Microsoft Links On-Premises SharePoint Exploits to China


Security Researchers Warn of Widespread Access to Exploit Code by Diverse Hacking Groups


Attackers exploiting zero-day vulnerabilities in on-premises Microsoft SharePoint have been using their access primarily to steal the servers' cryptographic material: the ASP.NET machine keys (validation and decryption keys) stored in each web application's configuration. Whoever holds those keys can sign ViewState payloads that the server will accept and deserialize, so the access survives even after the underlying bugs are patched. Microsoft has attributed the activity to Chinese state-sponsored groups.

Microsoft has released out-of-band patches for the exploit chain known as ToolShell, which targets on-premises SharePoint Server; SharePoint Online in Microsoft 365 is not affected. Patches are now available for all supported versions (Subscription Edition, 2019 and 2016) and address CVE-2025-53770, a deserialization flaw that gives unauthenticated remote code execution, and CVE-2025-53771, a spoofing bug that bypasses authentication on the vulnerable endpoint. Both are variants of two bugs that Microsoft had already fixed in the July Patch Tuesday release, which is why servers that were current at the time were still exploitable.

Microsoft stresses that patching alone does not evict an attacker who is already in: the machine keys must also be rotated, because a stolen key remains valid until it is replaced. The urgency is underscored by reports of active exploitation that Microsoft has tied to the Chinese state-aligned groups it tracks as Linen Typhoon and Violet Typhoon.

Cybersecurity firm Eye Security, which first reported the in-the-wild exploitation, observed successive waves of ToolShell attacks shortly after proof-of-concept exploit code became public, and found a number of systems already compromised. Rapid7's analysis likewise describes a deliberate campaign whose aim is persistence that outlasts the patch rather than one-off intrusion.

Researchers at Mandiant, part of Google Cloud, add that the stolen key material can keep granting access to victim environments after the obvious remediation steps are taken. SharePoint's tight integration with other Microsoft services (Active Directory, Exchange, Teams and OneDrive among them) raises the stakes, since a foothold on a SharePoint server is a short hop to the rest of the network. With exploit code circulating widely, a range of actors, some with geopolitical motives, are expected to keep exploiting these vulnerabilities against organizations worldwide.

Recommended Mitigation Strategies

Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency have issued guidance for all on-premises SharePoint deployments: apply Microsoft's emergency patches immediately, then rotate the ASP.NET machine keys (via PowerShell or Central Administration) and restart IIS on every server in the farm, and review the servers for signs of compromise. Microsoft also recommends enabling the Antimalware Scan Interface (AMSI) integration in SharePoint, backed by Microsoft Defender Antivirus or another AMSI-aware engine, so that malicious requests can be inspected before they reach the application. AMSI is a layer of defense, not a substitute for the patch: enabling it on an unpatched server does not stop a determined attacker, and neither step helps if the keys stolen before patching are left in place.
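The following script walks the remediation sequence above (confirm the build, rotate the machine keys, restart IIS, confirm an AMSI provider is present) in the SharePoint Management Shell. It is an added example, not code from the article, Microsoft or CISA. It assumes a farm-administrator session on a server that has already received the update, and it uses the `Set-SPMachineKey` and `Update-SPMachineKey` cmdlets and the `IisSettings` path lookup as documented for SharePoint 2016, 2019 and Subscription Edition; the helper `Get-MachineKeyFingerprint` is an illustrative function written for this example.

```powershell
# Added example, not code from the article, Microsoft or CISA. Assumes a farm-admin
# session on a patched SharePoint 2016/2019/SE server; cmdlet names and the
# IisSettings path lookup are used as documented but not verified against your build.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build and compare it with the build number in Microsoft's advisory
#    for CVE-2025-53770 / CVE-2025-53771 before going further: rotating keys on an
#    unpatched server buys nothing, because the attacker can simply steal them again.
$farm = Get-SPFarm
Write-Host ("Farm build: {0}" -f $farm.BuildVersion)

# Illustrative helper: a short SHA-256 fingerprint of a web application's validationKey,
# so the rotation can be checked without ever printing the secret key itself.
function Get-MachineKeyFingerprint {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApp)
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $cfg  = Join-Path $WebApp.IisSettings[$zone].Path.FullName 'web.config'
    $node = (Select-Xml -Path $cfg -XPath '//machineKey').Node
    if (-not $node) { return $null }
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($node.validationKey))
    return ([BitConverter]::ToString($hash) -replace '-', '').Substring(0, 16)
}

# 2. Snapshot the current key fingerprints, including Central Administration.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
$before  = @{}
foreach ($wa in $webApps) { $before[$wa.Url] = Get-MachineKeyFingerprint $wa }

# 3. Rotate: Set-SPMachineKey generates new validation/decryption keys for the web
#    application, Update-SPMachineKey writes them into web.config on every front end.
foreach ($wa in $webApps) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Set-SPMachineKey    -WebApplication $wa
    Update-SPMachineKey -WebApplication $wa
}

# 4. Restart IIS so the worker processes drop the old keys from memory.
iisreset.exe | Out-Null

# 5. Verify that every web application now carries a different key than before.
#    A 'NOT rotated' line means the old, possibly stolen, key is still trusted.
foreach ($wa in $webApps) {
    $after = Get-MachineKeyFingerprint $wa
    $state = if ($after -and $after -ne $before[$wa.Url]) { 'rotated' } else { 'NOT rotated' }
    Write-Host ("{0}: {1}" -f $wa.Url, $state)
}

# 6. AMSI only inspects anything if an antimalware engine has registered itself as a
#    provider. Providers are listed as CLSIDs under this registry key; an empty list
#    means no engine (Defender or third-party) is hooked in, and SharePoint's AMSI
#    integration would scan with nothing behind it.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if ($providers) {
    Write-Host ("AMSI providers registered: {0}" -f @($providers).Count)
} else {
    Write-Warning 'No AMSI provider registered; enable Microsoft Defender Antivirus before relying on AMSI.'
}
```

Run it once per farm, not once per server: the cmdlets update the farm configuration and push the new keys to every front end, while the `iisreset` and the AMSI provider check are per-server and should be repeated on each machine in the farm. The fingerprint comparison is the check most teams skip; it is the only step that proves the key an attacker may already hold has actually stopped working.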

As organizations navigate these escalating cybersecurity threats, vigilance and proactive measures remain essential in protecting against sophisticated exploits that target critical infrastructure and sensitive information.
