As Microsoft continues to update its customer guidance for protecting on-prem SharePoint servers against the latest in-the-wild attacks, more security firms have begun sharing details about the ones they have detected.
Most intriguingly, Check Point Research says that they observed the first exploitation attempts on July 7th, with the target being a major Western government.
That date precedes not only the publication of the screenshot showing the ToolShell exploit chain (CVE-2025-49706 + CVE-2025-49704) in action and the later release of additional technical details, but also the release of the patches for those flaws.
Updated guidance
While Microsoft initially stated that the active attacks targeting on-premises SharePoint Server customers are exploiting a variant of CVE-2025-49706, i.e., CVE-2025-53770, it has now confirmed that:
(CVE-2025-53770 is, according to Microsoft’s security advisory, being exploited, but CVE-2025-53771 – again, according to its advisory – is not.)
In the meantime, the company has released security updates that fix both CVE-2025-53770 and CVE-2025-53771 on Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016, and is advising customers with on-prem servers to:
- Implement them
- Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
- Turn on and correctly configure the Antimalware Scan Interface (AMSI) and use an antivirus solution such as Defender Antivirus, and
- Rotate SharePoint Server ASP.NET machine keys
Before doing that, though, they should check whether their servers have been targeted and compromised.
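As an added illustration of the last step in that list (example code, not from the article and not Microsoft's own guidance text), the following PowerShell rotates the ASP.NET machine keys for every web application in a SharePoint farm and reloads IIS so the new keys take effect. It assumes the SharePoint Management Shell cmdlets Get-SPWebApplication and Update-SPMachineKey (SharePoint 2016 and later) and a session running as a farm administrator.

```powershell
# Added example: rotate SharePoint ASP.NET machine keys farm-wide.
# Assumption: the SharePoint PowerShell snap-in exposes Get-SPWebApplication
# and Update-SPMachineKey on this server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotation only invalidates keys an intruder may already have stolen; it does
# not fix the vulnerability, so install the July 2025 updates first.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($app in $webApps) {
    Write-Host "Rotating machine keys for $($app.DisplayName) ($($app.Url))"
    Update-SPMachineKey -WebApplication $app
}

# Running worker processes keep the old keys in memory until IIS restarts.
# Run this on every server in the farm.
iisreset.exe
```

Keys rotated this way are stored in the farm configuration, so a compromised key on one server is replaced across the whole farm, not just locally.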
Different attack clusters
Eye Security continues to update a list of indicators of compromise related to the different waves of attacks they have spotted from July 17 to date – including the newest ones that emerged on Monday, after a proof-of-concept exploit script for CVE-2025-53770 was published on GitHub.
Trend Micro, Rapid7 and Bitdefender have detected the same attacks. “Attackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys,” Palo Alto Networks’ researchers have noted.
Check Point and SentinelOne researchers have also detected others.
As mentioned before – and as confirmed to us by a Check Point representative – they observed single exploitation attempts on July 7th and 10th, and then significant exploitation waves starting July 17th.
The exploitation attempt on July 7th targeted a Western government. The waves that started on July 17th and intensified on July 18th and 19th delivered a custom webshell and targeted organizations in the government, software, and telecommunications sectors, predominantly in North America and Europe.
One of the IP addresses involved in the latter attacks was also associated with earlier exploitation attempts against a related Ivanti EPMM vulnerability chain, they noted.
SentinelOne researchers have also observed exploitation attempts from three distinct attack clusters, some involving the deployment of webshells and one not. (The sophistication of the latter attempt made them believe that this attack was performed either as a skilled red team emulation exercise or was the “work of a capable threat actor with a focus on evasive access and credential harvesting.”)
They also said that they have observed multiple state-aligned threat actors – unrelated to the first wave of exploitation – beginning to engage in reconnaissance and early-stage exploitation activities.
“Additionally, we’ve also identified actors possibly standing up decoy honeypot environments to collect and test exploit implementations, as well as sharing tooling and tradecraft across known sharing platforms. As awareness spreads within these communities, we expect further weaponization and sustained targeting of vulnerable SharePoint infrastructure,” SentinelOne researchers added.
Microsoft’s threat intelligence team said today that it has observed “two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon” and another, unnamed China-based threat actor (tracked as Storm-2603) exploiting CVE-2025-49706 and CVE-2025-49704, and has shared indicators of compromise, hunting queries, and more.
Organizations that haven’t updated their on-prem SharePoint Server instances since before Microsoft’s July 2025 Patch Tuesday releases should consider them compromised and move to investigate and remediate discovered intrusions.