Microsoft SharePoint under attack, researcher emphasizes the role of data breach
In a concerning turn of events, a zero-day exploit targeting SharePoint, a popular web-based collaborative platform developed by Microsoft, has been actively used in the wild. This exploit, part of a chain nicknamed "ToolShell," bypassed Microsoft's security fixes released on Patch Tuesday, July 9, 2025.
Exploitation of the vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, allows unauthenticated remote code execution and spoofing on on-premises SharePoint servers. These CVEs are related to the previously disclosed vulnerabilities CVE-2025-49704 and CVE-2025-49706, for which Microsoft did not release any MAPP guidance.
The initial patches released by Microsoft on July 8, 2025, were bypassed, and exploitation began on July 7. Security providers, including ZDI, found that the fix for the authentication bypass in the initial patches was too narrow.
Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), stated that a leak happened, leading to the zero-day exploit in the wild. The Vietnamese researcher Dinh Ho Anh Khoa demonstrated an exploit for these CVEs at the Pwn2Own competition in Berlin on May 15, 2023, and won $100,000.
The Microsoft Active Protections Program (MAPP) gives select security vendors early access to vulnerability details, under strict non-disclosure agreements, before patches go public. There is concern that the leak that enabled attackers to bypass the patch may have originated from within this trusted circle or the related vendor ecosystem.
While there is no definitive public proof that MAPP is responsible, the timing and nature of the leak strongly suggest that early-shared vulnerability information was misused or leaked, enabling the rapid weaponization seen in the wild. By July 21, more than 400 organizations had been compromised by at least two Chinese state-sponsored crews, Linen Typhoon and Violet Typhoon, and a gang Microsoft tracks as Storm-2603. These crews were using the vulnerabilities to deploy ransomware.
Soroush Dalili was able to use Google's Gemini to help reproduce the exploit chain, suggesting other threat actors may have done the same. Microsoft disclosed the two SharePoint CVEs (CVE-2025-49704 and CVE-2025-49706) on July 8, 2023, after they were exploited en masse on July 7.
Eye Security sounded the alarm on July 18 about large-scale exploitation of a SharePoint remote code execution vulnerability chain. On July 19, Microsoft warned SharePoint Server users that three on-premises versions of the product contained a zero-day flaw under active attack.
In summary, the zero-day exploit bypassed Microsoft's official fixes, and active exploitation began shortly after Patch Tuesday 2025. Security researchers and Microsoft believe a leak occurred, possibly involving early-access vulnerability data shared under MAPP, which let attackers craft bypass exploits before or immediately after the patches dropped.
- The zero-day exploit, known as ToolShell, bypassed the SharePoint security fixes Microsoft released on Patch Tuesday, July 9, 2025. SharePoint is a popular web-based collaborative platform.
- Exploitation of the vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, allows unauthenticated remote code execution and spoofing on on-premises SharePoint servers; they are related to the previously disclosed vulnerabilities CVE-2025-49704 and CVE-2025-49706.
- Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), stated that a leak happened, leading to the zero-day exploit in the wild.
- Microsoft's Active Protections Program (MAPP) shares vulnerability details with select security vendors under strict non-disclosure agreements before patches go public, and there is concern that the leak enabling attackers to bypass the patch may have originated from within this trusted circle or the related vendor ecosystem.
- More than 400 organizations had been compromised by at least two Chinese state-sponsored crews and a gang Microsoft tracks as Storm-2603 by July 21, using these SharePoint vulnerabilities to deploy ransomware.