Nation-State Actors Weaponize New SharePoint Exploits in Multi-Wave Campaign

On July 18, 2025, researchers at Eye Security observed a new unauthenticated remote code execution exploit being used to compromise on-premises Microsoft SharePoint servers, dubbed Toolshell by Code White GmbH. The attack targeted nearly 400 servers in the initial wave and continued in subsequent waves, utilizing malicious ASPX backdoors to extract cryptographic MachineKeys for persistent access.

These vulnerabilities enable attackers to gain administrative access, deploy web shells, extract sensitive information, and maintain long-term control of infected SharePoint environments.

ToolShell chains together several flaws:

CVE‑2025‑49706: an authentication bypass (CVSS 6.5)
CVE‑2025‑49704: a code injection bug (CVSS 8.8)
CVE‑2025‑53770: a deserialization vulnerability (CVSS 9.8)
CVE‑2025‑53771: a path traversal bypass (CVSS 6.5)

Microsoft attributed activity to multiple nation-state actors, including Storm‑2603, Violet Typhoon (AKA APT31), and Linen Typhoon (AKA APT27), with targets spanning U.S. government agencies, universities, telecommunications, and energy firms. Attacks ramped up in mid-July and have continued into late July, often bypassing early mitigations.

Several of the IP addresses listed below (Table 2) have multiple exploitable vulnerabilities, which would further the theory that attackers used these already compromised systems to launch their attacks against SharePoint Servers. For instance:

Augur identified the IP address 95.179.158[.]42 as malicious more than 360 days ago.

‍

**Table 1**: IOC identified by Augur more than 360 days ago

‍

**Table 2**: IOCs of Vulnerable Servers Used to Attack SharePoint Servers

‍

**Table 3**: Malicious File Hashes Related to ToolShell (web shells, PowerShell script)

‍

Recommendations

Install patches for CVE-2025-53770 and CVE-2025-53771 immediately
Run SharePoint Server 2016, 2019, or Subscription Edition
Turn on Antimalware Scan Interface in Full Mode and deploy Microsoft Defender Antivirus
If AMSI can’t be enabled, disconnect the server from the internet or limit access via VPN/proxy
Deploy it or a similar solution to detect post-exploit activity.
After updates or enabling AMSI, rotate ASP.NET machine keys and restart IIS on all servers using PowerShell.
Deploy Augur for preemptive protection against emerging threats

‍

References

Microsoft SharePoint CVE-2025-49704 / 49706 / 53770: https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
SharePoint Under Siege: https://research.eye.security/sharepoint-under-siege/
Defending Against ToolShell: https://www.sentinelone.com/blog/defending-against-toolshell-sharepoints-latest-critical-vulnerability
CVE-2025-53770 and CVE-2025-53771: https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html
Everything You Need to Know: https://www.wiz.io/blog/sharepoint-vulnerabilities-cve-2025-53770-cve-2025-53771-everything-you-need-to-k‍
Customer guidance for SharePoint vulnerability CVE-2025-53770:https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/

‍