Microsoft says Chinese threat actors started exploiting SharePoint zero-day vulnerabilities weeks before they were patched. However, details shared by the tech giant bring further confusion as to exactly which CVEs have been exploited.
An analysis conducted by the tech giant found that exploitation of the SharePoint zero-days named ToolShell started as early as July 7. The first public reports of attacks were triggered by exploitation attempts seen on July 18.
Some members of the cybersecurity industry have already attributed the first wave of ToolShell attacks to China, saying that high-value targets in various sectors had been hit.
However, Microsoft’s timeline suggests that Chinese hackers had known about the potential impact and value of the vulnerabilities much earlier than previously believed.
According to Microsoft, two Chinese state-sponsored threat actors tracked as Linen Typhoon and Violet Typhoon have attempted to use the ToolShell vulnerabilities for initial access. In addition, the company has seen a third threat group — named Storm-2603 and linked to China with medium confidence — conducting zero-day attacks.
Linen Typhoon has been around since 2012, stealing intellectual property from organizations in the defense, government, human rights and strategic planning sectors. Violet Typhoon is a cyberespionage group that has been around for a decade, targeting former military and government personnel, NGOs, universities, media companies, think tanks, financial firms, and other organizations in the US, Europe and East Asia.
In the ToolShell attacks seen by Microsoft, the hackers exploited vulnerabilities to bypass authentication and execute code on vulnerable on-premises SharePoint servers. The attackers then deployed a web shell that enabled the theft of machine keys and persistent access to the compromised system.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft said.
While Microsoft has shared some information on who was behind the zero-day attacks, its blog post brings further confusion in terms of which vulnerabilities have been exploited.
ToolShell is the name assigned to two SharePoint vulnerabilities, CVE-2025-49706 (spoofing issue) and CVE-2025-49704 (remote code execution flaw), whose existence was reported to Microsoft in May by researchers at the Pwn2Own Berlin hacking competition.
Microsoft fixed CVE-2025-49706 and CVE-2025-49704 with its July 2025 Patch Tuesday updates, and a few days later other researchers reproduced the exploit chain and dubbed it ToolShell.
When news of zero-day attacks broke, it had been reported by Microsoft and others that threat actors had targeted CVE-2025-53770, a CVE assigned to address a potential bypass of CVE-2025-49704. In addition, Microsoft assigned CVE-2025-53771 to address a bypass of CVE-2025-49706. The new CVEs were patched in impacted SharePoint versions in recent days.
Microsoft’s latest blog post says the attacks conducted by the Chinese hackers exploited CVE-2025-49706 and CVE-2025-49704 and does not clearly state that CVE-2025-53770 and CVE-2025-53771 have also been exploited.
Some cybersecurity firms suggest that they have seen attacks chaining CVE-2025-53770 and CVE-2025-53771, while others, including Microsoft, have not confirmed chaining.
At the time of writing, Microsoft’s official advisories only list CVE-2025-53770 as being exploited, while CVE-2025-49706, CVE-2025-49704 and CVE-2025-53771 are not flagged as exploited in the wild.
In addition, Microsoft’s latest blog post indicates that CVE-2025-53770 allows both authentication bypass and remote code execution, which would suggest that CVE-2025-53771 is not needed for an exploit chain.
The only cybersecurity firm that to date has confirmed for SecurityWeek that CVE-2025-53770 and CVE-2025-53771 have been chained in ToolShell attacks is WatchTowr.
The company not only confirmed chaining, but on Tuesday also reported a method of exploiting CVE-2025-53770 that bypasses the Antimalware Scan Interface (AMSI), the mitigation Microsoft recommends to customers who cannot immediately apply the patches. AMSI was also the mitigation recommended before patches were released for CVE-2025-53770 and CVE-2025-53771.
“AMSI was never a silver bullet, and this outcome was inevitable. But we’re concerned to hear that some organizations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea,” said WatchTowr CEO Benjamin Harris.
“Now that exploitation has been linked to nation-state actors, it would be naive to think they could leverage a SharePoint zero-day but somehow not bypass AMSI. Organizations must patch. Should go without saying – all the public PoCs will trigger AMSI, and mislead organizations into believing the mitigations are comprehensive/the host is no longer vulnerable. This would be incorrect,” Harris added.
More than 9,000 SharePoint instances were exposed to the web when news of the attacks broke, and hundreds of them were targeted in the first days.