Comment: Here we go again. Another major Microsoft attack, with this one seeing someone — most likely government-backed hackers — exploiting a zero-day bug in SharePoint Server that Redmond failed to fix.
Late Saturday, Microsoft warned it was “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”
The flaw, a critical, 9.8-rated remote code execution vulnerability tracked as CVE-2025-53770, is a variant of CVE-2025-49706, which Microsoft disclosed and attempted to fix in its July Patch Tuesday event. Exploits abusing the security hole, now being called “ToolShell” by infosec experts, allow attackers to fully take over SharePoint Servers, including file systems and internal configurations, and execute code over the network.
“Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Unit 42 CTO and head of threat intel Michael Sikorski told The Register.
The vuln affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. As of Monday, 2016 still doesn’t have a fix.
The Register asked Microsoft when it would patch SharePoint Enterprise Server 2016 and who is responsible for the attacks, and a spokesperson told us that the software giant has “nothing further to share beyond the blog post at this time.”
By Sunday, the US Cybersecurity and Infrastructure Security Agency sounded the alarm on the ToolShell attacks, added the CVE to its Known Exploited Vulnerabilities catalog, and instructed all US federal civilian executive branch agencies to identify potentially affected systems and to apply mitigations by July 21. By Monday, the UK’s National Cyber Security Centre disclosed a “limited number” of British organizations under attack.
All of these actions, however, are too late as miscreants have already abused the vulnerability to steal sensitive information from governments, telecommunications, education, critical infrastructure, and software companies across the globe, according to security researchers.
It’s probably going to get much worse.
US Senator Ron Wyden (D-OR), a frequent critic of Microsoft and the tech industry in general, decried Redmond’s lackadaisical response to the incident so far: “Government agencies have become dependent on a company that not only doesn’t care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products. Each hack caused by Microsoft’s negligence results in increased government spending on Microsoft cybersecurity services. The government will never escape this cycle unless it stops rewarding Microsoft for its negligence with bigger and bigger contracts.”
July 7 attack targeted ‘major Western govt’
Qualys on Monday noted that a Fofa search revealed more than 205,000 exposed SharePoint hosts, indicating hundreds of thousands of potentially vulnerable instances.
Check Point Research spotted the first signs of the exploitation on July 7, and says the attackers targeted a “major Western government.”
Attacks intensified on July 18 and 19, using infrastructure linked to three IP addresses: 104.238.159.149, 107.191.58.76, and 96.9.125.147.
One of these IPs (104.238.159.149) was also connected to a rash of exploit attempts against two Ivanti zero-days, CVE-2025-4427 and CVE-2025-4428, that can be chained to achieve unauthenticated remote code execution (RCE). Suspected Chinese spies were behind at least some of the Ivanti attacks, and while we don’t yet know who is responsible for the new Microsoft breaches, multiple security experts told us that all signs point to another nation-state attack.
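A first-pass check a defender can run against IIS access logs for the three source addresses named above, written as an added example (not code from The Register or from any vendor quoted in the piece). The log lines are constructed for illustration and use the IIS W3C extended format; only the IP list comes from the article. A source-IP match is a prompt to investigate, and an empty result does not clear a server, which is why the piece's "assume compromise" advice still applies.

```python
"""Flag web-server log lines from the source IPs reported in the ToolShell
coverage. Added example; the sample log is constructed, the IP list is from
the article. Matching on source IP is a coarse triage step, not proof of
compromise or of its absence."""

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Source IPs the article links to the July 18-19 exploitation activity.
REPORTED_IPS = frozenset({
    "104.238.159.149",
    "107.191.58.76",
    "96.9.125.147",
})


@dataclass(frozen=True)
class Hit:
    line_no: int
    client_ip: str
    method: str
    uri_stem: str
    status: str


def _valid_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def scan_w3c_log(lines: Iterable[str], watch: frozenset = REPORTED_IPS) -> List[Hit]:
    """Walk W3C extended log lines (the IIS default). Column positions are
    read from the '#Fields:' directive, so the scan does not depend on a fixed
    field order. Every data line whose c-ip is in `watch` becomes a Hit."""
    fields: Dict[str, int] = {}
    hits: List[Hit] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                names = line[len("#Fields:"):].split()
                fields = {name: i for i, name in enumerate(names)}
            continue
        if not fields:
            # Data before any #Fields directive cannot be interpreted safely.
            continue
        cols = line.split(" ")

        def col(name: str) -> str:
            idx = fields.get(name)
            return cols[idx] if idx is not None and idx < len(cols) else "-"

        client_ip = col("c-ip")
        if not _valid_ip(client_ip) or client_ip not in watch:
            continue  # skips unparseable lines and non-watched sources alike
        hits.append(Hit(line_no, client_ip, col("cs-method"), col("cs-uri-stem"), col("sc-status")))
    return hits


def count_by_ip(hits: Iterable[Hit]) -> Dict[str, int]:
    """Summarise hits per source address for a quick triage view."""
    return dict(Counter(h.client_ip for h in hits))


# Constructed sample log (hypothetical server, paths and timestamps).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 03:12:44 10.0.0.5 GET /sites/team/default.aspx - 443 - 10.0.0.77 Mozilla/5.0 200 0 0 31
2025-07-18 03:15:09 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 104.238.159.149 Mozilla/5.0 200 0 0 118
2025-07-18 03:16:30 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 96.9.125.147 python-requests/2.31 403 0 0 12
garbage line with no columns
2025-07-18 03:17:01 10.0.0.5 GET /sites/team/default.aspx - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 22
"""

if __name__ == "__main__":
    found = scan_w3c_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.client_ip} {h.method} {h.uri_stem} -> {h.status}")
    print(count_by_ip(found))
```

In practice the scan would be pointed at every SharePoint front end's `u_ex*.log` files and run alongside the investigation steps the piece describes, since a matching source address only tells you a reported host talked to the server, not what it did once there.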
“The nature of this campaign — stealthy, highly targeted, and aimed at government and telecom sectors — strongly suggests the work of a nation-state actor and points to a broader espionage effort,” Lotem Finkelstein, director of threat intelligence at Check Point Research, told El Reg, adding that “thousands” of global organizations are at risk.
Charles Carmakal, the CTO of Google’s Mandiant security shop, agrees with the nation-state assessment, and believes China is to blame. “We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”
Since July 7, Check Point says it’s confirmed “dozens” of compromise attempts, primarily targeting the government (49 percent), telecommunications (9 percent), and software (24 percent) sectors in North America and Western Europe.
“Microsoft’s ubiquity in enterprise environments makes it an attractive target for adversaries seeking covert access to sensitive systems,” Finkelstein said. “This isn’t about weak security standards. It’s about the strategic value of compromising the most widely used platforms.”
WatchTowr’s head of proactive threat intelligence Ryan Dewhurst told The Register that his security firm has seen “widespread impact across hundreds of organizations, including those that many would consider incredibly sensitive,” such as government, education, and critical infrastructure.
“Our data shows that initial scans began hitting the internet on July 16,” he added. “By July 17 and 18, exploitation was in full swing, prompting Microsoft’s official public advisory on July 19. The US, Germany, France, and Australia are currently bearing the brunt of exploitation activity.”
While “attribution takes time,” Dewhurst noted that early signs “point to nation-state actors focused on persistence,” and other criminals are already taking note. “As always, when there is mass attention to a vulnerability (regardless of whether PoCs are published or not), crime gangs and other threat actor groups will follow — which is what we’re seeing now.”
WatchTowr spent the weekend alerting vulnerable orgs, and in some cases was “forced to watch them get compromised in real-time,” Dewhurst said. “We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario.”
“The sad reality is that we’ll see this vulnerability exploited long into the future as organizations fail to patch or as attackers return to regain access after stealing cryptographic keys as has been seen heavily in activity this weekend,” he added.
‘Patching alone is insufficient’
Plus, as Sikorski and execs have pointed out: “Patching alone is insufficient to fully evict the threat.”
“If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point,” he added.
Mandiant Consulting CTO Charles Carmakal sounded similarly alarmed in a critical alert on LinkedIn. “This isn’t an ‘apply the patch and you’re done’ situation,” he wrote. “Organizations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions.”
Sadly, this isn’t the first time that government-backed spies — or even Lapsus$ hoodlums — have broken into Microsoft’s systems and products to steal sensitive information.
Russia’s Cozy Bear has busted Microsoft’s digital defenses at least twice since 2020: The first time happened via the SolarWinds supply-chain attack in 2020.
Then, in late 2023, the group stole emails and files belonging to the tech titan’s leadership team, as well as cybersecurity and legal employees, although this one wasn’t detected until January 2024.
China’s snoops have stolen a private cryptographic key, government emails, and other important, supposedly secret stuff, prompting a lashing from the feds for a “cascade” of “avoidable errors” that made the Chinese attack possible.
Last summer, Microsoft president Brad Smith testified before Congress about his company’s repeated security failings — but this didn’t stop the millions of dollars in government contracts flowing into Redmond’s coffers.
We hardly expect this latest security snafu to stick to Redmond, nor do we expect another CISA investigation into Microsoft. The US government is far too busy these days with other, more important business — like slashing America’s cyber defenders and trying to distance President Trump from his good, now-deceased buddy and convicted sex offender Jeffrey Epstein.
Business will continue as usual, Redmond will eventually issue a vaguely worded post mortem that absolves it of all responsibility, and then it will roll out yet another shiny new security initiative instead of actually fixing the problem.
But hey, at least it keeps us security journos in business. ®