What to know about ToolShell, the SharePoint threat under mass exploitation

https://arstechnica.com/security/2025/07/what-to-know-about-toolshell-the-sharepoint-threat-under-mass-exploitation/

Dan Goodin Jul 23, 2025 · 5 mins read

Government agencies and private industry have been under siege over the past four days following the discovery that a critical vulnerability in SharePoint, the widely used document-sharing app made by Microsoft, is under mass exploitation. Since that revelation, the fallout and the ever-increasing scope of the attacks have been hard to keep track of.

What follows are answers to some of the most common questions about the vulnerability and the ongoing exploitation of it, which collectively is being called ToolShell by people tracking the activity.

What’s known so far

Question: What’s SharePoint?

Answer: SharePoint is server software that companies use for storing, managing, sharing, and collaborating on internal documents, typically from inside an organization’s intranet. Microsoft has been selling it since 2001. In 2020, Microsoft said that SharePoint had 200 million users. As of last year, more than 400,000 customer organizations used the software, with roughly 80 percent of them being Fortune 500 companies, according to IT jobs site Jobera.

Q: So, what’s the vulnerability?

A: The vulnerability, which is formally tracked as CVE-2025-53770, enables unauthenticated remote code execution on servers running SharePoint. The ease of exploitation, the damage it causes, and the ongoing targeting of it in the wild have earned it a severity rating of 9.8 out of a possible 10.

It allows unauthenticated attackers with no system rights to remotely execute malicious code. It was first spotted on Saturday by Eye Security. The security firm reported the vulnerability had been actively exploited in two waves starting a day earlier and had already compromised “dozens of systems” around the world. Eye Security raised the estimate to 400 compromised systems on Wednesday. Bloomberg reported that the US National Nuclear Security Administration's network was among the casualties.

On Tuesday, Microsoft said it unearthed evidence showing active exploitation began no later than July 7, meaning it was exploited as a zero-day, before Microsoft and defenders knew of the threat. The vulnerability affects only SharePoint systems customers run internally inside their organizations. There is no threat to users of Microsoft’s cloud-based SharePoint service.

Q: Who’s exploiting the vulnerability?

A: Microsoft said it observed active exploitation by three separate groups, all of which are connected to the Chinese government. Two of the groups were previously known to Microsoft. One of them—tracked under the name Linen Typhoon—performs espionage attacks for scooping up intellectual property. The second is Violet Typhoon, which performs more traditional forms of espionage.

The third group was previously not tracked and has been designated Storm-2603. Microsoft said it knew little about the group other than it has been linked to ransomware attacks in the past. So far, no one has ruled out the possibility that other groups—possibly from different governments or private crime syndicates—are also exploiting CVE-2025-53770.

Q: Why is the vulnerability being dubbed ToolShell?

A: ToolShell was the name given to a pair of vulnerabilities used in an exploit chain that was demonstrated at the Pwn2Own hacking competition in Berlin in May. The exploit was able to execute code on SharePoint servers without requiring authentication.

The name was coined by Dinh Ho Anh, a researcher from Khoa of Viettel Cyber Security, who developed the exploit. The researcher said he picked the name because it exploited ToolPane.aspx, a component for assembling the side panel view in the SharePoint user interface.

Anh’s attack was an authentication bypass that allowed the researcher to manipulate an insecure deserialization routine. Serialization is a coding process that translates data structures and object states into formats that can be stored or transmitted and then reconstructed later. Deserialization is the process in reverse.

Microsoft fixed the vulnerability pair—CVE-2025-49706 and CVE-2025-49704—two weeks ago as part of the company's monthly update release. As the world learned over the weekend, the patches were incomplete, a lapse that opened organizations around the world to the new attacks.

Q: What sorts of malicious things are attackers doing with these newer ToolShell exploits?

A: According to numerous technical analyses, the attackers first infect vulnerable systems with a webshell-based backdoor that gains access to some of the most sensitive parts of a SharePoint Server. From there the webshell extracts tokens and other sorts of credentials that allow the attackers to gain administrative privileges, even when systems are protected by multifactor authentication and single sign-on. Once inside, the attackers exfiltrate sensitive data and deploy additional backdoors that provide persistent access for future use.

For those who want more technical details, the opening volley in the attack is a series of POST web requests the attackers send to the ToolPane endpoint. The requests look like this:

Microsoft said these requests upload a malicious script named spinstall0.aspx, or alternatively spinstall.aspx, spinstall1.aspx, spinstall2.aspx, and so on. The script contains commands for retrieving a SharePoint server’s encrypted MachineKey configuration and returning the decrypted results to the attacker through a GET request.

Q: I maintain an on-premises SharePoint server. What should I do?

A: In short, drop whatever else you were doing and take time to carefully inspect your system. The first thing to look for is whether it has received emergency patches Microsoft released Saturday. Install the patch immediately if it hasn’t already been done.

Patching the vulnerability is only the first step, since systems infected through the vulnerability show few or no signs of compromise. The next step is to pore through system event logs in search of indicators of compromise. These indicators can be found in numerous writeups, including those from Microsoft and Eye Security (at the links above), the US Cybersecurity and Information Security Agency, and security firms SentinelOne, Akamai, Tenable, and Palo Alto Networks.
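The two request patterns the article describes (POSTs to the ToolPane endpoint, followed by a script named spinstall.aspx, spinstall0.aspx, spinstall1.aspx and so on) are the kind of thing the log review above is hunting for. The script below is an added example written for this page; it is not code from Ars Technica, Microsoft or any of the vendors named, and the IIS log excerpt it scans is constructed (the /_layouts/15/ path is SharePoint's standard layouts directory, the IP addresses are documentation ranges, and the usernames are made up). It reads the log's own #Fields: header so column positions are not assumed, flags the two patterns, and separately scans a directory for files named like spinstall*.aspx. The matching rules are this example's own heuristics; the vendor writeups remain the authoritative source for indicators.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Request patterns the article describes: POSTs to ToolPane.aspx open the
# attack, and a script named spinstall.aspx / spinstall0.aspx / spinstall1.aspx
# ... is then dropped and fetched. The names come from the article; the
# matching rules are this example's own assumption.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed IIS W3C log excerpt (not real data). The "-" in cs-username is
# how IIS records an anonymous request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice@corp.example 10.0.0.23 200
2025-07-18 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 200
2025-07-18 10:01:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 200
2025-07-18 10:02:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 bob@corp.example 10.0.0.31 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    method: str
    uri: str
    reason: str


def parse_iis_log(text):
    """Yield (line_no, record) pairs, taking field names from the #Fields:
    header instead of assuming column positions, since IIS field sets vary."""
    fields = None
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield n, dict(zip(fields, parts))


def find_toolshell_indicators(text):
    """Return a Finding for every record matching one of the two patterns."""
    findings = []
    for n, rec in parse_iis_log(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        ip = rec.get("c-ip", "?")
        anon = rec.get("cs-username", "-") == "-"
        if method == "POST" and TOOLPANE_RE.search(stem):
            who = "unauthenticated" if anon else "authenticated"
            findings.append(Finding(n, ip, method, stem, f"POST to ToolPane.aspx ({who})"))
        elif SPINSTALL_RE.search(stem):
            findings.append(Finding(n, ip, method, stem, "request for spinstall*.aspx"))
    return findings


def scan_for_spinstall_files(root):
    """Return paths (relative to root, POSIX style) of files named like spinstall*.aspx."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and SPINSTALL_RE.search("/" + p.name))


def demo_filesystem_scan():
    """Build a throwaway directory with constructed file names and scan it."""
    with tempfile.TemporaryDirectory() as d:
        layouts = Path(d) / "LAYOUTS"
        layouts.mkdir()
        (layouts / "default.aspx").write_text("<!-- benign stand-in -->")
        (layouts / "spinstall0.aspx").write_text("<!-- constructed stand-in, no payload -->")
        return scan_for_spinstall_files(d)


if __name__ == "__main__":
    for f in find_toolshell_indicators(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason} from {f.client_ip} ({f.method} {f.uri})")
    print("files on disk:", demo_filesystem_scan())
```

Authenticated users editing pages also POST to ToolPane.aspx, so the script labels each hit with whether the request was anonymous rather than treating every POST as a compromise; an unauthenticated POST followed by a fetch of spinstall0.aspx from the same client, as in the constructed excerpt, is the sequence worth escalating. Point the parser at the real IIS logs (and the filesystem scanner at the SharePoint layouts directory) and cross-check hits against the published indicator lists.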