SharePoint Zero-Days Exploited to Unleash Warlock Ransomware
bankinfosecurity
145 Organizations Compromised by China-Linked Ransomware Hackers and Others
Mathew J. Schwartz (euroinfosec) • July 29, 2025

Attackers infected hundreds of on-premises SharePoint servers by exploiting the zero-day vulnerabilities now tracked as ToolShell, in some cases instigating attacks by ransomware operation Warlock.
Late on July 18, Dutch cybersecurity firm Eye Security first spotted attacks targeting two flaws in on-premises SharePoint software, now tracked as CVE-2025-53770 and CVE-2025-53771 and known as ToolShell.
Based on six days of internet scans - from July 18 until Wednesday - Eye Security said it counted 27,000 on-premises SharePoint servers. It confirmed that at least 396 of those servers - across 145 unique organizations in 41 countries - were compromised.
"From the data, it's clear this wasn't a random or opportunistic campaign," said Lodi Hensen, vice president of security operations at Eye ...
Copyright of this story solely belongs to bankinfosecurity.