Sharepoint Zero-Day Exploit (Toolshell) - Network Infrastructure Mapping
Resecurity, Friday, August 1st, 2025
As reported by ISMG, nearly 150 different organizations' on-premises SharePoint servers have been exploited by attackers targeting the zero-day vulnerabilities now tracked as ToolShell. Early attacks have been attributed to China-linked groups, in some cases leading to Warlock ransomware infections.
Resecurity observed in-the-wild exploitation activity as early as July 17, 2025 prior to Microsoft's official advisory. The attackers have been chaining this vulnerability with previously patched flaws, CVE-2025-49704 and CVE-2025-49706, both of which were addressed in the July 8 Patch Tuesday release, with public PoC code emerging by July 14.
In addition to the technical exploitation, Microsoft has attributed the attacks to two named Chinese nation-state actors: Linen Typhoon and Violet Typhoon.