A campaign exploiting critical Microsoft SharePoint vulnerabilities has escalated from suspected espionage to include ransomware deployment, hitting hundreds of organizations worldwide. Government agencies and critical infrastructure providers are among the victims as multiple threat groups race to exploit unpatched systems.
How the ToolShell Attack Works
The attacks began with vulnerabilities discovered earlier this year in SharePoint’s on-premises servers. Security researchers dubbed the attack method “ToolShell” because it chains together multiple flaws to achieve remote code execution. Microsoft’s investigation reveals threat actors were attempting to exploit these vulnerabilities as early as July 7, 2025.
The attack leverages four critical vulnerabilities:
- CVE-2025-49704: Remote code execution (CVSS 8.8)
- CVE-2025-49706: Spoofing vulnerability (CVSS 6.3)
- CVE-2025-53770: Zero-day RCE bypass (CVSS 9.8)
- CVE-2025-53771: Zero-day spoofing bypass (CVSS 6.5)
These vulnerabilities only affect on-premises SharePoint servers, leaving SharePoint Online and Microsoft 365 cloud services unaffected.
Attackers begin by sending a crafted POST request to SharePoint’s vulnerable ToolPane endpoint, uploading a malicious script called spinstall0.aspx. Variations include spinstall1.aspx and spinstall2.aspx. This web shell steals the server’s machine keys (cryptographic keys that SharePoint uses to validate authentication tokens and protect data). Once attackers obtain these keys, they can maintain access even after the vulnerabilities are patched.
Widespread Impact and High-Profile Victims
The scope has grown rapidly. Security experts initially suggested that a single group was behind the attack, but Microsoft’s investigation has since identified multiple distinct threat actors exploiting the vulnerabilities:
- Linen Typhoon: A suspected Chinese nation-state group focused on intellectual property theft
- Violet Typhoon: Another suspected Chinese group targeting government and military personnel
- Storm-2603: A group Microsoft assesses with moderate confidence to be China-based, which has begun deploying ransomware
The campaign has exposed more than 8,000 SharePoint servers to potential compromise. Of these vulnerable systems, Eye Security reports over 400 systems had been actively compromised, up from around 100 organizations identified just days earlier.
The victim list includes some of the most sensitive government agencies. The National Nuclear Security Administration (the agency responsible for maintaining nuclear weapons) was among those hit. The Department of Energy confirmed minimal impact with a “very small number of systems” affected. The National Institutes of Health had at least one SharePoint server compromised, and attackers attempted to access Fermi National Accelerator Laboratory’s SharePoint servers.
Multiple federal agencies were affected, with reports suggesting more than five to 12 agencies were compromised, including the Department of Homeland Security. In several cases, hackers altered or deleted public documents stored on government websites.
Storm-2603 Deploys Ransomware
On July 18, the campaign escalated when Storm-2603 began deploying Warlock ransomware. Their attack pattern follows a clear progression:
- Initial access via SharePoint vulnerabilities
- Credential theft using Mimikatz to extract passwords from memory
- Lateral movement with tools like PsExec and Impacket
- Ransomware deployment by modifying Group Policy Objects
The group has used both Warlock and LockBit ransomware in previous campaigns.
Warlock Ransomware Details
Warlock is a ransomware-as-a-service operation that emerged in June 2025. The group made its debut on Russian cybercrime forums with ads titled “if you want a lamborghini, please call me.”
Since emerging in June, Warlock has claimed responsibility for attacking 19 victims across government, finance, manufacturing, technology and consumer goods sectors. Ransomware gangs are hunting organizations that have yet to patch their vulnerable SharePoint servers, targeting sectors including education, health care, transportation, technology and finance.
Microsoft assesses with high confidence that additional threat actors will continue integrating these exploits into their attacks against unpatched systems.
What Organizations Need to Do
Microsoft has released security updates for all supported SharePoint versions, but patching alone isn’t enough. The company recommends several additional steps:
- Apply security updates immediately
- Enable AMSI integration with full mode protection
- Rotate machine keys before and after patching
- Restart IIS services on all SharePoint servers
- Deploy strong endpoint protection
The machine key rotation is critical. Since attackers steal these keys early in their campaigns, organizations need to invalidate any compromised cryptographic material.
The Cybersecurity and Infrastructure Security Agency added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, giving federal agencies until July 21 to patch their systems. CISA also recommends organizations scan for specific IP addresses associated with the attacks: 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147.
Organizations running on-premises SharePoint should apply all available patches immediately, rotate ASP.NET machine keys using PowerShell or Central Administration, restart IIS on all SharePoint servers after key rotation, and enable detailed logging to detect ongoing activity. Even patched systems should be treated as potentially compromised and undergo thorough security assessments.
