Roughly 100 organisations have been affected by a major espionage campaign targeting Microsoft-owned SharePoint server software.
Yesterday (21 July), the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) released an “act now” critical alert regarding a vulnerability in Microsoft Office SharePoint Server products.
The bug – officially CVE-2025-53770, but also known publicly as ToolShell – is a variant of the previously disclosed vulnerability CVE-2025-49706.
Exploitation of this vulnerability enables the “deserialisation of untrusted data in on-premises Microsoft SharePoint Servers”, which, in turn, could lead to remote code execution and full access to SharePoint content.
The CEO of cyber security firm watchTowr, Benjamin Harris, said that exploitation of the bug was being tracked and that no patch was currently available.
“All signs point to widespread, mass exploitation – with compromised government, technology, and enterprise systems observed globally,” he said.
Now, Eye Security chief hacker Vaisha Bernard said that a scan conducted by the firm and the Shadowserver Foundation found almost 100 cases of exploitation.
“It’s unambiguous,” Bernard said. “Who knows what other adversaries have done since to place other backdoors.”
While the wave has not been attributed, Rafe Pilling, director of threat intelligence at British cyber security firm Sophos, said the activity appears to have been conducted by a single threat actor.
“Based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be from a single actor,” he said.
“However, it’s possible that this will quickly change as awareness of the exploit chain spreads.
“In the initial campaign, we observed code being deployed that attempts to extract sensitive ASP.NET cryptographic secrets from the targeted servers.
“The threat actor can use these stolen secrets to enable additional access to the victim. Organisations using this software should urgently follow Microsoft’s patching and remediation advice.”
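The stolen "ASP.NET cryptographic secrets" Pilling refers to are the machine keys (ValidationKey and DecryptionKey) that ASP.NET uses to sign and encrypt ViewState; an attacker who has copied them can keep forging requests to the server after the original bug is closed. The script below is an added example, not code from the article or from Microsoft, showing how an administrator rotates those keys farm-wide after patching. It assumes an elevated SharePoint Management Shell on a farm server and a SharePoint version that ships the Update-SPMachineKey cmdlet; on older versions the keys have to be rotated by hand.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys of every
# on-premises SharePoint web application so that ValidationKey/DecryptionKey
# values copied off the server by an attacker no longer let them forge ViewState.
# Assumptions: run as farm administrator in an elevated SharePoint Management
# Shell, after the relevant security update has been installed on every server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Include Central Administration; its keys are as sensitive as any content site's.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($wa in $webApps) {
    Write-Host "Rotating ASP.NET machine key for $($wa.Url)"
    # Generates a fresh ValidationKey/DecryptionKey pair for this web application
    # and deploys it to all servers in the farm.
    Update-SPMachineKey -WebApplication $wa
}

# Recycle IIS on each farm server so the worker processes load the new keys.
iisreset
```

Rotating keys on an unpatched server buys nothing, because the same exploit chain can be used to read the new keys straight back out; patch first, rotate second, and run the rotation (and the IIS restart) on every server in the farm, not just the one on which the compromise was noticed.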
While the lack of a patch makes dealing with the attacks difficult, KnowBe4 security awareness advocate James McQuiggan said there are steps CISOs can take to protect their businesses.
“While the vulnerability impacts only SharePoint systems hosted on-prem, the risk is significantly higher if the SharePoint instance is exposed to the internet. That said, even if it’s only accessible within the network, there’s still a risk. The impact might be slower, but if attackers are already inside the network, they can target SharePoint to access sensitive data and gain a deeper foothold,” he told Cyber Daily.
“Organisations should evaluate the business impact of downtime versus the risk of compromise. Access should be limited to essential users only and restricted through VPN. Security operations teams need to increase monitoring of SharePoint activity for any signs of suspicious behaviour. It’s also important to engage cyber security vendors to determine whether they’ve identified any indicators of compromise related to this specific type of attack.
“And in a worst-case scenario, isolating the SharePoint server from the internet or even temporarily taking it offline may be the safest move to protect the organisation.”