ToolShell Zero-Day Attacks on SharePoint: First Wave Linked to China, Hit High-Value Targets
securityweek
Details continue to emerge on the zero-day attacks targeting Microsoft SharePoint servers, but some confusion remains over which vulnerabilities have been exploited.
Microsoft and Eye Security warned over the weekend that SharePoint servers had been targeted in zero-day attacks. No patches were available when news of the exploitation came to light.
Widespread attacks started on July 18, days after researchers demonstrated how two recently patched vulnerabilities, CVE-2025-49706 and CVE-2025-49704, could be chained for unauthenticated remote code execution on SharePoint Server instances as part of an exploit chain they named ToolShell.
It appears that threat actors have bypassed Microsoft’s patches and started exploiting the vulnerabilities in the wild. In response, the tech giant assigned two new CVEs: CVE-2025-53770, which is a variation of CVE-2025-49704, and CVE-2025-53771, a variation of CVE-2025-49706.
Microsoft has since patched CVE-2025-53770 and CVE-2025-53771 in each of the impacted versions of SharePoint Server, including SharePoint Subscription ...
Copyright of this story solely belongs to securityweek.