Bivash Nayak
28 Jul

⚠️ What Happened?

A massive, state-sponsored cyber campaign has been exploiting two critical zero-day vulnerabilities in on-premises Microsoft SharePoint servers. The campaign, which began around July 7, 2025, is targeting governments, defense contractors, and enterprise sectors across multiple countries. These zero-days — tracked as CVE-2025-53770 and CVE-2025-53771 — are being actively leveraged to deploy ToolShell malware, gain persistent access, and execute high-level espionage operations.


🧨 The Vulnerabilities

  • CVE-2025-53770 – Remote Code Execution via deserialization flaw in workflow services
  • CVE-2025-53771 – Authentication bypass allowing privilege escalation

Both flaws enable unauthenticated remote attackers to execute code and deploy malware with SYSTEM-level privileges.


🎯 Who’s Behind It?

Microsoft Threat Intelligence has attributed this coordinated exploitation to Chinese nation-state APT groups, namely:

  • Linen Typhoon (formerly Hafnium)
  • Violet Typhoon (linked to espionage in APAC & Europe)
  • Storm‑2603 (emerging actor using stealthy implants)

Their TTPs include:

  • Credential dumping
  • Deployment of custom backdoors
  • Key extraction for encrypted SharePoint traffic
  • Use of ToolShell, a living-off-the-land (LotL) remote shell

🌍 Global Impact

Affected sectors include:

  • Government agencies in the EU, APAC & North America
  • Critical infrastructure & defense suppliers
  • Large financial and legal enterprises

While no classified data exfiltration has been confirmed yet, attackers maintained long-term persistence and likely engaged in passive surveillance.


🔐 Recommended Immediate Actions

Both Microsoft and CISA urge admins to assume compromise and take the following steps immediately:

✅ Patch CVE-2025-53770 and CVE-2025-53771

✅ Rotate cryptographic keys and tokens used by SharePoint

✅ Enable AMSI (Antimalware Scan Interface)

✅ Isolate compromised SharePoint servers from internal networks

✅ Review logs for abnormal SharePoint process behavior


🧠 CyberDudeBivash Thoughts

This is not your average zero-day alert — this is a full-blown, targeted global espionage campaign. The use of ToolShell and the depth of lateral movement show how far these actors have evolved. If your org is running on legacy SharePoint instances, delay = danger. We recommend full system auditing and immediate incident response workflows.


📎 IOC Snippet (Sample)

  • File hash: a9f4e89ef12d86e1a1b6c9b...
  • Process: SharePointServiceHost.exe spawning cmd.exe
  • Remote IP: 45.23.191.103 (C2 beacon - ToolShell variant)
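The "review logs for abnormal SharePoint process behavior" step above and the process IOC in this snippet (SharePointServiceHost.exe spawning cmd.exe) can be turned into a simple hunt. The following is an added example written for this post, not code from the original article or from Microsoft/CISA: it parses constructed process-creation events (Sysmon Event ID 1 / Security 4688 style, flattened to CSV) and flags SharePoint-hosting processes that spawn a command shell. It goes slightly beyond the page's single IOC by also treating w3wp.exe, the IIS worker process that hosts SharePoint web applications, as a SharePoint parent; that addition and the sample paths are assumptions for illustration.

```python
import csv
import io

# Constructed sample events for this example; not real telemetry from any incident.
# Columns mirror the fields a process-creation event normally carries.
SAMPLE_EVENTS = """timestamp,host,parent_image,image,command_line
2025-07-19T02:14:07Z,SP01,C:\\Windows\\System32\\services.exe,C:\\SharePoint\\BIN\\SharePointServiceHost.exe,SharePointServiceHost.exe
2025-07-19T02:14:09Z,SP01,C:\\SharePoint\\BIN\\SharePointServiceHost.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe /c whoami
2025-07-19T02:15:11Z,SP01,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -NoProfile -Command Get-Process
2025-07-19T02:16:30Z,SP01,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\cmd.exe,cmd.exe
2025-07-19T02:17:45Z,SP01,C:\\Windows\\System32\\inetsrv\\w3wp.exe,C:\\Windows\\System32\\conhost.exe,conhost.exe
"""

# Parents that host SharePoint code. w3wp.exe (IIS worker process) is an assumption
# added here; the post itself only names SharePointServiceHost.exe.
SHAREPOINT_PARENTS = {"sharepointservicehost.exe", "w3wp.exe"}
# Children that a SharePoint service process has no normal reason to launch.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_events(text):
    """Parse CSV-flattened process-creation events into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_spawns(events):
    """Return every event where a SharePoint host process spawns a shell."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in SHAREPOINT_PARENTS and child in SHELL_CHILDREN:
            hits.append({"timestamp": ev["timestamp"], "host": ev["host"],
                         "parent": parent, "child": child,
                         "command_line": ev["command_line"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_spawns(parse_events(SAMPLE_EVENTS)):
        print(f"[ALERT] {hit['timestamp']} {hit['host']}: {hit['parent']} -> "
              f"{hit['child']} ({hit['command_line']})")
```

On a real server, feed the same function with exported Sysmon or Security-log events; any hit warrants treating the host as compromised per the guidance above.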

➡️ For the full list of IOCs, contact us directly or subscribe to our Threat Intel Pulse.


📢 Final Call — Don't Sleep on This One

As attackers move faster than ever, cyber resilience requires proactive patching, key hygiene, and modern EDR solutions. The ToolShell campaign is a brutal reminder that legacy systems are open doors to nation-state attackers. Stay safe, stay sharp.

CyberDudeBivash ⚔️

📍 www.cyberdudebivash.com
