A massive exposure of Microsoft SharePoint servers to internet-based attacks has been identified: over 17,000 servers are exposed and 840 are specifically vulnerable to the critical zero-day vulnerability CVE-2025-53770, according to new findings from the Shadowserver Foundation. The vulnerability, dubbed “ToolShell” by researchers, carries a critical CVSS score of 9.8 and allows unauthenticated attackers to execute arbitrary code remotely on on-premises SharePoint servers.

Shadowserver posted the following update: “SharePoint situational update: In collaboration with @ValidinLLC & @certbund we improved vhost & version detection of SharePoint instances, resulting in ~17K IPs observed exposed.”

Attackers send crafted POST requests to SharePoint’s ToolPane endpoint, deploying malicious webshells typically named “spinstall0.aspx” and variants. Microsoft has attributed the attacks to three Chinese threat actors: Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603. Storm-2603, one of the Chinese groups involved, has been observed deploying Warlock ransomware on compromised systems, escalating the threat beyond data theft to operational disruption.

Eye Security, which first reported the attacks on July 18, has confirmed over 400 victim organizations across multiple sectors, including government, healthcare, finance, and education. Several U.S. federal agencies have been confirmed as victims, including the Department of Energy’s National Nuclear Security Administration, the Department of Homeland Security, the Department of Health and Human Services, and the Department of Education.

Organizations must rotate machine keys, enable the Anti-Malware Scan Interface (AMSI), and conduct thorough security assessments.
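The two indicators the report names (POST requests to the ToolPane endpoint and webshells named spinstall0.aspx or a variant) can be checked for in IIS W3C logs. The script below is an added example, not code from the article or from any vendor; it assumes the endpoint path /_layouts/15/ToolPane.aspx and uses constructed log lines.

```python
"""Scan IIS W3C logs for the two ToolShell indicators the report names:
POST requests to SharePoint's ToolPane endpoint and requests for a
webshell named spinstall0.aspx (or a variant). Added example; the log
lines below are constructed, not taken from a real incident."""
import re

# Webshell names given in the report: spinstall0.aspx "and variants".
WEBSHELL_RE = re.compile(r"(^|/)spinstall\d*\.aspx$", re.IGNORECASE)
# Assumption: the ToolPane endpoint lives under /_layouts/<ver>/ToolPane.aspx.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)

def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def find_toolshell_indicators(lines):
    """Return (indicator, c-ip, cs-method, cs-uri-stem) tuples, in log order."""
    hits = []
    for e in parse_w3c(lines):
        stem = e.get("cs-uri-stem", "")
        method = e.get("cs-method", "")
        # Only a POST to ToolPane is flagged; GETs of the page are routine.
        if method.upper() == "POST" and TOOLPANE_RE.search(stem):
            hits.append(("toolpane-post", e["c-ip"], method, stem))
        # Any request for the webshell name is suspicious, even a 404 probe.
        if WEBSHELL_RE.search(stem):
            hits.append(("webshell-request", e["c-ip"], method, stem))
    return hits

# Constructed sample log (RFC 5737 documentation addresses as clients).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-19 03:12:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 198.51.100.7 200
2025-07-19 03:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 198.51.100.7 200
2025-07-19 03:12:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 198.51.100.7 200
2025-07-19 03:13:02 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 203.0.113.9 404
2025-07-19 03:14:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 192.0.2.20 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_toolshell_indicators(SAMPLE_LOG):
        print(hit)
```

A hit on a ToolPane POST followed by a request for a spinstall*.aspx file from the same client, as in the sample, is the sequence worth escalating; rotating machine keys after cleanup is the mitigation the report calls for.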
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 31 Jul 2025 14:35:34 +0000