Ptechhub
What we know about the Microsoft SharePoint attacks

By CIO Dive
July 25, 2025

Government authorities and cybersecurity teams around the world are responding to a wave of cyberattacks targeting critical vulnerabilities in Microsoft SharePoint. 

The attack wave began in early July before rapidly escalating late last week, affecting important systems at government agencies, critical infrastructure providers and other SharePoint customers. 

The intrusions are exploiting ToolShell, an attack chain that combines a remote code execution vulnerability (CVE-2025-49704, a code-injection flaw) with an authentication bypass that Microsoft classifies as a spoofing vulnerability (CVE-2025-49706). Chained together, the two give an unauthenticated attacker code execution on an on-premises SharePoint server.

Researcher Khoa Dinh originally discovered the attack chain, and earlier this month Code White GmbH independently reproduced it.

The attacks appear to have escalated because Microsoft released incomplete patches for the initial vulnerabilities, according to Benjamin Harris, CEO of watchTowr.

After researchers alerted Microsoft to exploitation of the flaws, the company late last week released an urgent advisory and disclosed CVE-2025-53770, a deserialization-of-untrusted-data flaw that bypasses the fix for CVE-2025-49704. Microsoft also disclosed CVE-2025-53771, a path-traversal (spoofing) flaw that bypasses the fix for CVE-2025-49706. Servers that had applied only the original July updates therefore remained exploitable.

The attacks have compromised Microsoft SharePoint customers worldwide, with the Shadowserver Foundation reporting at least three hundred confirmed compromises. 

Shadowserver, citing data from LeakIX, also reports that there were 424 SharePoint IPs confirmed to be vulnerable as of Wednesday. Researchers from Censys say they have identified 9,717 on-premises SharePoint servers that are exposed.

Government impacts

CISA has been investigating reports that the hacks have compromised multiple federal agencies and state and local government entities. 

“CISA has been working around the clock with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures, and assess preventative measures to shield from future attacks,” a Department of Homeland Security spokesperson told Cybersecurity Dive on Thursday.

The Department of Energy has confirmed that it was hacked, with the intrusion affecting DOE components including the National Nuclear Security Administration, the agency that manages the nation’s nuclear-weapons stockpile. 

DHS also confirmed that it was hacked, although it said there is no evidence that the hackers exfiltrated data from any of its components.

The Washington Post reported that hackers also compromised the Department of Health and Human Services. HHS told Cybersecurity Dive it is actively “monitoring, identifying and mitigating all risks” associated with the SharePoint vulnerability but did not provide additional details. 

Who is behind the attacks

Microsoft has identified two China-backed nation-state actors, Linen Typhoon and Violet Typhoon, participating in the initial attack wave. Researchers have concluded that exploitation began as early as July 7.

Linen Typhoon, which has been active since 2012, has focused on stealing intellectual property and has targeted governments, defense contractors and human-rights groups. Violet Typhoon, which has been active since 2015, is an espionage actor focused mainly on non-governmental organizations, higher education, media and finance companies in the U.S., Europe and East Asia.

Microsoft has said that a third China-based attacker, which it tracks as Storm-2603, has been using the SharePoint flaws to conduct ransomware attacks. The group, which has deployed Warlock and LockBit ransomware in the past, has been carrying out ransomware intrusions through the SharePoint vulnerabilities since July 18, according to Microsoft. It has also been using the flaws to steal the servers' ASP.NET machine keys (the ValidationKey and DecryptionKey). A server keeps trusting ViewState signed with those keys until they are rotated, so an attacker who holds them can keep executing code on a server even after it has been patched.

Other groups are likely to take advantage of the flaws in the near future, Google researchers said, and some may have begun doing so. 

Mitigation 

Microsoft has released security updates that it says fully protect customers against CVE-2025-53770 and CVE-2025-53771. Updates are available for the supported on-premises products: SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. SharePoint Online in Microsoft 365 is not affected.

Microsoft said customers should ensure Antimalware Scan Interface (AMSI) integration is enabled with an up-to-date antivirus engine and, after completing the updates, rotate the SharePoint Server ASP.NET machine keys and restart Internet Information Services (IIS) on all SharePoint servers. The key rotation is not optional housekeeping: Google researchers said attackers stole machine keys in the early phase of the campaign, so a server that is patched but keeps its old keys can still be re-entered by anyone holding them.

Researchers at Rapid7 have also published an exploit module on GitHub for CVE-2025-53770 and CVE-2025-53771, which security teams can use to test whether their own servers are still exploitable.
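The following script is an added example, not code from the article, CIO Dive or Microsoft. It walks through the three post-patch steps the article lists (AMSI integration backed by a running AV engine, machine key rotation, IIS restart) for an on-premises farm. It assumes it is run from an elevated SharePoint Management Shell on one farm server after the security update has been installed everywhere, that Microsoft Defender Antivirus is the AMSI provider, and that the cmdlet and parameter names used (Get-SPServer, Get-SPWebApplication, Update-SPMachineKey -WebApplication, Get-MpComputerStatus) match the SharePoint Server and Defender PowerShell modules for your version; verify them against the vendor guidance before running this in production.

```powershell
# Added example (not from the article or Microsoft): post-patch hardening of a
# SharePoint Server farm. Assumes an elevated SharePoint Management Shell, Defender
# as the AMSI provider, and the cmdlet names listed in the lead-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$ErrorActionPreference = 'Stop'

# Step 0: refuse to rotate keys on a half-patched farm. A server whose
# SPServer.NeedsUpgrade is true still has to run the update or psconfig.
# SQL-only machines report Role 'Invalid' and are not SharePoint servers.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
$pending   = $spServers | Where-Object { $_.NeedsUpgrade }
if ($pending) {
    Write-Warning ("Servers still needing upgrade: " + ($pending.Address -join ', '))
    return
}
$names = $spServers.Address

# Step 1: AMSI integration only blocks exploit requests if an AMSI-capable
# AV engine with current signatures is actually running on each server.
$avStatus = Invoke-Command -ComputerName $names -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        AMService    = $s.AMServiceEnabled
        RealTime     = $s.RealTimeProtectionEnabled
        SignatureAge = $s.AntivirusSignatureAge   # days since last signature update
    }
}
$avStatus | Format-Table -AutoSize
$bad = $avStatus | Where-Object {
    -not $_.AMService -or -not $_.RealTime -or $_.SignatureAge -gt 1
}
if ($bad) {
    Write-Warning ("Defender is off or stale on: " + ($bad.Server -join ', '))
}

# Step 2: rotate the ASP.NET machine keys for every web application, including
# Central Administration. Keys stolen before the patch stay valid until this
# runs, so this is the step that evicts an attacker who already holds them.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# Step 3: restart IIS on every SharePoint server so the worker processes load
# the new keys instead of the ones the attacker may have copied.
Invoke-Command -ComputerName $names -ScriptBlock { & iisreset.exe /noforce }
```

Run it once from a single farm server; it fans out to the others over PowerShell remoting. If any step fails, treat the affected server as still exposed rather than as patched, since a server that is updated but still carries its old machine keys remains reachable by anyone who captured them during the campaign.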

“With mass exploitation currently occurring, defenders should take immediate action for any SharePoint servers in their environments,” Stephen Fewer, principal security researcher at Rapid7, said. “We recommend applying the vendor patches on an emergency basis, without waiting for a regular patch cycle to occur.”