Hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunication service providers, and finance organizations.
The security flaw affects on-premise SharePoint servers and was disclosed as an actively exploited zero-day on July 20, after multiple hacking groups tied to China leveraged it in widespread attacks. Microsoft released emergency updates the following day.
The issue is a bypass for CVE-2025-49706 and CVE-2025-49704, two flaws that Viettel Cyber Security researchers had demonstrated at the Pwn2Own Berlin hacking competition in May, and can be leveraged remotely without authentication for code execution and full access to the file system.
Microsoft previously said that ToolShell was exploited by three Chinese threat groups, Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware.
In a report today, cybersecurity company Symantec, part of Broadcom, says that ToolShell was used to compromise various organizations in the Middle East, South America, the U.S., and Africa, and the campaigns leveraged malware typically associated with the Salt Typhoon Chinese hackers:
A telecommunications service provider in the Middle East
Two government departments in an African country
Two government agencies in South America
A university in the United States
A state technology agency in Africa
... continue reading