Hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunicati...

Cisco Talos Incident Response observed a surge in attacks exploiting public-facing applications — mainly via ToolShell targeting SharePoint — for initial access, with post-exploitation phishing and ev...

Author(s): Vlad Pasca Warlock ransomware was deployed by exploiting the SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771 The ma...

ToolShell exploit activity surged last quarter, appearing in over 60% of Cisco Talos IR cases and driving a sharp rise in public-facing application attacks

Cisco Talos Incident Response observed a surge in attacks exploiting public-facing applications — mainly via ToolShell targeting SharePoint — for initial access, with post-exploitation phishing and…

ToolShell exploit activity surged last quarter, appearing in over 60% of Cisco Talos IR cases and driving a sharp rise in public-facing application attacks

ToolShell exploit activity surged last quarter, appearing in over 60% of Cisco Talos IR cases and driving a sharp rise in public-facing application attacks

China-linked hackers have exploited the ToolShell SharePoint vulnerability, tracked as CVE-2025-53770, shortly after its patch release in July 2025. This vulnerability was used to compromise a telecommunications company in the Middle East, highlighting the persistent threat posed by advanced persistent threat (APT) groups. The exploitation of a patched vulnerability underscores the critical importance of timely patch management and the evolving tactics of state-sponsored cyber actors. The ToolShell SharePoint vulnerability, CVE-2025-53770, was addressed by Microsoft in their July 2025 security updates. However, the successful exploitation of this flaw by Chinese hackers suggests that either the affected organization had not applied the patch in a timely manner or that the attackers had developed a method to bypass the patch. This incident serves as a stark reminder of the challenges organizations face in maintaining robust cybersecurity defenses, particularly against sophisticated adversaries. The breach of a telecommunications company in the Middle East is particularly concerning due to the strategic importance of such infrastructure. Telecommunications networks are critical for national security and economic stability, making them prime targets for state-sponsored cyber espionage and sabotage. The involvement of Chinese hackers indicates a potential geopolitical motive, as such attacks are often aimed at gathering intelligence or disrupting critical services. From a technical perspective, the exploitation of CVE-2025-53770 likely involved sophisticated techniques to bypass security measures. Organizations must prioritize patch management and implement additional security controls, such as network segmentation, intrusion detection systems, and regular security audits. Furthermore, continuous monitoring for signs of exploitation and timely threat intelligence sharing can help mitigate the risks posed by such advanced threats. In conclusion, the exploitation of the patched ToolShell SharePoint vulnerability by China-linked hackers highlights the ongoing challenges in cybersecurity. Organizations must remain vigilant, ensure timely patch management, and adopt a multi-layered security approach to defend against advanced threats. This incident also underscores the need for international cooperation in addressing state-sponsored cyber threats and protecting critical infrastructure.

China-based threat actors exploited ToolShell SharePoint flaw CVE-2025-53770 soon after it was patched in July.

China-based threat actors exploited ToolShell SharePoint flaw CVE-2025-53770 soon after its July patch. China-linked threat actors exploited the ToolShell SharePoint flaw vulnerability, tracked as CVE-2025-53770, to breach a telecommunications company in the Middle East after it was addressed by Microsoft in July 2025. “China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in […]

China-based threat actors exploited ToolShell SharePoint flaw CVE-2025-53770 soon after it was patched in July.