Microsoft has linked a wave of SharePoint Server attacks to a China-based threat actor using a tool called ToolShell. The attackers exploited CVE-2025-53770, a critical remote code execution vulnerability in SharePoint Server, to gain unauthorized access to vulnerable systems—even after patches were released.
The campaign began as early as April 2025 and has affected more than 100 organizations, including government agencies, schools and energy companies.
This attack illustrates the dangers of persistent, strategic compromise. And it shows just how well-resourced and adaptive nation-state attackers can be—especially when defenders stick to the usual playbook.
A Closer Look at CVE-2025-53770
CVE-2025-53770 is a deserialization flaw in SharePoint Server with a critical CVSS rating of 9.8. It allows attackers to send a specially crafted request and run arbitrary code on the system. From there, they can deploy malware, access internal networks and maintain control for future operations.
What makes this more dangerous is that attackers are chaining this vulnerability with others—such as CVE-2025-49704 and CVE-2025-49706—to bypass security patches issued in May.
Once the foothold is established, even patched systems can remain compromised.
ToolShell Reappears
The campaign is driven by a modified version of ToolShell, a remote access trojan that’s been previously linked to Chinese espionage groups. In this case, ToolShell is integrated into SharePoint workflows, allowing attackers to blend into normal traffic, evade detection and operate freely inside the network.
Nation-State Attribution and a Growing Threat Landscape
Microsoft’s Threat Intelligence team has formally attributed the campaign to a China-based threat actor. But according to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, the threat has already expanded beyond a single source.
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,” Carmakal warned.
In other words, the window between state-sponsored discovery and broader criminal adoption is shrinking fast.
Gabrielle Hempel, Security Operations Strategist at Exabeam, sees clear echoes of the 2021 Exchange server attacks in this campaign. “Yet again, we’re seeing a Microsoft enterprise product exploited at scale, with self-hosted deployments as the primary point of failure,” she noted. “These environments generally remain low-hanging fruit due to patching delays and overexposed internal access.”
Hempel also emphasized the operational complexity of these attacks. “These attackers aren’t just out to steal data, but gain remote access, drop malware and move laterally. Organizations should be treating this as a full domain compromise event and not just a SharePoint-specific incident.”
Patching Isn’t Enough
This campaign underscores a frustrating but important truth in cybersecurity: patching alone is not enough. While Microsoft did release a patch for CVE-2025-53770, attackers already inside those systems could maintain persistence using other tools and chained exploits.
In some cases, attackers gained access before the patch was available. In others, organizations failed to patch quickly—or correctly—leaving them vulnerable. Once ToolShell is deployed, it’s not just about SharePoint anymore. It’s about what else attackers can reach from there.
What Organizations Need to Do Now
Microsoft and other experts recommend several immediate steps:
- Audit and isolate SharePoint servers, especially any exposed externally.
- Search for signs of ToolShell or unusual behavior in SharePoint logs and lateral traffic.
- Limit east-west movement, which is often invisible to perimeter-focused defenses.
- Treat this as a domain-wide incident, not a single application compromise.
As Hempel pointed out, many security teams lack visibility into SharePoint logs or internal network movement. “We will likely see ripple effects from breaches of this vulnerability across PCI, HIPAA, ISO 27001, NIST 800-171 and even DFARS/CMMC,” she warned.
Rethinking Hybrid Security
SharePoint’s widespread use and the mix of on-prem and cloud deployments make it a prime target. Many organizations have moved to cloud-based platforms, but legacy on-prem systems often remain in place—and underprotected.
This campaign is a reminder that defending hybrid environments requires more than patching and monitoring the perimeter. It demands real visibility, fast detection and a plan for persistence.
Nation-state attackers do not rely on zero-days alone. They leverage known flaws, chain exploits and adapt faster than most organizations can respond.
The compromise isn’t coming. For many, it’s already here.
