Chinese State Actors Exploit Critical SharePoint Zero-Day Vulnerabilities in Global Attack Campaign

A massive cyber attack campaign dubbed "ToolShell" has compromised over 100 organizations worldwide through critical zero-day vulnerabilities that require immediate attention. Microsoft confirmed Chinese state-sponsored groups are behind the attacks that targeted government agencies, universities, and critical infrastructure operators.

The campaign, which began around July 7th, 2025, exploits two severe vulnerabilities (CVE-2025-53770 and CVE-2025-53771) that allow attackers to gain unauthorized remote access and impersonate legitimate SharePoint servers.

Devastating Impact and Attack Method

The attackers, identified as Linen Typhoon, Violet Typhoon, and Storm-2603, used a sophisticated attack chain combining authentication bypass and remote code execution capabilities. By exploiting these flaws, they deployed advanced malicious software and web shells to steal cryptographic keys and maintain persistent access to compromised systems.

"This level of access sets up attackers to achieve persistence through backdoors and pivot into other parts of the environment," explained Trey Ford, CISO at Bugcrowd.

The campaign has primarily affected organizations across North America, Western Europe, and Asia that rely on on-premises SharePoint for collaboration and document storage.

Response and Mitigation Strategies

Microsoft has released emergency patches for all supported SharePoint Server versions, while CISA urges immediate action from affected organizations. Key recommended steps include:

• Applying the latest security patches immediately
• Rotating ASP.NET MachineKeys
• Restarting IIS web server services
• Enabling AMSI in Full Mode
• Implementing endpoint protection software
• Restricting access to external-facing SharePoint servers

Enhanced Security Measures

Organizations should implement robust cybersecurity protocols to protect critical infrastructure. Additional recommended security measures include:

• Conducting regular security audits
• Implementing multi-factor authentication
• Establishing incident response procedures
• Monitoring network traffic for suspicious activities
• Regular employee security training

For more detailed guidance, organizations can refer to Microsoft's Security Response Center.

Long-term Security Implications

Security experts emphasize that traditional patch management alone isn't sufficient protection against sophisticated attacks like ToolShell. Dana Simberkoff, Chief Risk Officer at AvePoint, advocates for a more comprehensive approach: "Modern software vulnerabilities are an unfortunate reality, but the real issue isn't just that flaws exist—it's how quickly organizations can detect, patch, and recover from them."

Industry Impact Assessment

The ToolShell campaign has highlighted critical vulnerabilities in enterprise collaboration systems. Organizations must prioritize:

• Continuous Monitoring: Implementing advanced threat detection systems
• Rapid Response: Developing efficient incident response protocols
• System Hardening: Strengthening security configurations across all SharePoint instances
• Access Control: Implementing strict authentication measures