Sophisticated Chinese state actors exploit chain of vulnerabilities to steal cryptographic keys, deploy ransomware across government and corporate infrastructure
A critical zero-day vulnerability in Microsoft SharePoint Server has triggered one of the most significant cybersecurity incidents of 2025, with researchers confirming active exploitation across thousands of organizations worldwide since early July. The vulnerability, designated CVE-2025-53770 with a maximum CVSS score of 9.8, has enabled attackers to achieve unauthenticated remote code execution on on-premises SharePoint deployments, affecting government agencies, universities, energy companies, and telecommunications firms across North America, Europe, and Asia.
The vulnerability represents a sophisticated bypass of Microsoft's July 2025 patches for two previously disclosed SharePoint flaws: CVE-2025-49704 (remote code execution) and CVE-2025-49706 (authentication bypass). Security researchers have dubbed the exploit chain "ToolShell," originally demonstrated at the Pwn2Own Berlin competition in May 2025 by researchers from Viettel Cyber Security.
The attack exploits a weakness in how SharePoint Server handles the deserialization of untrusted data, allowing attackers to send crafted POST requests to the ToolPane.aspx endpoint with a spoofed Referer header claiming legitimacy from SharePoint's SignOut.aspx page. This authentication bypass enables attackers to upload malicious ASPX files, particularly a web shell named "spinstall0.aspx," which extracts critical ASP.NET machine keys (ValidationKey and DecryptionKey).
These stolen cryptographic keys are crucial for generating valid __VIEWSTATE payloads, effectively turning any authenticated SharePoint request into a remote code execution opportunity. The sophistication of this attack lies in its persistence mechanism: even after patching, attackers can maintain access using the stolen keys to forge legitimate authentication tokens.
Microsoft's analysis indicates that exploitation attempts began as early as July 7, 2025, with activity intensifying dramatically on July 18-19. The company has identified three distinct Chinese threat actors involved in the campaign: state-sponsored groups Linen Typhoon and Violet Typhoon, along with a China-based actor designated Storm-2603.
Storm-2603, which Microsoft tracks with moderate confidence as a China-based threat actor, has been observed deploying Warlock and LockBit ransomware since July 18. The group has a history of ransomware operations, though Microsoft notes uncertainty about its primary objectives in this campaign.
Check Point Research identified the first exploitation attempts targeting a major Western government on July 7, with attacks originating from IP addresses 104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147. Notably, one of these IP addresses was previously associated with exploitation of Ivanti Endpoint Manager Mobile vulnerabilities, suggesting coordinated infrastructure usage across multiple attack campaigns.
The scale of the compromise is unprecedented for a SharePoint vulnerability. Tens of thousands of SharePoint servers worldwide are at risk, according to security experts, with confirmed breaches affecting U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications company.
Shodan scanning reveals over 16,000 publicly exposed SharePoint servers worldwide, with the majority located in the United States (3,960), followed by Iran (2,488), Malaysia (1,445), the Netherlands (759), and Ireland (645). The Shadowserver Foundation identified 424 SharePoint servers still vulnerable to the exploit chain as of July 23, primarily in the United States, Iran, Germany, India, and China.
Eye Security and watchTowr have confirmed compromised servers belonging to 29 organizations, including multinational firms and government entities, with researchers observing "dozens" of actively exploited servers.
Microsoft initially struggled with patch deployment, first suggesting users modify or disconnect SharePoint servers from the internet before releasing a comprehensive patch for SharePoint Server 2016 on Sunday evening. By July 21, the company had released patches for SharePoint Server Subscription Edition and SharePoint Server 2019, with SharePoint Server 2016 patches following on July 22.
The patches address not only CVE-2025-53770 but also CVE-2025-53771, a related spoofing vulnerability, and provide "more robust protections" than the original July security updates. However, Microsoft acknowledged that two SharePoint versions initially remained vulnerable even after the first patch release.
Security teams should search for the primary indicator: creation of spinstall0.aspx files in SharePoint's layouts directory, along with variants like spinstall.aspx, spinstall1.aspx, and spinstall2.aspx. Additional indicators include the debug_dev.js file, used for storing PowerShell command output, and the SHA256 hash 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514.
CISA recommends organizations monitor for suspicious requests referencing the sign-out page /_layouts/SignOut.aspx, as this is the exact value of the spoofed Referer header used by threat actors when exploiting ToolPane.aspx for initial access.
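The two detection opportunities described above (a POST to ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx, and requests for the spinstall*.aspx or debug_dev.js web-shell files) can be checked against IIS W3C logs. The following is an added example, not code from the article or from any vendor; the log excerpt is constructed sample data, and the field order and file names are assumptions for the demonstration.

```python
import re
from pathlib import PurePosixPath

# Constructed IIS W3C log excerpt (sample data, not from a real server). The
# header line names the fields; "-" means the field was empty.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 03:12:44 GET /_layouts/15/start.aspx - 10.0.0.5 - 200
2025-07-18 03:14:02 POST /_layouts/15/ToolPane.aspx - 203.0.113.10 /_layouts/SignOut.aspx 200
2025-07-18 03:14:09 GET /_layouts/15/spinstall0.aspx - 203.0.113.10 - 200
2025-07-18 03:20:11 POST /_layouts/15/ToolPane.aspx - 10.0.0.7 https://intranet.example/_layouts/15/settings.aspx 200
2025-07-18 03:25:30 GET /_layouts/15/debug_dev.js - 203.0.113.10 - 200
"""

# Web-shell file names from the article: spinstall0.aspx and its
# spinstall.aspx / spinstall1.aspx / spinstall2.aspx variants, plus debug_dev.js.
WEBSHELL_NAME = re.compile(r"^(spinstall\d*\.aspx|debug_dev\.js)$", re.IGNORECASE)


def parse_iis_log(text):
    """Turn a W3C-format IIS log into a list of dicts keyed by field name."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def detect_toolshell(records):
    """Flag the two request patterns the article describes.

    1. A POST to ToolPane.aspx whose Referer points at /_layouts/SignOut.aspx
       (the spoofed header used for the authentication bypass).
    2. Any request for a file whose name matches a known web-shell indicator.
    """
    alerts = []
    for r in records:
        name = PurePosixPath(r["cs-uri-stem"]).name
        referer = r.get("cs(Referer)", "-")
        if (r["cs-method"] == "POST" and name.lower() == "toolpane.aspx"
                and referer.lower().endswith("/_layouts/signout.aspx")):
            alerts.append({"rule": "toolpane_signout_referer", "ip": r["c-ip"], "time": r["time"]})
        if WEBSHELL_NAME.match(name):
            alerts.append({"rule": "webshell_indicator", "ip": r["c-ip"], "file": name, "time": r["time"]})
    return alerts
```

A legitimate editor POST to ToolPane.aspx with an internal Referer (the fourth sample line) is deliberately not flagged, so the rule keys on the SignOut.aspx Referer rather than on the endpoint alone.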
CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20, with CVE-2025-49706 and CVE-2025-49704 added on July 22. The agency has mandated that federal civilian executive branch agencies apply mitigations immediately.
The vulnerability's impact extends beyond immediate compromise, as SharePoint connects with other Microsoft applications like Outlook, Teams, and OneDrive, potentially enabling broader network infiltration and data theft. Security researchers emphasize that affected organizations must both patch the vulnerability and rotate their cryptographic keys to prevent recompromise using stolen credentials.
SANS Institute researchers have characterized CVE-2025-53770 as "likely one of the most critical SharePoint vulnerabilities to date," recommending that organizations treat any on-premises SharePoint deployment as potentially compromised.
Microsoft recommends immediate deployment of security updates for all supported SharePoint versions, configuration of Antimalware Scan Interface (AMSI) integration, and deployment of Microsoft Defender Antivirus on all SharePoint servers.
Critically, organizations must rotate SharePoint Server ASP.NET machine keys after patching and restart Internet Information Services (IIS) on all SharePoint servers. For organizations unable to enable AMSI, Microsoft advises disconnecting SharePoint servers from the internet until patches can be applied.
Organizations should also disconnect public-facing versions of SharePoint Server that have reached end-of-life, such as SharePoint Server 2013 and earlier versions.
The SharePoint vulnerability exploitation represents a concerning trend of increasingly sophisticated supply chain and infrastructure attacks. Kaspersky researchers note similarities between CVE-2025-53770 and the older CVE-2020-1147 vulnerability, suggesting the new flaw may be an evolution of previously fixed SharePoint deserialization bugs.
The public availability of proof-of-concept exploit code on GitHub has lowered the technical barrier for both state-sponsored and financially motivated threat actors, with experts expecting continued widespread exploitation attempts.
This incident underscores the critical importance of rapid patch deployment and comprehensive security monitoring for internet-facing enterprise applications, particularly those handling sensitive organizational data like SharePoint deployments.
The most concerning breach involves the National Nuclear Security Administration (NNSA), the federal agency responsible for maintaining and developing the U.S. stockpile of nuclear weapons. According to officials, no classified information was compromised, with the Department of Energy confirming it was "minimally impacted" due to its widespread use of Microsoft 365 cloud services and robust cybersecurity systems. Only "a very small number of systems" were affected, with the NNSA taking "appropriate action to mitigate risk and transition to other offerings as appropriate."
The National Institutes of Health (NIH) was also compromised, with at least one Microsoft SharePoint server system affected. An internal NIH IT email indicated the agency's cybersecurity team was working to remediate the SharePoint attack.
Department of Homeland Security (DHS) components were breached, including potentially the Cybersecurity and Infrastructure Security Agency (CISA), Transportation Security Administration, Customs and Border Protection, and Federal Emergency Management Agency. DHS confirmed there was "no evidence of data exfiltration at DHS or any of its components at this time."
One eastern U.S. state official reported that attackers had "hijacked" a repository of public documents used to help residents understand how their government works, with the agency no longer able to access the material. This rare "wiper" attack alarmed officials in other states as word spread of potential data deletion beyond typical cryptographic key theft.
Arizona cybersecurity officials convened with state, local, and tribal officials to assess potential vulnerabilities and share information. The Multi-State Information Sharing and Analysis Center detected hundreds of vulnerable groups among state, local, territorial, and tribal governments.
Security researchers identified compromises spanning both commercial and government sectors, with Eye Security tracking more than 50 breaches, including at an energy company in a large state and several European government agencies.
By July 24, Eye Security estimated approximately 400 organizations had been breached, including government agencies, corporations, and other groups worldwide. Most victims were in the United States, followed by Mauritius, Jordan, South Africa, and the Netherlands.
Confirmed victims include universities, energy companies, and an Asian telecommunications company. Affected organizations span multiple sectors, including government, defense contractors, human-rights groups, non-governmental organizations, higher education, media, and finance companies.
The U.S. government and partners in Canada and Australia are investigating the compromise of SharePoint servers. Qatari government systems are believed to have been targeted, according to sources familiar with the matter.
CISA launched a "national coordinated response" immediately after identifying the vulnerability on Friday, working "around the clock with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures, and assess preventative measures."
The FBI and other agencies are investigating the compromise, with Microsoft issuing the final patches on July 22. Microsoft confirmed coordination "closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response."
The scale and sensitivity of the affected organizations have prompted unprecedented coordination between government agencies, with particular concern for the theft of machine keys that could enable persistent access even after patching.