What happened?
On 19 July 2025, Microsoft issued emergency security guidance to address a critical zero-day vulnerability affecting on-premises SharePoint Server products, tracked as CVE-2025-53770 (alongside a related issue, CVE-2025-53771). These vulnerabilities allow unauthenticated remote code execution, enabling attackers to gain elevated privileges on SharePoint servers through what Microsoft has termed the "ToolShell" campaign. Attackers can exploit this access to deploy ransomware across the entire SharePoint environment or modify and delete critical business data and workflows. Cloud-based SharePoint Online users are not thought to be affected by these vulnerabilities.[1]
Microsoft's Threat Intelligence team has confirmed active exploitation by what they assess to be Chinese nation-state actors including "Linen Typhoon", "Violet Typhoon", and "Storm-2603", alongside financially motivated cybercriminal groups.
Microsoft's internal teams and external researchers discovered that the vulnerability had been abused for several weeks before patches were made available. The exploitation enabled threat actors to access and modify sensitive data, deploy ransomware, and move laterally within enterprise networks.[2]
Rapid exploitation attempts were detected in multiple sectors worldwide, including financial services, healthcare, and education, posing a risk of data exfiltration and potentially compromising sensitive information such as patient medical records, proprietary research data, confidential trading algorithms, and classified business documentation.[3]
Adversary activity and tactics
Exploitation attempts involve:
- Deserialisation payloads & authentication bypass: Threat actors deploy specially crafted malicious payloads that exploit a "deserialisation" vulnerability in SharePoint's data processing mechanisms. This technique enables attackers to circumvent authentication protocols without requiring valid credentials, effectively bypassing established security controls.
- Upload of malicious ASPX files: Following initial compromise, threat actors navigate SharePoint directory structures to deploy custom ASPX web shell files. These files establish persistent access mechanisms, allowing continued system control and facilitating subsequent attack phases.
- Cryptographic secret extraction: Attackers extract critical cryptographic material, specifically the ValidationKey and DecryptionKey components that underpin SharePoint's authentication and encryption frameworks. These keys provide data integrity verification and content protection respectively. Compromise of these cryptographic secrets allows threat actors to authenticate themselves as legitimate users and decrypt protected data. Because the stolen keys remain valid after the patch is installed, organisations must rotate them immediately so that new ValidationKey and DecryptionKey pairs are generated and the previously compromised keys are invalidated.
- Data exfiltration and ransomware: Threat actors leverage elevated access to extract sensitive organisational data, including proprietary documentation and confidential records. Subsequently, many campaigns deploy ransomware payloads to encrypt organisational assets, typically followed by financial extortion demands.
- Nation-state involvement: Intelligence assessments indicate involvement of state-sponsored advanced persistent threat (APT) groups conducting strategic intelligence collection operations, targeting specific industry sectors for economic espionage and long-term surveillance objectives.
Impacted versions and updates
Organisations running the following SharePoint editions are susceptible:
So what?
Because SharePoint sits at the centre of many organisations' knowledge-sharing processes, successful exploitation can expose highly sensitive information and allow attackers deeper access to business-critical systems. This includes customer data, financial records, intellectual property, business plans, legal documents, employee records and personal information. The speed at which these vulnerabilities were weaponised highlights an urgent need for rapid updates and monitoring. Unpatched SharePoint instances are almost certainly lucrative targets for both sophisticated espionage campaigns and ransomware attacks.[4]
Key steps for businesses to take are as follows:
- Apply Microsoft patches immediately: Install out-of-band updates for SharePoint and ensure all related Windows Server components are current.[5]
- Rotate credentials and keys: If attackers have accessed SharePoint admin passwords or encryption keys, reset them promptly to prevent ongoing access.[6]
- Enable advanced logging: Monitor Unified Logging Service (ULS) logs and Windows Event Viewer for unusual uploads (e.g., newly created ASPX files) or suspicious requests to SharePoint endpoints, particularly those files matching the indicators of compromise patterns provided by Microsoft.[7]
- Implement network segmentation: Restrict SharePoint servers to limit lateral movement if attackers gain a foothold.
- Regular security exercises: Use red team exercises or table-top simulations to confirm that security teams can detect and respond to SharePoint compromises quickly.
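The logging recommendation above can be turned into a simple check: diff the ASPX files present under a SharePoint web root against a known-good inventory, then pull every IIS request that touched an unexpected file. This is an added example, not code from Microsoft or Mishcon; the web root, file names, IP addresses and log lines are constructed for illustration and are not indicators of compromise from the advisory.

```python
"""Flag newly appeared ASPX files under a SharePoint web root and the IIS
W3C log requests that hit them (added example; all data below is constructed)."""
from pathlib import PureWindowsPath

WEB_ROOT = PureWindowsPath(r"C:\inetpub\wwwroot\wss\VirtualDirectories\80")

# Known-good ASPX inventory captured from a clean build (constructed).
BASELINE_ASPX = {
    WEB_ROOT / "default.aspx",
    WEB_ROOT / "_layouts" / "15" / "settings.aspx",
}

# What is on disk now (constructed); the last entry is a hypothetical web shell.
CURRENT_ASPX = BASELINE_ASPX | {WEB_ROOT / "_layouts" / "15" / "hypothetical_shell.aspx"}

# Constructed IIS W3C log excerpt; column order is taken from the #Fields line.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:02:11 GET /default.aspx - 10.0.0.5 Mozilla/5.0 - 200
2025-07-19 10:05:42 POST /_layouts/15/hypothetical_shell.aspx - 203.0.113.7 python-requests/2.32 - 200
2025-07-19 10:05:50 GET /_layouts/15/hypothetical_shell.aspx - 203.0.113.7 python-requests/2.32 - 200
2025-07-19 10:06:03 GET /_layouts/15/settings.aspx - 10.0.0.5 Mozilla/5.0 - 200
"""

def unexpected_aspx(current, baseline):
    """ASPX files on disk that the known-good baseline does not account for."""
    return {p for p in current if p.suffix.lower() == ".aspx" and p not in baseline}

def to_url_stem(path, web_root=WEB_ROOT):
    """Map an on-disk path under the web root to the IIS cs-uri-stem form."""
    return "/" + path.relative_to(web_root).as_posix()

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines rather than misalign columns
                yield dict(zip(fields, values))

def requests_to_unexpected_files(log_text, current, baseline):
    """Return {uri-stem: [(timestamp, client ip, method, status), ...]} for unexpected ASPX files."""
    watch = {to_url_stem(p).lower() for p in unexpected_aspx(current, baseline)}
    hits = {}
    for rec in parse_w3c(log_text):
        stem = rec["cs-uri-stem"].lower()
        if stem in watch:
            hits.setdefault(stem, []).append(
                (rec["date"] + " " + rec["time"], rec["c-ip"], rec["cs-method"], rec["sc-status"]))
    return hits

if __name__ == "__main__":
    for stem, reqs in requests_to_unexpected_files(IIS_LOG, CURRENT_ASPX, BASELINE_ASPX).items():
        print(stem, *reqs, sep="\n    ")
```

In practice the baseline would come from a file inventory of a patched, freshly built farm, and the log text from the IIS log directory of each web front end.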
Mishcon Cyber Risk and Complex Investigation is an NCSC Cyber Incident Exercise Assured Service Provider, offering strategic cyber risk assessments that identify operational vulnerabilities and enhance organisational readiness for complex security incidents.
By applying timely security updates, closely watching logs, and adopting a layered defence strategy, organisations can reduce their exposure to these vulnerabilities and protect critical processes, data, and infrastructures.[8]