A major wave of cyberattacks has compromised at least 396 Microsoft SharePoint servers worldwide, exploiting a newly disclosed zero-day vulnerability dubbed ToolShell (CVE-2025-53770/53771). The flaw has prompted concerns across industries and nations due to its widespread abuse and strategic targeting.
The discovery was made by Eye Security, a Netherlands-based cybersecurity firm, after scanning over 27,000 SharePoint instances between July 18 and 23. The analysis confirmed that 145 organizations across 41 countries have already been breached, with expectations that this number will rise significantly in the coming weeks.
United States Among the Primary Targets
The United States has been hit hardest, representing 31% of confirmed compromised entities. Other affected countries include Mauritius (8%), Germany (7%), and France (5%). Eye Security suspects Mauritius may have been targeted due to the presence of U.S. government entities in the region.
Notably, two organizations in Jordan also saw abnormally high attack volumes, indicating a potential strategic focus in the region.
Government Entities in the Crosshairs
The government sector accounts for 30% of the confirmed compromises. While specific victims have not been officially named, reports suggest potential involvement of key U.S. government bodies, including the Department of Homeland Security, the Department of Health and Human Services, and even the U.S. Nuclear Weapons Agency.
“Based on the attack patterns, it’s clear this wasn’t a case of random opportunism. The attackers were highly selective,” explained Lodi Hensen, VP of Security Operations at Eye Security.
According to the firm, threat actors targeted organizations with strategic or intelligence value, reinforcing the idea that this was part of a deliberate and intelligence-driven operation.
Other Sectors Affected
Outside of government agencies, the following sectors were also impacted:
- Education: 13%
- SaaS providers: 9%
- Telecommunications: 4%
- Energy infrastructure: 4%
This highlights the broad reach and potential downstream risks of this ongoing campaign.
Threat Landscape: Expanding Beyond State Actors
Initially attributed to China-linked threat groups such as Linen Typhoon, Violet Typhoon, and Storm-2603, exploitation now appears to be spreading beyond nation-state actors. As technical details have surfaced publicly, other cybercriminal groups are beginning to leverage the vulnerability — particularly since exploit modules for it have been added to popular frameworks like Metasploit.
“The public release of exploit code dramatically lowers the barrier to entry,” Hensen added. “Even low-skill attackers can now deploy effective attacks against unpatched systems.”
Next Steps for Defenders
Eye Security warns that ransomware attacks and supply chain compromises may follow in the wake of this vulnerability’s exposure. The firm is urging all organizations using on-premises Microsoft SharePoint to take immediate action:
- Assume compromise
- Verify that all patches are applied
- Initiate proactive threat hunting
Eye Security began directly notifying clients and partners of the risk on July 21. The situation remains fluid as more threat actors become aware of and exploit the vulnerability.
Source: https://www.infosecurity-magazine.com/news/396-sharepoint-systems-compromised