Chinese state‑linked hackers have now been confirmed as the driving force behind the “ToolShell” attacks that are ripping through on‑premises Microsoft SharePoint servers, and Britain’s National Cyber Security Centre says a “limited number” of UK organisations have already been breached. Microsoft’s own threat‑intelligence team attributes the exploitation of CVE‑2025‑53770 and its twin, CVE‑2025‑53771, to three Beijing‑nexus groups—Linen Typhoon (APT31), Violet Typhoon (APT15) and Storm‑2603—whose operatives began scanning the internet on 7 July, pouncing on any server that hadn’t applied or had only partially applied July’s security updates. Once in, the attackers drop a 9 KB web shell, ToolShell.aspx, which steals SharePoint machine‑key material, forges authentication cookies and gives SYSTEM‑level control over the host before pivoting laterally into the wider Windows domain.
Eye Security telemetry and Microsoft logs show at least seventy‑five confirmed victims worldwide, spanning finance, defence, higher‑education and—crucially for UK readers—unnamed local public‑sector bodies. The NCSC told Reuters it is actively supporting domestic organisations hit by the campaign, and it has urged every administrator to patch “without delay or, if that is not possible, to remove the server from public exposure immediately.”
Microsoft has raced to close the door, publishing out‑of‑band patches for every supported on‑prem SharePoint build, yet timing still matters. Subscription Edition and SharePoint 2019 received fixes (KB 5002768 and KB 5002754/KB 5002753) on 19 July; Enterprise Server 2016 lagged until 22 July, when KB 5002760 and KB 5002759 finally arrived. The vendor warns that installing the update is only step one: administrators must rotate SharePoint’s ASP.NET machine keys with Update‑SPMachineKey, restart IIS and, ideally, enable AMSI‑based real‑time scanning to stop unauthenticated exploit traffic.
Until those steps are complete, a vulnerable server is a beacon. The public proof‑of‑concept exploit—released on GitHub within hours of Microsoft’s disclosure—needs a single SOAP request to succeed. Logs reveal the payload as a POST to /_layouts/15/ToolPane.aspx with the user‑agent string toolshell‑loader/1.3; following execution, attackers beacon to command‑and‑control infrastructure in the ranges 94.103.9.* and 193.23.181.*. On compromised hosts investigators routinely find the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx, confirmation that the machine‑key theft stage has already happened.
CISA’s inclusion of CVE‑2025‑53770 in its Known Exploited Vulnerabilities catalogue gives US federal agencies just forty‑eight hours to install or mitigate; UK critical‑national‑infrastructure operators will almost certainly find similar pressure flowing from the NCSC and sector regulators. For private firms the commercial risk is no less acute: once ToolShell lands, intruders have been observed deploying Cobalt Strike or Bughatch within hours, turning an espionage foothold into a ransomware staging area.
In practical terms the to‑do list is straightforward but urgent. Patch the correct KB for your SharePoint version, run the machine‑key rotation job, enable AMSI/Defender full mode, scour IIS logs for the indicator strings above and reset any credentials stored in web.config files. For any server that cannot be patched immediately—especially legacy 2010 and 2013 builds, which Microsoft no longer supports—the safest course is to pull it off the public internet and proxy necessary access through a VPN or reverse‑proxy that inspects inbound traffic.
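As an added illustration of the log triage the article recommends (this is not code from the article, from Microsoft or from Eye Security), the Python script below parses IIS W3C log lines and flags the indicators quoted above: a POST to /_layouts/15/ToolPane.aspx, the toolshell‑loader user‑agent, requests for the spinstall0.aspx or ToolShell.aspx web‑shell filenames, and client addresses inside the two reported ranges. It also looks for the dropped web shell in the LAYOUTS folder named in the article. The log rows are constructed sample data; the column layout follows the default IIS W3C field order, and reading the “*” in the two ranges as a /24 is an assumption.

```python
"""Triage helper for the ToolShell indicators: scan IIS W3C logs and the LAYOUTS folder."""
import ipaddress
import pathlib
from dataclasses import dataclass

# Indicators as the article reports them. Reading "94.103.9.*" as a /24 is an assumption.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
LOADER_UA = "toolshell-loader"
C2_NETWORKS = [ipaddress.ip_network("94.103.9.0/24"), ipaddress.ip_network("193.23.181.0/24")]
WEBSHELL_NAMES = {"spinstall0.aspx", "toolshell.aspx"}
LAYOUTS_DIR = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"

# Constructed sample log in the default IIS W3C field order; rows 4 and 5 mimic the reported pattern.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 03:12:41 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\alice 10.0.0.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 93
2025-07-18 03:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 94.103.9.17 toolshell-loader/1.3 - 200 0 0 412
2025-07-18 03:14:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 94.103.9.17 toolshell-loader/1.3 - 200 0 0 12
"""


@dataclass
class Finding:
    line_no: int
    reason: str
    client_ip: str
    raw: str


def in_c2_range(ip_text: str) -> bool:
    """True if ip_text parses as an address inside one of the reported C2 ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in C2_NETWORKS)


def parse_w3c(lines):
    """Yield (line_no, raw_line, record) for each data row, mapping columns via the #Fields header."""
    fields = None
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be mapped to columns
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misattribute columns
        yield n, line, dict(zip(fields, values))


def scan_iis_log(lines):
    """Return one Finding per matched indicator per row."""
    findings = []
    for n, raw, rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "").lower()
        ua = rec.get("cs(User-Agent)", "").replace("+", " ").lower()  # IIS encodes spaces as '+'
        cip = rec.get("c-ip", "")
        reasons = []
        if method == "POST" and stem == TOOLPANE_PATH:
            reasons.append("POST to ToolPane.aspx (reported exploit request)")
        if LOADER_UA in ua:
            reasons.append("user-agent contains '%s'" % LOADER_UA)
        if stem.rsplit("/", 1)[-1] in WEBSHELL_NAMES:
            reasons.append("request for a known web-shell filename")
        if in_c2_range(cip):
            reasons.append("client IP inside a reported C2 range")
        findings.extend(Finding(n, r, cip, raw) for r in reasons)
    return findings


def flag_webshell_names(filenames):
    """Pure helper: which of the given filenames match the dropped web-shell names."""
    return sorted(f for f in filenames if f.lower() in WEBSHELL_NAMES)


def find_dropped_shells(layouts_dir=LAYOUTS_DIR):
    """Look in the LAYOUTS folder for the dropped web shell; [] if the folder is absent."""
    p = pathlib.Path(layouts_dir)
    if not p.is_dir():
        return []
    return [str(p / name) for name in flag_webshell_names(f.name for f in p.iterdir())]


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason} [{f.client_ip}]")
    for path in find_dropped_shells():
        print("web shell present:", path)
```

Run it on a server by feeding the real files under the IIS log directory to scan_iis_log and leaving find_dropped_shells at its default path; a hit on the ToolPane POST or the web‑shell filename means the machine keys must be treated as compromised and rotated, not merely the patch applied.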
With Chinese state operators, a public proof‑of‑concept and thousands of UK‑hosted SharePoint instances still exposed, ToolShell has become the highest‑priority enterprise threat of the summer. The window to act is closing fast; the attackers have a head start, and every unpatched portal is an open invitation.