Microsoft Allows China to Hack SharePoint
Microsoft says Chinese hacking groups exploited SharePoint vulnerability in attacks
On today's episode of this is why you pay attention to Patch Tuesday....
Chinese hackers exploited a Microsoft SharePoint zero-day vulnerability to breach and infiltrate roughly 100 organizations globally.
And it turns out Microsoft knew of the SharePoint security flaw but failed to effectively patch it. A hacker notified them in May.
Bruh.
First of all, why is it always China? Second of all, why is it always Microsoft?
Just one week ago, Microsoft pledged to stop using China-based engineers to support US defence operations. (A report came out suggesting that its cloud architecture could have exposed the Pentagon to China-backed cyberattacks.)
This is a developing story, but so far widespread attacks began on July 18th after it was demonstrated that two vulnerabilities, CVE-2025-49706 and CVE-2025-29704, could be chained for unauthenticated remote code execution on SharePoint Server instances.
In case you have heard the term "ToolShell" in the news, that's the name they gave the exploit chain.
The first attacks seen by SentinelOne were aimed at carefully selected targets, specifically organizations that appeared to have strategic value or elevated access.
I am suddenly very happy I do not work in critical infrastructure, manufacturing, tech consulting and professional services... oh wait.
Microsoft assigned two new CVEs (CVE-2025-53770 and CVE-2025-53771) to the vulnerabilities when the news first broke.
CVE-2025-53770 has been described as a critical deserialization issue that can be exploited by an unauthenticated attacker to execute code over the network. CVE-2025-53771 is a medium-severity path traversal flaw that allows an authenticated attacker to perform spoofing.
When chained together using a specially crafted request to the ToolPane functionality in SharePoint (used for website configuration and management), the pair can ultimately be used to execute arbitrary code.
Microsoft has since confirmed that the attack campaign is active and ongoing, with exploitation beginning as early as July 7 and escalating by July 18, when multiple threat intel firms observed real-world compromise attempts. The company attributes the activity to China-affiliated APTs, including Linen Typhoon, Violet Typhoon, and Storm-2603. So yes, if it sounds like a state actor op, that’s because it is.
The attackers are using ToolShell to bypass authentication, drop web shells, steal machine keys (which let them impersonate users or services), and set up long-term persistence across networks. Basically, once they're in, they’re not leaving quietly.
Somewhere between 8,000 and 9,000 SharePoint servers are believed to be exposed, according to threat researchers. Microsoft released patches for affected SharePoint versions (2016, 2019, and Subscription Edition), but… spoiler alert… attackers were already bypassing earlier fixes before the full scope was even disclosed.
So yes, it’s time for some post-exploitation cleanup. If you're running on-prem SharePoint, you’re going to need to:
Patch again, properly.
Rotate your machine keys.
Reset credentials.
Check for dropped web shells or suspicious ToolPane traffic.
And maybe, just maybe, ask yourself why your critical infrastructure still depends on 2016-era SharePoint servers exposed to the public internet.
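For the "check for suspicious ToolPane traffic" step, here is an added Python triage script (not from the original post or from any vendor tooling) that pulls anonymous requests to the ToolPane endpoint out of IIS W3C logs. The field layout and the sample log lines are constructed, and treating a blank cs-username as "unauthenticated" is an assumption about your IIS logging configuration.

```python
"""Triage IIS W3C logs for anonymous requests to SharePoint's ToolPane endpoint.

Added example, not from the original post. Assumes IIS default W3C logging
with a #Fields header; the field list and sample lines below are constructed.
An anonymous hit ('-' in cs-username) on ToolPane.aspx is worth a look
because the ToolShell chain is unauthenticated.
"""

# Constructed sample: two normal authenticated hits and one anonymous POST
# to ToolPane.aspx from an outside address with a scripting User-Agent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 200
2025-07-18 09:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 200
2025-07-18 09:15:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 python-requests/2.32 200
"""


def parse_w3c(text: str) -> list[dict]:
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can repeat mid-file after an IIS restart
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated or malformed lines
                records.append(dict(zip(fields, parts)))
    return records


def suspicious_toolpane_hits(text: str) -> list[dict]:
    """Anonymous requests to ToolPane.aspx: the footprint an unauthenticated chain leaves."""
    return [
        rec for rec in parse_w3c(text)
        if rec["cs-uri-stem"].lower().endswith("/toolpane.aspx")
        and rec["cs-username"] == "-"
    ]


if __name__ == "__main__":
    for rec in suspicious_toolpane_hits(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-method"],
              rec["cs-uri-stem"], rec["cs(User-Agent)"], "->", rec["sc-status"])
```

Point it at the real log directory and a single anonymous hit on ToolPane.aspx from an address you do not recognise is your cue to go looking for dropped web shells and to rotate machine keys.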
Sources:
https://www.reuters.com/sustainability/boards-policy-regulation/microsoft-knew-sharepoint-security-flaw-failed-effectively-patch-it-timeline-2025-07-22/
https://www.securityweek.com/toolshell-zero-day-attacks-on-sharepoint-first-wave-linked-to-china-hit-high-value-targets/
https://www.cnbc.com/2025/07/22/microsoft-sharepoint-chinese-hackers.html
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-toolshell-attacks-linked-to-chinese-hackers/