🚨 ToolShell Exploits in Microsoft SharePoint: A Wake-Up Call for IT and Security Leaders

In the months following Microsoft’s July 2025 patch, multiple China-linked threat groups—including Linen Typhoon, Violet Typhoon, and Salt Typhoon—have exploited CVE-2025-53770, a critical SharePoint vulnerability now known as “ToolShell” (thehackernews.com).

🔍 What we know:
- CVE-2025-53770 enables authentication bypass and remote code execution on on-prem SharePoint servers.
- Despite being patched, the flaw was rapidly weaponized in espionage campaigns targeting:
  - A telecom provider in the Middle East
  - Government agencies in Africa and South America
  - A U.S. university and a European finance firm (thehackernews.com)
- Attackers deployed tools like ShadowPad, Zingdoor, and KrustyLoader—indicating long-term persistence and credential theft objectives (thehackernews.com).
- Some campaigns also leveraged PetitPotam (CVE-2021-36942) for privilege escalation and domain compromise (thehackernews.com).

🧠 Why this matters:
- ToolShell is a case study in patch lag, threat actor agility, and the limits of perimeter defense.
- The flaw bypasses previous patches (CVE-2025-49704/49706), raising concerns about patch efficacy and regression testing.
- The breadth of targets—telecom, education, finance, and government—underscores the cross-sector risk of unpatched collaboration platforms.

💬 For CISOs, MSPs, and infrastructure leaders:
- Reassess your SharePoint exposure—especially on-prem deployments.
- Validate patch coverage and monitor for post-exploitation behaviors (DLL side-loading, credential theft, lateral movement).
- Strengthen vendor patch validation processes and threat intel integration.

This isn’t just a SharePoint issue—it’s a governance issue. How are we ensuring that patching, detection, and response are aligned across silos?
#CyberSecurity #SharePoint #ToolShell #CVE202553770 #PatchManagement #ThreatIntelligence #MSP #CISO #ZeroDay #InfrastructureResilience #VendorAccountability #SecurityOps #Governance Article Link - https://lnkd.in/gcDUA9St
ToolShell Exploit in SharePoint: A Security Wake-Up Call
More Relevant Posts
Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch

Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country.

According to Broadcom's Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution.

Stay connected for industry’s latest content – Follow Deepthi Talasila

#DevSecOps #ApplicationSecurity #AgenticAI #CloudSecurity #CyberSecurity #AIinSecurity #SecureDevOps #AppSec #AIandSecurity #CloudComputing #SecurityEngineering #ZeroTrust #MLSecurity #AICompliance #SecurityAutomation #SecureCoding #linkedin #InfoSec #SecurityByDesign #AIThreatDetection #CloudNativeSecurity #ShiftLeftSecurity #SecureAI #AIinDevSecOps #SecurityOps #CyberResilience #DataSecurity #SecurityInnovation #SecurityArchitecture #TrustworthyAI #AIinCloudSecurity #NextGenSecurity
https://lnkd.in/e9NTgkkv
🚨 ToolShell Exploits in Microsoft SharePoint: A Global Threat Landscape Unfolds 🌍

Chinese threat actors have weaponized the ToolShell vulnerability (CVE-2025-53770) in on-prem SharePoint servers, targeting critical infrastructure across four continents, including government agencies, universities, telecom providers, and finance firms.

🔍 Key Technical Insights:
- ToolShell is a zero-day RCE flaw that bypasses CVE-2025-49706 and CVE-2025-49704.
- Attackers used webshells for persistent access, followed by DLL side-loading of:
  🛠️ Zingdoor (Go-based backdoor)
  🐛 ShadowPad Trojan
  🦀 KrustyLoader (Rust-based loader)
  🧬 Sliver (post-exploitation framework)
- Legitimate executables from Trend Micro and BitDefender were abused for stealth.
- Credential dumping via ProcDump, Minidump, and LsassDumper.
- PetitPotam (CVE-2021-36942) used for domain compromise.
- Living-off-the-land tools included Certutil, GoGo Scanner, and Revsocks.

📊 Symantec’s report reveals a broader set of Chinese APTs involved than previously known, including Salt Typhoon, Budworm, Sheathminer, and Storm-2603.

🔐 This campaign underscores the urgency of patching vulnerable SharePoint instances and monitoring for lateral movement and post-exploitation frameworks.

#CyberSecurity #Infosec #ThreatIntel #APT #SharePoint #ToolShell #ZeroDay #RCE #Microsoft #DLLSideLoading #RustMalware #CredentialDumping #LivingOffTheLand #Symantec #BlueReport2025 #CVE2025 #SecurityOps #IncidentResponse #SOC #ThreatHunting
JUST IN: Hackers linked to Ch*na exploited a “patched” Microsoft SharePoint flaw to break into networks across four continents.

It wasn’t just spying. They found a way to bypass the patch that fixed a previous bypass.

What makes this campaign particularly insidious is the depth of the post-exploit chain: after the unauthenticated breach, attackers deploy web shells, target MachineKey values, and forge authentication tokens. Once inside, the infrastructure runs as trusted. The result is that "the breach doesn’t just grant access; it becomes a hidden residency."

For companies running broad-scale enterprise stacks, this exposure means even a *one-line exploit* can cascade into full-domain compromise.

For non-IT teams, the message is simple. If your server is internet-facing and unpatched, you aren’t just living with risk. You’re hosting it.

So, here are our recommendations:
1. Keep internet-facing servers fully patched within 24–48 hours of a security update and never expose admin panels or collaboration tools like SharePoint directly to the web.
2. Segment those systems behind VPN or zero-trust gateways, enforce multi-factor authentication, and monitor for web-shell or anomalous traffic activity.

Basically, treat every public-facing server as a potential breach entry, not a convenience.

https://lnkd.in/g4r6fev3
#auguryit #cysec
"There is some overlap in the types of victims and some of the tools used between this activity and activity previously attributed to Glowworm," Symantec said. "However, we do not have sufficient evidence to conclusively attribute this activity to one specific group, though we can say that all evidence points to those behind it being China-based threat actors." "The activity carried out on targeted networks indicates that the attackers were interested in stealing credentials and in establishing persistent and stealthy access to victim networks, likely for the purpose of espionage."
CVE ID: CVE-2024-30080
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in Microsoft SharePoint Server that could allow an authenticated attacker to execute arbitrary code on the affected server. This vulnerability requires an attacker to have Site Owner permissions or higher to exploit. No public exploit code or active exploitation is currently known. [Microsoft Advisory]
Severity Level: CVSS v3.1 Base Score: 8.8 (High)
Affected Products: Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019
Potential Impact: Successful exploitation could lead to complete compromise of the SharePoint server, including data exfiltration, unauthorized access, and disruption of services.
Recommended Mitigation Strategies:
- Immediately apply the security updates released by Microsoft. Ensure all SharePoint servers are patched to the latest versions.
- Implement strict access controls and regularly review permissions for SharePoint users, especially those with Site Owner roles.
- Monitor SharePoint logs for unusual activity or unauthorized access attempts.

Stay vigilant and prioritize these updates. Proactive defense is our strongest tool against such high-impact vulnerabilities. Share this to keep our community informed and secure!

Hashtags: #CVE #SharePoint #Microsoft #Vulnerability #RCE #Cybersecurity #PatchManagement #InfoSec
CVE ID: CVE-2024-30082
Title: Microsoft SharePoint Server Spoofing Vulnerability
Description: A spoofing vulnerability exists in Microsoft SharePoint Server. An attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server. This vulnerability does not require authentication, but successful exploitation requires user interaction. No public exploit code or active exploitation is known. [Microsoft Advisory]
Severity Level: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (5.4 Medium)
Affected Products: Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019
Potential Impact: Successful exploitation could allow an attacker to trick users into performing actions or disclosing sensitive information, leading to unauthorized access or data manipulation.
Recommended Mitigation Strategies:
- Apply the latest security updates released by Microsoft for SharePoint Server.
- Educate users about phishing and social engineering tactics.
- Implement strong authentication mechanisms and monitor for suspicious activity within SharePoint environments.

Stay vigilant and prioritize these updates. Proactive defense is our strongest tool against such high-impact vulnerabilities. Share this to keep our community informed and secure!

Hashtags: #CVE #SharePoint #Microsoft #Vulnerability #Spoofing #Cybersecurity #PatchManagement
CVE ID: CVE-2024-30080
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability
Description: A critical remote code execution vulnerability exists in Microsoft SharePoint Server. An authenticated attacker with Site Owner permissions or higher can exploit this by uploading a specially crafted file to the server. This vulnerability does not require user interaction beyond the file upload. Microsoft has not reported active exploitation or public exploit code at this time. [NVD]
Severity Level: CVSS: 8.8 (High)
Affected Products: Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019
Potential Impact: Successful exploitation could allow an authenticated attacker to execute arbitrary code with elevated privileges on the SharePoint server, leading to full system compromise, data exfiltration, or denial of service.
Recommended Mitigation Strategies:
- Immediately apply the security updates provided by Microsoft. For SharePoint Server Subscription Edition, update to the latest build. For SharePoint Server 2019, install the June 2024 Public Update.
- Regularly review and restrict user permissions, especially for Site Owners.
- Implement network segmentation to limit access to SharePoint servers.

Stay vigilant and prioritize these updates. Proactive defense is our strongest tool against such high-impact vulnerabilities. Share this to keep our community informed and secure!

Hashtags: #CVE #SharePoint #Microsoft #Vulnerability #RCE #Cybersecurity #PatchNow #InfoSec
🚨 Critical Security Alert: CVE-2025-53770 – SharePoint Under Active Attack

Microsoft has confirmed a critical Remote Code Execution (RCE) vulnerability impacting on-premises SharePoint Server — tracked as CVE-2025-53770 — and exploitation is already happening in the wild.

🔴 Severity: Critical (CVSS 9.8)
🕵️♂️ Impact: Allows unauthenticated attackers to execute code remotely
☁️ Not Affected: SharePoint Online (Microsoft 365)

🔥 Why this matters
SharePoint often sits at the heart of enterprise collaboration. Once compromised, attackers can gain a foothold to move across the network, steal data, deploy ransomware, and maintain persistence.

✅ What organizations must do now
🔹 Patch immediately – Apply the latest security updates on all on-prem SharePoint servers
🔹 Harden & monitor – Enable AMSI integration and verify endpoint protection is active
🔹 Assume breach & validate – Hunt for web shells and suspicious SharePoint activity
🔹 Rotate machine keys – Prevent attacker persistence even after patching

🧠 Final Thoughts
If your organization runs SharePoint Server on-prem, treat this as a top-priority incident. Speed of response is critical — patching alone is not enough without validation.

If you’d like, I can share a ready-to-use internal communication template for IT and security leaders, along with a technical checklist for SOC teams.

Stay safe, stay updated. 🔐

#cybersecurity #sharepoint #vulnerability #CVE2025 #infosec #patchnow #securityalert
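The "assume breach, then rotate machine keys" steps above, and the web-shell monitoring the other posts recommend, as an added PowerShell example that is not part of any post here and not Microsoft's own guidance script: it lists .aspx files recently written under the SharePoint LAYOUTS folder, then rotates the ASP.NET machine keys of every web application with Update-SPMachineKey and restarts IIS. It assumes an elevated SharePoint Management Shell on a farm server; the 16-hive path and the 7-day window are assumptions to adjust to your farm and last-update date.

```powershell
# Added example (not from the posts above): post-patch hygiene for on-prem SharePoint.
# Assumed: run elevated in the SharePoint Management Shell on a farm server.
param(
    # Assumption: anything written after the last product update is suspect.
    [int]$LookbackDays = 7,
    # Assumption: standard 16 hive (SharePoint 2016/2019/Subscription Edition).
    [string]$LayoutsPath = "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Hunt first, so evidence is preserved before anything is changed.
#    Pages under LAYOUTS should only change with product updates; a fresh .aspx
#    there is exactly what a dropped web shell looks like.
$since  = (Get-Date).AddDays(-$LookbackDays)
$recent = Get-ChildItem -Path $LayoutsPath -Filter *.aspx -Recurse -File |
    Where-Object { $_.LastWriteTime -gt $since -or $_.CreationTime -gt $since }

if ($recent) {
    Write-Warning "Recently written .aspx files under LAYOUTS; review them before continuing:"
    $recent | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Host "No .aspx files under LAYOUTS newer than $since."
}

# 2. Rotate the ASP.NET machine keys of every web application (Central Administration
#    included). Tokens or ViewState material derived from the old keys stop validating,
#    which is what makes patching alone insufficient when keys may already be known.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# 3. Recycle all worker processes so every server picks up the new keys.
iisreset.exe
```

Run the hunt section on every front-end server in the farm, not just the one where the key rotation is triggered, since a web shell may be present on only one host.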
ToolShell SharePoint vulnerability exploited after public disclosure and patch — global impacts and lessons

Last week security reporting confirmed that threat actors with ties to China exploited the ToolShell vulnerability in Microsoft SharePoint after it was publicly disclosed and patched in July 2025. The compromise affected a telecommunications company in the Middle East and also targeted government departments in an African country, government agencies in South America, a U.S. university, and, reportedly, a state technology organization. (Source: https://lnkd.in/gtV8mG2w)

Key takeaways
- Patch availability is only the first step. Even after a vendor patch and public disclosure, attackers often move quickly to exploit unpatched or poorly mitigated environments.
- Diverse targets show this is not sector-specific: critical infrastructure, public sector, academia, and private industry are all at risk.
- Rapid detection, containment, and recovery are essential to reducing impact once exploitation begins.

Practical recommendations
1. Prioritize and validate patches: Ensure all SharePoint instances (on-prem and cloud-adjacent integrations) are identified, prioritized, and patched. Validate successful deployments and monitor for drift.
2. Assume compromise and hunt: Use threat intelligence indicators tied to ToolShell and related TTPs to perform proactive threat hunting and log analysis.
3. Strengthen network segmentation: Limit lateral movement by isolating web-facing services and enforcing least privilege.
4. Improve detection and response: Tune EDR/XDR, SIEM and log collection for anomalous SharePoint activity; rehearse playbooks for web-app exploits.
5. Enforce multi-layered controls: MFA, endpoint protection, secure configurations, and regular backups will reduce blast radius and speed recovery.
6. Communicate and collaborate: Share indicators with peers, vendors, and relevant CERT/CSIRT teams; coordinate disclosures responsibly.

Final thought
This incident is a timely reminder that cybersecurity is a continuous process. Patching, while critical, must be paired with detection, resilience, and operational readiness. Organizations that combine rapid patch deployment with robust monitoring, segmentation, and incident response will be best positioned to reduce risk and recover faster.

Read more: https://lnkd.in/gtV8mG2w

#CyberSecurity #InfoSec #ThreatIntelligence #PatchManagement #MicrosoftSharePoint #IncidentResponse #ZeroTrust #CyberResilience #PublicSectorSecurity #Telecommunications #VulnerabilityManagement
CVE ID: CVE-2024-30046
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability
Description: A remote code execution (RCE) vulnerability exists in Microsoft SharePoint Server. An authenticated attacker with Site Owner privileges could upload a specially crafted file to the server, leading to arbitrary code execution in the context of the SharePoint application pool. This vulnerability requires authentication. There is no indication of active exploitation or publicly available exploit code at this time. [Microsoft Advisory]
Severity Level: CVSS v3.1 Base Score: 8.8 (High)
Affected Products: Microsoft SharePoint Server Subscription Edition, SharePoint Server 2019, SharePoint Server 2016.
Potential Impact: Successful exploitation could allow an authenticated attacker to execute arbitrary code on the SharePoint server, leading to full compromise of the server, including data theft, modification, or denial of service.
Recommended Mitigation Strategies:
- Apply the latest security updates released by Microsoft immediately. Ensure all SharePoint Server instances are patched to address CVE-2024-30046.
- Restrict Site Owner privileges to trusted users only and regularly review permissions.
- Implement network segmentation and monitor SharePoint environments for unusual activity.

Stay vigilant and prioritize these updates. Proactive defense is our strongest tool against such high-impact vulnerabilities. Share this to keep our community informed and secure!

Hashtags: #CVE202430046 #Microsoft #SharePoint #RCE #RemoteCodeExecution #CyberSecurity #PatchTuesday #InfoSec #Vulnerability