Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft SharePoint ToolShell (CVE-2025-53770) widespread exploitation

Exploitation Wave
First reported
Last updated
Happening score
H score 42
2 unique sources, 2 articles

Summary

Hide ▲

CVE-2025-53770 exploitation against Microsoft SharePoint on-premise servers expanded into a multi-region wave affecting government, university, telecom, and finance targets. The activity matters because attackers used the zero-day for webshell placement, backdoors, and credential dumping, creating persistent-access and domain-compromise risk. Microsoft issued emergency updates on July 21, but the attacks were already spreading across four continents.

Related Happenings

Microsoft releases RoguePlanet Defender security update for CVE-2026-50656

Security Patch Release
H score32 First: 17.06.2026 20:36 Last: 17.06.2026 20:36 Sources 1

About this happening: **Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...

Latest development: 09.07.2026 11:48

Microsoft released security updates for CVE-2026-50656, remediating the RoguePlanet privilege-escalation flaw in Microsoft Malware Protection Engine (mpengine.dll) with version 1.1.26060.3008 and additional defense-in-depth updates. Microsoft said no customer action is required to install the update.

SimpleHelp security update for CVE-2026-48558

Security Patch Release
H score65 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: **SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
H score37 First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)

Vulnerability
H score53 First: 05.05.2026 14:56 Last: 05.05.2026 14:56 Sources 1

About this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
H score89 First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Timeline

  1. 22.10.2025 15:56 1 articles · 8mo ago

    Microsoft SharePoint ToolShell exploitation wave (CVE-2025-53770)

    Initial Disclosure

    After the **July 2025 patch**, China-linked actors began abusing **ToolShell / CVE-2025-53770** against **Microsoft SharePoint** servers, starting with a **telecommunications company in the Middle East** and then broader regional targets.

    Show sources
  2. 22.10.2025 13:24 1 articles · 8mo ago

    ToolShell disclosed as actively exploited

    Initial Disclosure

    Microsoft SharePoint on-premise servers were disclosed as an actively exploited zero-day on July 20, 2025 after China-linked hackers leveraged CVE-2025-53770 in attacks against government agencies, universities, telecommunication service providers, and finance organizations.

    Show sources
  3. 22.10.2025 13:24 1 articles · 8mo ago

    Microsoft issues emergency SharePoint updates

    Mitigation Patch Update

    Microsoft released emergency updates on July 21, 2025 for SharePoint on-premise servers after CVE-2025-53770 was disclosed as an actively exploited zero-day and identified as a bypass for CVE-2025-49706 and CVE-2025-49704.

    Show sources
  4. 22.10.2025 13:24 1 articles · 8mo ago

    Middle East telecom compromise chain

    Exploitation Observed

    On July 21, 2025, the affected telecommunications service provider in the Middle East saw CVE-2025-53770 used to plant webshells for persistent access, side-load the Go-based backdoor Zingdoor, launch what appears to be the ShadowPad Trojan, drop KrustyLoader, deploy Sliver, dump credentials with ProcDump, Minidump, and LsassDumper, and use PetitPotam (CVE-2021-36942) for domain compromise.

    Show sources
  5. 22.10.2025 13:24 2 articles · 8mo ago

    Broader campaign scope and attribution update

    Campaign Scope Update

    On October 22, 2025, new findings expanded the ToolShell campaign to organizations in the Middle East, South America, the U.S., Africa, and Europe and linked the activity to malware and tooling typically associated with Salt Typhoon, suggesting a larger set of Chinese threat actors than previously known.

    Show sources