Since mid-July, widespread in-the-wild exploitation of two chained zero-day vulnerabilities in on-premises Microsoft SharePoint Server has been observed: a remote code execution (RCE) flaw (CVE-2025-53770) and an authentication bypass (CVE-2025-53771). Microsoft states that SharePoint Online in Microsoft 365 is not affected.
The exact number of impacted organizations remains unclear; estimates so far range from several dozen to a few hundred. High-value organizations and critical infrastructure are increasingly under attack, including the U.S. National Nuclear Security Administration, various government agencies, and academic institutions. The majority of early victims appear to be located in the United States and Europe.
It also appears that multiple threat actors are involved, either operating independently or in coordination. Thus far, Microsoft has identified three distinct Chinese state-sponsored groups. The first is Violet Typhoon (also known as APT31 or Zirconium), a well-established group linked to China’s Ministry of State Security, known for targeting media outlets and non-governmental organizations (NGOs), and for attempting to steal COVID-19 vaccine research from biomedical companies. The second is Linen Typhoon (also referred to as APT27 or Emissary Panda), a notorious actor typically focused on government entities, defense contractors, and human rights organizations. The third, Storm-2603, remains largely uncharacterized and does not appear to be directly affiliated with either Violet Typhoon or Linen Typhoon.
"ToolShell" is the name given to this exploit chain. Compromised servers have had a web shell deployed that gives the attacker remote command execution and long-term persistence, and with it full access to SharePoint's file system and configuration. There is also evidence of attackers exfiltrating the ASP.NET machine keys (the ValidationKey and DecryptionKey). Whoever holds those keys can sign their own ViewState payloads and other ASP.NET-protected data, so access can persist even after the server is patched unless the keys are rotated.
The more serious vulnerability is CVE-2025-53770. Its critical severity (CVSS v3.1 score of 9.8) combined with low attack complexity (no authentication or user interaction is required) makes it exceptionally dangerous. Because it arises from SharePoint deserializing untrusted objects sent in HTTP requests without proper validation, an attacker who crafts a single malicious web request can execute arbitrary commands or programs on the server, including uploading web shells, stealing cryptographic keys, or moving laterally within the network.
The two exploited CVEs are variants, or patch bypasses, of earlier SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706) whose exploit chain was demonstrated at the Pwn2Own competition in May 2025. Those original flaws have also been leveraged in the current campaign. Some cybersecurity vendors, however, note that definitive evidence confirming exploitation of CVE-2025-53771 alongside CVE-2025-49706 is still lacking.
Microsoft initially addressed the earlier vulnerabilities in its July 8 Patch Tuesday update. Because those fixes proved bypassable, the company released an emergency update on July 20–21 that it described as providing "more robust protections." Older versions (SharePoint 2010 and 2013) were not fixed, as they are out of support.
The vulnerabilities used in the ToolShell campaign are extremely serious and should be patched immediately.
Microsoft's additional guidance applies whether or not the update has been installed yet: enable the AMSI (Anti-Malware Scan Interface) integration in Full Mode and deploy Microsoft Defender on every SharePoint server. VERY IMPORTANTLY, Microsoft also urges customers to rotate the ASP.NET machine keys, because attackers are stealing the ValidationKey and DecryptionKey from SharePoint's web.config. Stolen keys let an attacker sign their own ViewState payloads and other ASP.NET-protected data, which is how they keep a foothold after patching. Rotate the keys after the update has been applied (rotating on a still-unpatched server only invites another theft), restart IIS on every server in the farm so the old keys are no longer loaded, and rotate again if a later compromise is suspected.
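The rotation step described above, written out as an added PowerShell example; this is not Zafran's or Microsoft's own script. It assumes SharePoint Server 2019 or Subscription Edition, where the Update-SPMachineKey cmdlet exists, and that it runs elevated in the SharePoint Management Shell on a farm server after the July security update has been installed. Deriving the web.config path from the web application's default-zone IIS settings is an assumption about the local server layout. SharePoint 2016 has no rotation cmdlet; there the keys must be edited in web.config by hand.

```powershell
# Added example (not Zafran's or Microsoft's script): rotate the ASP.NET machine keys of
# every SharePoint web application and verify that web.config actually changed.
# Assumes SharePoint 2019 / Subscription Edition, run elevated in the SharePoint Management
# Shell on a farm server, after the security update is installed.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyFingerprint {
    # Returns a short SHA-256 fingerprint of the <machineKey> element in a web.config so the
    # script can prove the keys changed without ever printing the secrets themselves.
    param([string]$WebConfigPath)
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $mk = $cfg.configuration.'system.web'.machineKey
    if (-not $mk) { return $null }
    $bytes = [Text.Encoding]::UTF8.GetBytes("$($mk.validationKey)|$($mk.decryptionKey)")
    $sha   = [Security.Cryptography.SHA256]::Create()
    return ([BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').Substring(0, 16)
}

$results = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    # Assumption: the default-zone IIS site of this web application lives on this server.
    $iis       = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $webConfig = Join-Path $iis.Path.FullName 'web.config'
    $before    = Get-MachineKeyFingerprint $webConfig

    # Generates a new ValidationKey/DecryptionKey pair for this web application and
    # writes it to web.config on the farm's servers.
    Update-SPMachineKey -WebApplication $wa

    $after = Get-MachineKeyFingerprint $webConfig
    [pscustomobject]@{
        WebApplication = $wa.DisplayName
        WebConfig      = $webConfig
        KeyBefore      = $before
        KeyAfter       = $after
        Rotated        = ($before -ne $after)
    }
}

$results | Format-Table -AutoSize

# The old keys stay loaded in the running worker processes until IIS restarts;
# run this on every SharePoint server in the farm, not only the one executing the script.
iisreset.exe

if ($results | Where-Object { -not $_.Rotated }) {
    # Propagation to web.config can lag behind the cmdlet; re-check before treating this as a failure.
    Write-Warning 'One or more web applications still carry the old machine key; re-check and investigate.'
}
```

Keep the fingerprints, not the keys, in your change record: a ticket that quotes the new ValidationKey is just a second copy for the next attacker to find.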
Furthermore, organizations should use the detection and protection rules already provided by various cybersecurity vendors and configure them accordingly. For example: set Trend Micro Apex One intrusion prevention rule "1012390" to block mode; run Cortex XDR agent version 8.7 with content version 1870-19884 or 1880-19902; and enforce Check Point IPS package 635254838. More generic behavior-based controls, such as CrowdStrike Falcon Insight XDR's "Abnormal process behavior" detections, are also useful.
Last but not least, it is important to block access from the IP addresses observed exploiting the flaws. The Research Team at Zafran Security has identified three malicious IPs currently attempting to exploit CVE-2025-53771 (as of July 23):
Other IP addresses that have been linked to the campaign are:
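The blocking and log-review step, as an added PowerShell example rather than Zafran's tooling. The three addresses in $BlockedIps are placeholders from the RFC 5737 documentation ranges, not the IPs Zafran identified; the sample log lines are constructed for the example; and the firewall cmdlets assume a current Windows Server with the NetSecurity module available.

```powershell
# Added example (not Zafran's tooling): given a list of attacker IPs, (1) check the IIS W3C
# logs of the SharePoint server for any earlier hits from those addresses and (2) add an
# inbound Windows Firewall block rule for them.
# The addresses below are RFC 5737 placeholders, NOT the IPs from the campaign; substitute the real list.

$BlockedIps = @('203.0.113.10', '198.51.100.24', '192.0.2.77')   # placeholders

function Find-IisHits {
    # Parses W3C-format IIS log lines (the '#Fields:' header names the columns) and returns
    # every request whose client address (c-ip) appears in $Addresses.
    param([string[]]$LogLines, [string[]]$Addresses)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($Addresses -contains $row['c-ip']) {
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Method = $row['cs-method']
                Path   = $row['cs-uri-stem']
                Status = $row['sc-status']
            }
        }
    }
}

function Add-IpBlockRule {
    # One rule carrying the whole list, replaced on each run so the rule always reflects the current list.
    param([string[]]$Addresses, [string]$RuleName = 'Block ToolShell source IPs')
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $Addresses -Profile Any -Enabled True | Out-Null
}

# Constructed sample log in the W3C format IIS writes under %SystemDrive%\inetpub\logs\LogFiles\W3SVC<id>.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/settings.aspx - 443 203.0.113.10 200
2025-07-19 03:13:01 10.0.0.5 GET /sites/hr/default.aspx - 443 10.0.0.41 200
2025-07-19 03:14:09 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 203.0.113.10 200
'@ -split "`r?`n"

# Two rows (both from 203.0.113.10) come back for the sample above.
Find-IisHits -LogLines $sampleLog -Addresses $BlockedIps | Format-Table -AutoSize

# Against the real logs (adjust the W3SVC site id), then block:
# Find-IisHits -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log') -Addresses $BlockedIps
# Add-IpBlockRule -Addresses $BlockedIps
```

Two caveats. If the server sits behind a load balancer or reverse proxy, c-ip is the proxy's address and the real client only appears in a forwarded header (X-Forwarded-For), so enable that field in IIS logging or match on it instead. And an IP block is a stopgap: the addresses rotate quickly, blocking at the perimeter or WAF beats a host rule, and any hit in the logs means the server should be treated as compromised (keys rotated, web shells hunted), not merely firewalled.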
Zafran plays a critical role in mitigating risks like those presented by the ToolShell campaign by enabling organizations to proactively identify and remediate exploitable vulnerabilities across their environment before adversaries can act. The Zafran Threat Exposure Management Platform automatically identifies control mitigations such as those outlined above to defuse vulnerabilities ahead of patch cycles.
In response to the SharePoint zero-day vulnerabilities, Zafran enables cybersecurity managers to conduct internal exposure analysis to identify unpatched SharePoint instances and prioritize those exposed to the internet. The platform also simplifies and accelerates the workflow for applying security fixes, helping to make the patching process more efficient. For assets yet to be patched, Zafran verifies that appropriate security tool protections are in place, and if any gaps are found, it provides immediate recommendations to strengthen configurations and reduce the risk of exploitation.