Microsoft Details SharePoint Server ‘ToolShell’ Attacks, Issues Patches: Here’s What To Know
Chinese nation-state threat actors were exploiting the vulnerabilities, Microsoft said.
Active attacks targeted on-premises SharePoint servers, Microsoft warned in a blog post on July 19.
The attacks exploited CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, Microsoft said. Microsoft subsequently assigned CVE-2025-53770 and CVE-2025-53771 to the variants that bypass the July Patch Tuesday fixes for those two flaws, which is why the same attack chain is reported under both pairs of identifiers.
Patches for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 have been released.
In a later blog post on Tuesday, Microsoft went into more detail about the attacks:
“Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”
The vulnerabilities do not affect SharePoint Online in Microsoft 365.
Cybersecurity firm Black Kite delved into the technical aspects of the vulnerabilities in its own blog post.
“Dubbed ToolShell, this attack chain centers around CVE-2025-53770, a critical unauthenticated Remote Code Execution (RCE) vulnerability, and its counterpart CVE-2025-53771, a high-severity path traversal flaw. Together, these flaws give attackers a clean slate: no password guessing, no firewall breaches, yet full control. They can plant a web shell, steal cryptographic machine keys, forge trusted ViewState, and run arbitrary code, all in a single, silent operation. No user is ever touched,” Black Kite researchers posted.
Ferdi Gül, senior vulnerability researcher at Black Kite, offered some additional insight, calling the SharePoint CVE-2025-53770 vulnerability “the kind of vulnerability that makes me pause,” in an email statement shared with MES Computing, “[n]ot because it’s flashy, but because of how quietly it works.”
“One unauthenticated request to a SharePoint endpoint, and attackers can run arbitrary code as SYSTEM. No phishing. No credentials. No interaction. We started seeing in-the-wild exploitation by July 18. Microsoft moved fast and published the CVE a day later, and released fixes for SE, 2019, and even 2016 by July 21. But in many environments, that window was enough. It's already listed in CISA's KEV catalog, which tells us that attackers are already beyond experimentation. They're succeeding. In my view, this is a case study in how internal application logic can be turned into a weapon. And because it targets SharePoint, a system that sits at the center of document collaboration for so many enterprises, the blast radius is potentially huge,” he added.
He also offered advice: “If you're still running unpatched SharePoint, now is the time to act. Patch first. Then rotate your machine keys. If patching isn't an option yet, lock down access to ToolShell endpoints and watch your logs. In incidents like this, response speed matters. But visibility matters more. Because exploitation doesn't always come through the front door. Sometimes, it's the admin page no one thought to monitor.”
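The advice quoted above (patch, rotate machine keys, watch the logs) maps onto a short triage routine an administrator can run on each on-premises SharePoint server. The script below is an added example written for this page; it is not code from the article, Black Kite or Microsoft. It assumes it is run in an elevated SharePoint Management Shell on a server that has already received the July patches, that `Get-SPWebApplication` and `Update-SPMachineKey` are the farm cmdlets used for key rotation, that the LAYOUTS directory lives under hive 16 (SharePoint 2016, 2019 and Subscription Edition), and that IIS logging uses the default W3C fields including `cs-username`. The `-RotateKeys` switch, the `-LookbackDays` window and the "unauthenticated POST to /_layouts/ that returned 200" heuristic are choices made for this example, not identifiers from any advisory.

```powershell
# Added example for the ToolShell advice above; not the article's or vendor's code.
# Assumptions: elevated SharePoint Management Shell, server already patched,
# hive 16 LAYOUTS path, default IIS W3C log fields with cs-username present.
param(
    [string]$LayoutsDir  = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    [string]$IisLogRoot  = 'C:\inetpub\logs\LogFiles',
    [int]$LookbackDays   = 14,      # how far back to look for web shells and log hits
    [switch]$RotateKeys             # only pass this AFTER the security update is installed
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Web-shell check: the chain described above drops a web shell into LAYOUTS,
#    so any .aspx created or modified there recently deserves a look.
Write-Host "== .aspx files changed under LAYOUTS since $since"
Get-ChildItem -Path $LayoutsDir -Filter *.aspx -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

# 2. Log review: "one unauthenticated request" means cs-username is "-" in the IIS log.
#    Flag POSTs to /_layouts/ pages that succeeded without a user. Column positions
#    are read from each file's #Fields header rather than hard-coded.
$hits = foreach ($log in Get-ChildItem -Path $IisLogRoot -Filter *.log -File -Recurse -ErrorAction SilentlyContinue |
                         Where-Object { $_.LastWriteTime -gt $since }) {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-method']   -eq 'POST' -and
            $row['cs-uri-stem'] -match '/_layouts/' -and
            $row['cs-username'] -eq '-' -and
            $row['sc-status']   -eq '200') {
            [pscustomobject]@{
                When    = "$($row['date']) $($row['time'])"
                Client  = $row['c-ip']
                Uri     = $row['cs-uri-stem']
                Query   = $row['cs-uri-query']
                Referer = $row['cs(Referer)']   # $null if the field is not logged
                Log     = $log.Name
            }
        }
    }
}
Write-Host "== Successful unauthenticated POSTs to /_layouts/ since $since ($(@($hits).Count) hits)"
$hits | Sort-Object When | Format-Table -AutoSize

# 3. Key rotation. Stolen ASP.NET machine keys let an attacker forge ViewState even
#    on a patched server, so rotate them on every web application and recycle IIS
#    so the new keys are loaded. Do this only after patching, or the keys can be
#    stolen again.
if ($RotateKeys) {
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp   # assumed cmdlet/parameter for farm-wide rotation
    }
    & iisreset.exe
}
```

Run it first without `-RotateKeys` to review the web-shell and log findings, then again with `-RotateKeys` once the update is confirmed installed on every server in the farm (keys are farm-wide, so rotate from one server and let the timer job propagate). The log heuristic is deliberately broad: some anonymous-access sites legitimately answer unauthenticated POSTs under `/_layouts/`, so treat the output as a triage list to investigate, not a verdict, and narrow the `-match` to the endpoint paths your vendor advisory names once you have them.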