Widespread SharePoint Zero-Day Exploitation
FortiGuard Labs has detected and blocked hundreds of exploitation attempts targeting a newly discovered zero-day vulnerability chain in on-premises Microsoft SharePoint servers. The campaign is being run by multiple threat actors and poses a significant risk to a wide range of sectors, including government, education, healthcare and large enterprises.
Common Vulnerabilities and Exposures
Background
Chained together, these vulnerabilities allow an unauthenticated remote attacker to bypass authentication and execute arbitrary code on a vulnerable on-premises SharePoint server. Dubbed `ToolShell` by researchers, the attack chains two vulnerabilities that Microsoft had already patched, CVE-2025-49706 (improper authentication, exploited as a spoofing bug) and CVE-2025-49704 (code injection leading to remote code execution). The zero-day variants CVE-2025-53770 and CVE-2025-53771 bypass those earlier fixes; Microsoft tracks CVE-2025-53770 as a variant of CVE-2025-49704 and CVE-2025-53771 as a variant of CVE-2025-49706.
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities.
Microsoft has released security updates that fully protect customers running all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771 (SharePoint Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016; SharePoint Online in Microsoft 365 is not affected). Microsoft assesses with high confidence that threat actors will continue to integrate these vulnerabilities into attacks against unpatched on-premises SharePoint systems.
To mitigate this threat, apply the latest security updates to every affected on-premises SharePoint server. Patching alone does not evict an attacker who has already exploited the chain: the web shell used in this campaign reads the server's ASP.NET MachineKey (validation and decryption keys), which lets the attacker keep forging signed ViewState payloads after the fix is installed. Microsoft's guidance therefore also calls for rotating the SharePoint ASP.NET machine keys after patching, restarting IIS, enabling AMSI integration with Microsoft Defender Antivirus (or an equivalent engine) on SharePoint, and hunting for evidence of prior compromise using the published IOCs, such as those in the FortiGuard and CISA reports listed under Latest Development.
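As an added illustration of the hunting step, the script below is not part of this alert and is not FortiGuard, Microsoft or CISA tooling. It parses IIS W3C logs and flags the two request patterns Microsoft and CISA published for ToolShell, which this page does not itself list: a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit in the query and a Referer of /_layouts/SignOut.aspx (the authentication-bypass request that delivers the code-injection payload), and any request for spinstall0.aspx (the web shell dropped to read the MachineKey). The sample log, host names and IP addresses are constructed for the example; the column order is read from the log's own #Fields header.

```python
"""Hunt IIS W3C logs for the publicly documented ToolShell request pattern."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Indicators published by Microsoft and CISA for this campaign (not listed on
# this page): the authentication-bypass request and the dropped web shell.
TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
SIGNOUT = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.I)
EDIT_MODE = re.compile(r"(?:^|&)displaymode=edit(?:&|$)", re.I)
WEBSHELL = re.compile(r"/spinstall0\.aspx$", re.I)

# Constructed sample in IIS W3C format: one exploitation sequence from
# 203.0.113.10, then ordinary authenticated traffic from 10.0.0.77 that touches
# the same pages and must not be flagged. Host names and addresses are made up.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 02:14:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-19 02:15:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/sites/team/SitePages/Home.aspx 200
2025-07-19 02:16:30 10.0.0.5 GET /_layouts/15/SignOut.aspx - 443 CORP\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) - 302
"""


@dataclass
class Hit:
    when: str
    client_ip: str
    method: str
    uri: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header.

    IIS writes a new #Fields directive whenever logging settings change, so the
    column order is taken from the most recent header rather than hard-coded.
    """
    fields: Optional[list[str]] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(rec: dict[str, str]) -> Optional[str]:
    """Return a reason string if the record matches a ToolShell indicator."""
    stem = rec.get("cs-uri-stem", "-")
    if WEBSHELL.search(stem):
        return "request for spinstall0.aspx web shell"
    # A GET of ToolPane.aspx in edit mode with a normal referer is what a
    # legitimate page editor produces, so all four conditions are required.
    if (rec.get("cs-method", "").upper() == "POST"
            and TOOLPANE.search(stem)
            and EDIT_MODE.search(rec.get("cs-uri-query", "-"))
            and SIGNOUT.search(rec.get("cs(Referer)", "-"))):
        return "ToolShell auth bypass: POST to ToolPane.aspx with SignOut.aspx referer"
    return None


def scan(lines: Iterable[str]) -> list[Hit]:
    """Run every data line through classify() and collect the matches."""
    hits: list[Hit] = []
    for rec in parse_w3c(lines):
        reason = classify(rec)
        if reason is not None:
            hits.append(Hit(
                when=f"{rec.get('date', '?')} {rec.get('time', '?')}",
                client_ip=rec.get("c-ip", "-"),
                method=rec.get("cs-method", "-"),
                uri=rec.get("cs-uri-stem", "-"),
                reason=reason,
            ))
    return hits


def suspicious_clients(hits: list[Hit]) -> dict[str, list[str]]:
    """Group reasons by source IP so follow-up (key rotation, IR) can be scoped."""
    by_ip: dict[str, list[str]] = {}
    for h in hits:
        by_ip.setdefault(h.client_ip, []).append(h.reason)
    return by_ip


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.when} {h.client_ip} {h.method} {h.uri}: {h.reason}")
    print(suspicious_clients(found))
```

Point scan() at the lines of a real log under the SharePoint web application's IIS log directory instead of SAMPLE_LOG; any hit on a server, patched or not, means the machine keys should be treated as stolen and rotated, and the host handed to incident response.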
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
FortiGuard customers are protected by multiple layers of defense against these exploits. However, immediate patching of all affected SharePoint instances is strongly advised. The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
- August 13, 2025: Shadowserver reports more than 29,000 Exchange servers are still unpatched against potential CVE-2025-53786 attacks.
- August 06, 2025: CISA published a Malware Analysis Report (MAR) with analysis and associated detection signatures for files related to the Microsoft SharePoint vulnerabilities.
https://www.cisa.gov/news-events/alerts/2025/08/06/cisa-releases-malware-analysis-report-associated-microsoft-sharepoint-vulnerabilities
- July 31, 2025: Palo Alto Networks Unit 42 observed ToolShell being exploited to deploy ransomware (4L4MD4R).
https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/#post-147463-_50343o6a6han
- July 25, 2025: FortiGuard Labs released a threat research blog uncovering new IOCs.
https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign
- July 22, 2025: CISA added two further vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2025-49704 (Microsoft SharePoint Code Injection Vulnerability) and CVE-2025-49706 (Microsoft SharePoint Improper Authentication Vulnerability).
- July 22, 2025: Microsoft reports having observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities against internet-facing SharePoint servers.
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- July 21, 2025: CISA adds CVE-2025-53770 to the Known Exploited Vulnerabilities (KEV) Catalog. Organizations are advised to remediate by the federal deadlines.
- July 20, 2025: FortiGuard publishes a Threat Signal providing more details.
https://www.fortiguard.com/threat-signal-report/6159/microsoft-sharepoint-zero-day
- July 19, 2025: Microsoft Security Response Center (MSRC) publishes a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability.
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- July 19, 2025: Microsoft publishes customer guidance for CVE-2025-53770 and CVE-2025-53771.
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
- July 17, 2025: Microsoft confirms active exploitation and begins its investigation.
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- AV
- Vulnerability
- Behavior Detection
- IPS
- Web App Security
- Web & DNS Filter
- Post-execution
- IOC
- Outbreak Detection
- Automated Response
- Assisted Response Services
- NOC/SOC Training
- End-User Training
- Vulnerability Management
- Attack Surface Monitoring (Inside & Outside)
- Attack Surface Hardening