China-Linked ToolShell SharePoint Attacks Hit Four Continents in 2025
Executive Summary
In 2025, a coordinated cyber-espionage campaign attributed to Chinese-state actors targeted organizations across government, academic, telecommunications, and finance sectors by exploiting the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint. Attackers gained initial access through unpatched SharePoint deployments, enabling lateral movement, exfiltration of sensitive data, and persistent covert access. Victims spanned four continents, highlighting the campaign's scale and impact on critical information flows and business operations. The attackers' use of encrypted communications and sophisticated toolsets complicated detection and eradication efforts, leading to material operational and reputational risks for affected entities.
This incident underscores a broader trend of supply chain and platform vulnerabilities being weaponized by advanced, nation-state groups. With the rapid disclosure of exploits and a proliferation of similar techniques, patch management and visibility into east-west traffic remain urgent enterprise priorities.
Why This Matters Now
ToolShell presents a severe, active risk due to the ease of exploitation and broad install base of SharePoint in regulated and critical sectors. Organizations face ongoing threats from sophisticated actors leveraging zero-day vulnerabilities, reinforcing the urgency for real-time detection, rapid patching, and comprehensive segmentation to mitigate risks to intellectual property and sensitive data.
Attack Path Analysis
The adversary exploited an unpatched SharePoint vulnerability (CVE-2025-53770), gaining initial access to targeted organizations' environments. Post-compromise, they escalated privileges on compromised systems, likely leveraging misconfigurations or credential theft. Attackers moved laterally across cloud and hybrid infrastructure, pivoting to sensitive systems. Persistent command and control was established using covert channels and encrypted communications to maintain access and issue commands. Data was exfiltrated to attacker-controlled infrastructure, employing techniques to evade detection and bypass outbound controls. The attack culminated in espionage-driven impact, including intellectual property and confidential data loss, without evidence of destructive activity.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the SharePoint ToolShell vulnerability (CVE-2025-53770) to gain a foothold within cloud-connected enterprise environments.
Related CVEs
CVE-2025-53770
CVSS 9.8A critical deserialization vulnerability in Microsoft SharePoint Server allows unauthenticated remote code execution via crafted HTTP requests.
Affected Products:
Microsoft SharePoint Server 2016 – All builds with the September 2023 security update or later
Microsoft SharePoint Server 2019 – All builds with the September 2023 security update or later
Microsoft SharePoint Server Subscription Edition – Version 23H2 or later
Exploit Status:
exploited in the wildReferences:
https://www.cisa.gov/news-events/alerts/2025/07/20/cisa-adds-one-known-exploited-vulnerability-cve-2025-53770-toolshell-cataloghttps://www.microsoft.com/en-us/msrc/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/https://www.zscaler.com/blogs/security-research/cve-2025-53770-zero-day-exploit-impacts-microsoft-sharepoint-servicesCVE-2025-49704
CVSS 9.8A remote code execution vulnerability in Microsoft SharePoint Server due to improper handling of deserialized data.
Affected Products:
Microsoft SharePoint Server 2016 – All builds prior to May 2025 security update
Microsoft SharePoint Server 2019 – All builds prior to May 2025 security update
Microsoft SharePoint Server Subscription Edition – All builds prior to May 2025 security update
Exploit Status:
exploited in the wildCVE-2025-49706
CVSS 9.8A remote code execution vulnerability in Microsoft SharePoint Server due to improper validation of user input.
Affected Products:
Microsoft SharePoint Server 2016 – All builds prior to May 2025 security update
Microsoft SharePoint Server 2019 – All builds prior to May 2025 security update
Microsoft SharePoint Server Subscription Edition – All builds prior to May 2025 security update
Exploit Status:
exploited in the wildCVE-2025-53771
CVSS 4.3A spoofing vulnerability in Microsoft SharePoint Server allows an authenticated attacker to perform spoofing over a network.
Affected Products:
Microsoft SharePoint Server 2016 – All builds with the September 2023 security update or later
Microsoft SharePoint Server 2019 – All builds with the September 2023 security update or later
Microsoft SharePoint Server Subscription Edition – Version 23H2 or later
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: PowerShell
Valid Accounts
Exploitation for Privilege Escalation
Indicator Removal on Host: File Deletion
Remote Services: SMB/Windows Admin Shares
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Public-Facing Applications
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
NIS2 Directive – Incident Handling and Vulnerability Disclosure
Control ID: Article 21(2)(d)
CISA ZTMM 2.0 – Continuous Vulnerability Assessment and Patch Management
Control ID: 1.7
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
SharePoint ToolShell attacks specifically targeted government agencies, creating critical vulnerabilities in zero trust segmentation and encrypted traffic protection across nation-state espionage campaigns.
Higher Education/Acadamia
Universities face direct targeting from China-associated hackers exploiting SharePoint vulnerabilities, compromising multicloud visibility and egress security for sensitive research data protection.
Telecommunications
Telecommunication service providers targeted by nation-state actors require enhanced east-west traffic security and threat detection capabilities to prevent lateral movement and infrastructure compromise.
Financial Services
Finance organizations under attack need strengthened Kubernetes security and inline IPS protection against sophisticated SharePoint exploitation enabling data exfiltration and regulatory compliance violations.
Sources
- Sharepoint ToolShell attacks targeted orgs across four continentshttps://www.bleepingcomputer.com/news/security/sharepoint-toolshell-attacks-targeted-orgs-across-four-continents/Verified
- CISA Adds One Known Exploited Vulnerability, CVE-2025-53770 “ToolShell,” to Cataloghttps://www.cisa.gov/news-events/alerts/2025/07/20/cisa-adds-one-known-exploited-vulnerability-cve-2025-53770-toolshell-catalogVerified
- Customer guidance for SharePoint vulnerability CVE-2025-53770https://www.microsoft.com/en-us/msrc/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/Verified
- CVE-2025-53770: Critical SharePoint RCE Actively Exploitedhttps://infodefenders.com/blog/cve-2025-53770/Verified
- Microsoft Ties SharePoint Exploits To China-Backed ToolShell Grouphttps://www.forbes.com/sites/tonybradley/2025/07/23/microsoft-ties-sharepoint-exploits-to-china-backed-toolshell-group/Verified
- CVE-2025-53770 | ThreatLabzhttps://www.zscaler.com/blogs/security-research/cve-2025-53770-zero-day-exploit-impacts-microsoft-sharepoint-servicesVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Implementing Zero Trust segmentation, east-west traffic security, multicloud visibility, and egress policy enforcement would have significantly limited the adversary's ability to exploit vulnerabilities, move laterally, issue remote commands, and exfiltrate sensitive data at each stage of the attack.
Control: Cloud Firewall (ACF)
Mitigation: Blocked known exploit signatures and unauthorized inbound connections.
Control: Multicloud Visibility & Control
Mitigation: Alerted and logged anomalous privilege enhancements and access grants.
Control: Zero Trust Segmentation
Mitigation: Prevented unauthorized inter-service and inter-region traffic, containing attacker movement.
Control: Threat Detection & Anomaly Response
Mitigation: Detected and alerted on suspicious command and control traffic patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Stopped or contained unauthorized outbound data transfers.
Reduced operational impact by isolating compromised assets and halting attacker pivoting.
Impact at a Glance
Affected Business Functions
- Document Management
- Collaboration Platforms
- Internal Communications
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive internal documents and communications due to unauthorized access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- • Patch and monitor all externally exposed collaboration applications (e.g., SharePoint) and validate cloud-native firewall enforcement at ingress.
- • Implement Zero Trust segmentation with identity-aware policy to limit lateral movement and restrict internal service communications.
- • Enforce cloud egress policies with granular filtering and real-time anomaly detection to block unauthorized data transfers.
- • Deploy continuous multicloud visibility solutions to monitor and respond to privilege escalation, suspicious activities, and policy violations.
- • Integrate east-west traffic security and threat detection controls for comprehensive defense against modern espionage threats leveraging encrypted and covert channels.
