vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which have been actively exploited since mid-July 2025. China-based threat groups Linen Typhoon and Violet Typhoon have been identified as the primary actors behind these campaigns, focusing on sectors such as government, defense, academia, and nonprofits. The majority of incident response engagements related to ToolShell began within ten days of the vulnerabilities' disclosure, underscoring the rapid weaponization and exploitation by threat actors. Security experts warn that unpatched SharePoint servers present a critical risk, enabling attackers to move laterally within networks and potentially deploy ransomware. Cisco emphasizes the importance of robust network segmentation and timely patching to mitigate these threats. The exploitation of ToolShell highlights the ongoing challenges organizations face in defending public-facing applications and the need for proactive vulnerability management to prevent large-scale compromise and operational disruption.
Mar 21, 2026
Microsoft SharePoint Flaws Expose Internet-Facing Servers to Spoofing and RCE Risk
More than **1,370 internet-facing Microsoft SharePoint servers** were reported exposed to active exploitation of **`CVE-2026-32201`**, a spoofing vulnerability affecting SharePoint Server 2016, 2019, and Subscription Edition. Microsoft disclosed the flaw in April and CISA added it to the **Known Exploited Vulnerabilities** catalog the same day, underscoring the urgency for defenders. Although Microsoft scored the bug at **CVSS 6.5**, the risk is elevated because it can be exploited **remotely without authentication** against exposed on-premises deployments, potentially allowing attackers to impersonate users, access or alter sensitive content, steal credentials, and move laterally inside victim environments. The exposure comes amid broader concern over SharePoint security, including Microsoft's disclosure of **`CVE-2026-26106`**, a **remote code execution** vulnerability in SharePoint Server, and earlier reporting that a **China-linked threat actor** was involved in SharePoint attacks, according to Mandiant. The concentration of exposed systems was highest in the **United States**, and the combined reporting points to sustained attacker interest in SharePoint as a route into enterprise networks. Organizations were urged to apply Microsoft's available updates, reduce direct internet exposure of SharePoint servers, and closely monitor authentication and document-access activity for signs of compromise.
May 25, 2026