Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 328, Issue 5IT Vendor NewsResecurity

Sharepoint Zero-Day Exploit (Toolshell) - Network Infrastructure Mapping

Resecurity, Friday, August 1st, 2025

As reported by ISMG, nearly 150 different organizations' on-premises SharePoint servers have been exploited by attackers targeting the zero-day vulnerabilities now tracked as ToolShell. Early attacks have been attributed to China-linked groups, in some cases leading to Warlock ransomware infections.

Resecurity observed in-the-wild exploitation activity as early as July 17, 2025 prior to Microsoft's official advisory. The attackers have been chaining this vulnerability with previously patched flaws, CVE-2025-49704 and CVE-2025-49706, both of which were addressed in the July 8 Patch Tuesday release, with public PoC code emerging by July 14.

In addition to the technical exploitation, Microsoft has attributed the attacks to two named Chinese nation-state actors: Linen Typhoon and Violet Typhoon.

more →  ·  More from Resecurity →