Saturday, February 14, 2026

17K+ SharePoint Servers Exposed, 840 Vulnerable to 0-Day Attacks

A massive cybersecurity crisis is affecting Microsoft SharePoint servers worldwide: over 17,000 servers are exposed to internet-based attacks, and 840 of them are specifically vulnerable to the critical zero-day vulnerability CVE-2025-53770.

This zero-day exploit, dubbed “ToolShell” by security researchers, carries a critical CVSS score of 9.8 and enables unauthenticated attackers to execute arbitrary code remotely on on-premises SharePoint servers.

The vulnerability has already been actively exploited since July 7, 2025, with investigators identifying at least 20 servers compromised with active webshells.

Microsoft has attributed these attacks to three Chinese threat actors: Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603, with over 400 victim organizations confirmed across multiple sectors including government, healthcare, finance, and education.

SharePoint Servers Exposed

The scope of the SharePoint attacks has reached the highest levels of U.S. government infrastructure, with several federal agencies confirmed as victims.

The National Nuclear Security Administration, responsible for maintaining America’s nuclear weapons stockpile, was breached through the SharePoint vulnerabilities, though no sensitive or classified information is believed to have been compromised.

Additional federal agencies impacted include the Department of Homeland Security, Department of Health and Human Services, and Department of Education.

State and local government agencies have also been significantly affected across the country.

The California Independent System Operator, which operates part of the state’s wholesale electric grid, was among the critical infrastructure entities compromised.

CISA has been working around the clock with Microsoft and impacted agencies to coordinate response efforts and implement protective measures.

The attacks exploit a sophisticated vulnerability chain that completely bypasses authentication by targeting SharePoint’s ToolPane endpoint.

Attackers send specially crafted POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a malicious Referer header pointing to /_layouts/SignOut.aspx, tricking SharePoint into treating the request as legitimate.

This bypass enables the deployment of malicious webshells, typically named “spinstall0.aspx” or a variant, which extract the server’s ASP.NET machine keys and so provide persistent access even after patching.

The integration of zero-day exploitation with ransomware deployment represents a significant evolution in threat actor capabilities.
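As an added illustration (not code from the article, Microsoft or CISA), the following Python script turns the two indicators described above into a log triage check: a POST to ToolPane.aspx in edit mode with a SignOut.aspx Referer, and any request for a spinstall0.aspx-style file. It assumes the default IIS W3C field order and runs over a constructed sample log.

```python
import re

# Assumed default IIS W3C field order; adjust to match the #Fields: line of your own logs.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# spinstall0.aspx and numbered variants, as named in the article.
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

def parse_line(line):
    """Split one space-delimited W3C log line into a dict keyed by field name."""
    return dict(zip(FIELDS, line.split(" ")))

def classify(entry):
    """Return a finding label for one log entry, or '' if nothing matches."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    referer = entry.get("cs(Referer)", "").lower()
    method = entry.get("cs-method", "").upper()
    # All three conditions together are the auth-bypass request pattern;
    # editing ToolPane.aspx alone is normal admin activity.
    if (method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
            and "displaymode=edit" in query and "/_layouts/signout.aspx" in referer):
        return "toolshell-auth-bypass"
    # Any hit on a spinstall*.aspx path suggests a dropped webshell being used.
    if WEBSHELL_RE.search(stem):
        return "webshell-access"
    return ""

def triage(log_text):
    """Scan a whole log, skipping # directives; return one finding per suspicious line."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        label = classify(entry)
        if label:
            findings.append({"label": label, "client": entry["c-ip"],
                             "path": entry["cs-uri-stem"]})
    return findings

# Constructed sample log (not real traffic); fields follow the assumed order above.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 https://sp.example.test/sites/hr 200 0 0 120
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 python-requests/2.32 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 310
2025-07-18 09:12:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 45
"""
```

A match is a lead for incident response, not proof of compromise on its own; confirm against the server’s file system and, since the webshell steals machine keys, treat any confirmed hit as requiring key rotation in addition to patching.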

Ransomware Deployment

The three Chinese threat groups involved demonstrate varying levels of sophistication and objectives.

Linen Typhoon (APT27), active since 2010, typically targets foreign embassies and organizations to collect intelligence on government, defense, and technology sectors.

Violet Typhoon (APT31), operational since 2012, specializes in intellectual property theft and espionage operations targeting former government personnel, NGOs, and educational institutions.

Most concerning is Storm-2603, a suspected China-based actor that has escalated beyond data theft to deploy Warlock ransomware on compromised systems.

This group uses advanced techniques including Mimikatz for credential harvesting and lateral movement tools like PsExec, and modifies Group Policy Objects to distribute ransomware across compromised environments.

Microsoft has released emergency patches for all supported SharePoint versions, but security experts stress that patching alone is insufficient: organizations must also rotate machine keys, enable the Antimalware Scan Interface (AMSI), and conduct comprehensive security assessments.

CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with an emergency remediation deadline, emphasizing the critical threat to national infrastructure.

With more than 9,300 SharePoint servers remaining exposed globally according to Shadowserver Foundation data, the threat landscape continues to evolve as additional threat actors adopt these powerful exploits.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.