PSA: Active exploitation of Microsoft SharePoint “ToolShell” flaws, targeting organizations and allowing remote code execution
by Justin Erickson
Microsoft says two China-based actors — Linen Typhoon and Violet Typhoon — are exploiting on-premises SharePoint vulnerabilities, with a separate group, Storm-2603, deploying Warlock ransomware on compromised servers. The activity centers on a newly disclosed exploit chain dubbed ToolShell. The ToolShell campaign builds on the earlier Pwn2Own-related bugs (CVE-2025-49704, CVE-2025-49706) with the new flaws CVE-2025-53770 (a deserialization vulnerability leading to remote code execution) and CVE-2025-53771 (a server spoofing vulnerability). CISA amplified the alert, adding detection details, indicators, and steps to reduce the risk posed by these vulnerabilities. Shadowserver reports show 420+ exposed vulnerable SharePoint servers, while Bloomberg cites 400+ companies affected. As stated by The Hacker News, those targeted in these campaigns “…include technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations.” For more information about this topic, the vulnerabilities, and how to mitigate the risks associated with these flaws, check the links below.
Third-Party references:
