ToolShell Exploit: Critical SharePoint Zero-Day Threatens Global Enterprises
Aug. 15, 2025, 12:38 p.m.
Description
A zero-day exploit chain named 'ToolShell' is actively targeting on-premises Microsoft SharePoint servers worldwide, potentially affecting thousands of organizations. The attack leverages two critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution and steal cryptographic keys, enabling persistent access even after patches are applied. The threat has evolved to use an in-memory payload, making traditional detection methods unreliable. Chinese state-sponsored threat actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, have been exploiting these vulnerabilities since July 7, 2025. The campaign's impact is significant, with nearly 5% of scanned organizations vulnerable and over 400 confirmed victims.
Tags
Date
- Created: Aug. 14, 2025, 10:16 p.m.
- Published: Aug. 14, 2025, 10:16 p.m.
- Modified: Aug. 15, 2025, 12:38 p.m.
Indicators
- 30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27
- 3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997
- 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
- 8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2
- 188.130.206.168
- 45.191.66.77
- 206.166.251.228
- 96.9.125.147
Attack Patterns
- ToolShell
- Linen Typhoon, Violet Typhoon, Storm-2603