An as-yet unnamed Chinese state threat actor appears to be among those exploiting CVE-2025-53770 (aka ToolShell), a remote code execution vulnerability in Microsoft SharePoint, to conduct cyber attacks, according to intelligence.
Since it emerged over the weekend of 19-20 July, the highly publicised nature of CVE-2025-53770, which bypasses two previously patched flaws, has drawn the attention of threat actors thanks to the considerable danger it poses, and the fact that Microsoft’s patch cannot and does not fully mitigate this.
Charles Carmakal, chief technology officer of Mandiant Consulting at Google Cloud, said the organisation has been tracking a variety of groups probing and attacking SharePoint instances around the world.
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” he said. “It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”
Sharing his thoughts on LinkedIn, Carmakal said he was experiencing a sense of déjà vu from March 2021, when a series of attacks on Microsoft Exchange Server linked to three zero-day exploits was used by China’s Silk Typhoon (aka APT27, Hafnium) advanced persistent threat (APT) group to hit thousands of victims.
Carmakal reiterated general advice to not only patch CVE-2025-53770 – and the closely linked CVE-2025-53771 – right away, but to also rotate SharePoint ASP.NET machine keys as a matter of urgency, as these will likely have been stolen in any intrusions and can be used against potential victims even if they have patched.
He added that defenders should prepare for a lot of noisy security logs with multiple discrete sets of activity targeting their SharePoint instances. Some of this would undoubtedly be malicious, he said, but some of it may be legitimate security researchers working the problem.
In the past few hours, Microsoft has also released fixes covering all supported versions of SharePoint, which had not previously been available. More information is available from the source here.
Worldwide scope
Backing up Mandiant’s assessment, Bitdefender researchers said their managed detection and response tech and telemetry lab research is showing compromises occurring across Europe, the Middle East and North America.
“Bitdefender warns that ransomware or other post-exploitation activity may follow days or weeks after initial access, making swift detection and response essential,” said a spokesperson.
SentinelOne told Computer Weekly it was tracking three distinct attack clusters targeting SharePoint – hands-on webshell access, credential harvesting via machine key extraction, and more stealthy, fileless in-memory execution.
Its researchers reported victims in critical industries, including infrastructure, technology and engineering, and backed up Mandiant’s assessment that nation-state actors have weaponised the flaw. The SentinelOne team said they had observed multiple nation-state aligned actors now engaging in recon and early stage exploitation.
“The early targets suggest that the activity was initially carefully selective, aimed at organisations with strategic value or elevated access,” wrote SentinelOne researchers Simon Kenin, Jim Walter and Tom Hegel.
“Activity following the public disclosure is opportunistic and likely unrelated to the original we describe here,” they said. “We expect broader exploitation attempts to accelerate.”
According to their analysis, threat actors are also standing up decoy honeypot environments to collect and test exploit implementations, and are sharing tooling and tradecraft among themselves.
We will all pay the price
Although victims of the current wave of attacks are yet to become publicly known, Marijus Briedis, chief technology officer at NordVPN, said that eventually, ordinary people – many of whom have never heard of SharePoint – will suffer the consequences of such widespread issues.
“When your employer, bank or healthcare provider gets hit through SharePoint, the consumer pays the price,” he said.
“SharePoint servers often connect to other Microsoft services such as Outlook and Teams, meaning such a breach can quickly lead to data theft and password harvesting. Emails, financial records and medical data are interconnected, and once attackers are inside, they’re harvesting everything.”
Briedis said consumers cannot rely on organisations to protect their data, and urged people to take steps to secure themselves.
“Use strong, unique passwords and enable multi-factor authentication wherever possible, because assuming your data will eventually be breached is the only realistic approach,” he added.
Microsoft has been contacted for comment.
