More information has emerged on the recent ToolShell zero-day attacks targeting Microsoft SharePoint Server instances, including on impacted organizations, the number of compromised servers, and the threat actors exploiting the vulnerabilities.
News of the ToolShell attacks emerged over the weekend, when Microsoft and security firms warned that SharePoint zero-day vulnerabilities had been exploited to hack servers. The tech giant rushed to release patches for impacted SharePoint versions that are still supported, but initially only mitigations were available and those have since been bypassed.
The first public reports of attacks followed exploitation attempts observed on July 18, but Microsoft revealed on July 22 that it had found evidence of ToolShell exploitation beginning as early as July 7, roughly one week before researchers publicly warned of the potential impact of the vulnerabilities.
Microsoft has seen attacks conducted by two Chinese state-sponsored cyberespionage groups, named Linen Typhoon and Violet Typhoon.
The company has also seen attack attempts by a threat actor it tracks as Storm-2603. This group, which Microsoft has linked to China with moderate confidence, has been observed deploying ransomware in ToolShell attacks conducted since July 18.
“Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the company said on Wednesday.
Over 400 SharePoint Server instances hacked; US government victims are named
Eye Security, the first cybersecurity firm to report seeing attacks, revealed on Wednesday that its researchers have scanned more than 23,000 SharePoint servers and determined that at least 400 of them were compromised across four attack waves carried out on July 17, July 18, July 19 and July 21.
Cybersecurity companies reported within days of the ToolShell attacks coming to light that US government agencies had been among the victims.
Several mainstream media publications have reported learning from sources that government organizations had been targeted, but the numbers range from four to over a dozen impacted agencies.
Some publications have named impacted agencies based on information from their sources. Nextgov learned that the Department of Homeland Security (DHS) was impacted, while Bloomberg learned that the Energy Department’s National Nuclear Security Administration was breached in a ToolShell attack, as well as the Education Department and some state government agencies.
The Washington Post reported that the Department of Health and Human Services’ National Institutes of Health (NIH) was also hit.
The scope of most of these breaches is still being assessed, the publications learned from sources, but the Nuclear Security Administration said it had found no evidence of sensitive or classified information getting compromised.
Confusion remains over which SharePoint vulnerabilities have been exploited
When news of the SharePoint zero-day attacks broke, it was widely reported that a remote code execution vulnerability tracked as CVE-2025-53770 had been exploited. It later came to light that it may have been chained with a spoofing flaw, CVE-2025-53771.
Microsoft assigned CVE-2025-53770 and CVE-2025-53771 after its patches for CVE-2025-49706 and CVE-2025-49704 were bypassed. CVE-2025-49706 and CVE-2025-49704 were disclosed in May at the Pwn2Own hacking competition and were patched by Microsoft on July 8, one day after the earliest exploitation Microsoft has reported.
In its blog post, Microsoft says it has seen exploitation of CVE-2025-49706 and CVE-2025-49704. However, the company’s advisories for these vulnerabilities, as well as for CVE-2025-53771, do not mention in-the-wild exploitation.
SecurityWeek has reached out to Microsoft and several cybersecurity firms for clarifications and to date only WatchTowr has confirmed seeing exploitation of both CVE-2025-53770 and CVE-2025-53771.
Several major companies, including Palo Alto Networks, SentinelOne, Google, Trend Micro, and CrowdStrike, could not confirm exploitation of CVE-2025-53771, despite some of their blog posts suggesting it.
Microsoft has refused to share any clarifications, but its latest blog post indicates that CVE-2025-53770 allows both authentication bypass and remote code execution, which would explain why CVE-2025-53771 may not be needed in attacks.