
Microsoft SharePoint ToolShell (CVE-2025-53770) widespread exploitation

Exploitation Wave
Happening score: 54
2 unique sources, 2 articles

Summary


CVE-2025-53770 exploitation against Microsoft SharePoint on-premise servers expanded into a multi-region wave affecting government, university, telecom, and finance targets. The activity matters because attackers used the zero-day for webshell placement, backdoors, and credential dumping, creating persistent-access and domain-compromise risk. Microsoft issued emergency updates on July 21, but the attacks were already spreading across four continents.

Related Happenings

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)

Vulnerability
First: 05.05.2026 14:56 Last: 05.05.2026 14:56 Sources 1

About this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...

cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
First: 01.05.2026 17:02 Last: 01.05.2026 17:02 Sources 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

ClockRemoval.ps1 antivirus-disabling malware activity linked to Dragon Boss Solutions LLC

Malware Activity
First: 15.04.2026 17:40 Last: 15.04.2026 17:40 Sources 1

About this happening: A signed software operation linked to **Dragon Boss Solutions LLC** was observed using **ClockRemoval.ps1** to disable antivirus on **more than 23,000 endpoints worldwide**, raisi...

Timeline

  1. 22.10.2025 15:56 1 article · 7mo ago

    Microsoft SharePoint ToolShell exploitation wave (CVE-2025-53770)

    Initial Disclosure

    After the **July 2025 patch**, China-linked actors began abusing **ToolShell / CVE-2025-53770** against **Microsoft SharePoint** servers, starting with a **telecommunications company in the Middle East** and then broader regional targets.

  2. 22.10.2025 13:24 1 article · 7mo ago

    ToolShell disclosed as actively exploited

    Initial Disclosure

    CVE-2025-53770 in Microsoft SharePoint on-premise servers was disclosed as an actively exploited zero-day on July 20, 2025, after China-linked hackers leveraged it in attacks against government agencies, universities, telecommunication service providers, and finance organizations.

  3. 22.10.2025 13:24 1 article · 7mo ago

    Microsoft issues emergency SharePoint updates

    Mitigation Patch Update

    Microsoft released emergency updates on July 21, 2025 for SharePoint on-premise servers after CVE-2025-53770 was disclosed as an actively exploited zero-day and identified as a bypass for CVE-2025-49706 and CVE-2025-49704.

  4. 22.10.2025 13:24 1 article · 7mo ago

    Middle East telecom compromise chain

    Exploitation Observed

    On July 21, 2025, the affected telecommunications service provider in the Middle East saw CVE-2025-53770 used to plant webshells for persistent access, side-load the Go-based backdoor Zingdoor, launch what appears to be the ShadowPad Trojan, drop KrustyLoader, deploy Sliver, dump credentials with ProcDump, Minidump, and LsassDumper, and use PetitPotam (CVE-2021-36942) for domain compromise.

  5. 22.10.2025 13:24 2 articles · 7mo ago

    Broader campaign scope and attribution update

    Campaign Scope Update

    On October 22, 2025, new findings expanded the ToolShell campaign to organizations in the Middle East, South America, the U.S., Africa, and Europe and linked the activity to malware and tooling typically associated with Salt Typhoon, suggesting a larger set of Chinese threat actors than previously known.
