China-Based Threat Actor Involved In Microsoft SharePoint Attacks: Mandiant CTO

By CRN | July 22, 2025


While multiple attackers are now actively exploiting vulnerable on-premises SharePoint servers, Google Cloud-owned Mandiant assesses that ‘at least one’ is based in China.

Among the attackers now actively exploiting vulnerable on-premises Microsoft SharePoint servers, at least one has shown indications of originating from China, according to the assessment of Mandiant researchers.

The ongoing wave of attacks, known as “ToolShell,” has involved exploitation of a critical zero-day vulnerability in on-premises Microsoft SharePoint Server systems. Researchers have estimated that at least several hundred organizations have been compromised so far, reportedly including U.S. government agencies, educational institutions and organizations that manage critical infrastructure.

[Related: ‘Patching Is Not Enough’ With Microsoft SharePoint Server Attacks: Experts]

Charles Carmakal, CTO at Google Cloud-owned Mandiant Consulting, disclosed Monday that while multiple threat actors have been involved in the compromises so far, indications of involvement originating from China have been observed.

“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” Carmakal said in a statement provided by email.

“It’s critical to understand that multiple actors are now actively exploiting this vulnerability,” he said in the statement. “We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”

In addition to nation-state attackers, security researchers suggested to CRN Monday that it’s likely that financially motivated threat actors are also seeking to exploit the critical SharePoint vulnerability.

The “ToolShell” cyberattack campaign involves exploitation of on-premises Microsoft SharePoint Servers using a critical-severity remote code execution vulnerability (tracked as CVE-2025-53770) chained with a spoofing vulnerability (tracked as CVE-2025-53771).

Microsoft has released emergency patches to address the vulnerabilities in the SharePoint Server Subscription Edition and SharePoint Server 2019.

As of this writing, patches were not yet available for Microsoft SharePoint Server 2016. The company said in the customer guidance advisory that it is working on the SharePoint Server 2016 fixes.

The flaws do not impact SharePoint Online in Microsoft 365, Microsoft has said.

In its customer guidance advisory posted online, Microsoft called it “critical” that customers rotate their SharePoint server keys, known as ASP.NET machine keys, in addition to patching.

“If you don’t rotate those keys, even if you patch the server, then that attacker still has access,” said Nick Hyatt, senior threat intelligence analyst at GuidePoint Security, in an interview with CRN Monday.
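The key-rotation step that Microsoft and Hyatt describe above can be scripted from the SharePoint Management Shell. The following is an added example written for this page, not code from the article, from CRN or from Microsoft's advisory. It assumes the SharePoint Server Subscription Edition / 2019 cmdlets Get-SPWebApplication and Update-SPMachineKey are available on the server and that the shell is run by a farm administrator; the -WebApplication parameter name and the build-number comparison are assumptions to verify against Microsoft's customer guidance.

```powershell
# Added example (not from the article or Microsoft's advisory): rotate the
# ASP.NET machine keys of every SharePoint web application after patching.
# Assumption: Get-SPWebApplication and Update-SPMachineKey exist on this
# SharePoint Server Subscription Edition / 2019 farm.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record the farm build so it can be compared with the patched build number
# listed in Microsoft's customer guidance (the value itself is not reproduced here).
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Rotate keys for each web application, including Central Administration.
# Assumption: Update-SPMachineKey accepts the web application via -WebApplication.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating ASP.NET machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# Restart IIS so worker processes load the new keys; repeat on every
# server in the farm, not only the one where the cmdlets were run.
iisreset
```

Run this only after the emergency patch has been applied; rotating the keys before patching leaves the server re-exploitable, and patching without rotation leaves any keys already stolen usable for forging requests, which is the point Hyatt makes above.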

A researcher at cybersecurity vendor watchTowr, Ryan Dewhurst, said in an email to CRN Monday that the attacks have led to “widespread impact across hundreds of organizations—including those that many would consider ‘incredibly sensitive.’”

“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario,” said Dewhurst, head of proactive threat intelligence at watchTowr, in the email.

Attacks have been underway since at least July 17, with most of the activity impacting the U.S., Germany, France and Australia, he said.

Tags: Cyberattacks, Cybersecurity, Microsoft Security, Servers, Vulnerabilities