
Microsoft Traces On-Premises SharePoint Exploits to China


But Hacking Groups of All Stripes Now Have Access to Exploit Code, Researchers Warn

Mathew J. Schwartz (euroinfosec) • July 22, 2025


Hackers targeting zero-day vulnerabilities in Microsoft SharePoint appear to have focused on stealing cryptographic data to facilitate long-term, post-patch access to servers, security experts warn.


Microsoft, which has tied early exploitation activity to China, is rushing out emergency patches to help organizations blunt the exploit chain being used, dubbed ToolShell. On-premises versions of SharePoint are at risk, but SharePoint Online in Microsoft 365 is not (see: Attackers Exploit Zero-Day Flaws in On-Premises SharePoint).

As of Tuesday, patches for all supported versions of SharePoint server - Subscription Edition, 2019 and 2016 - are now available. Microsoft cautioned that further steps are necessary, including rotating keys, to eject attackers from already hacked systems.

The ...


Copyright of this story solely belongs to bankinfosecurity.