Microsoft SharePoint ToolShell (CVE-2025-53770) widespread exploitation
Exploitation Wave
Summary
Hide ▲
Show ▼
CVE-2025-53770 exploitation against Microsoft SharePoint on-premise servers expanded into a multi-region wave affecting government, university, telecom, and finance targets. The activity matters because attackers used the zero-day for webshell placement, backdoors, and credential dumping, creating persistent-access and domain-compromise risk. Microsoft issued emergency updates on July 21, but the attacks were already spreading across four continents.
Related Happenings
Microsoft releases RoguePlanet Defender security update for CVE-2026-50656
Security Patch Release
H score32
First: 17.06.2026 20:36
Last: 17.06.2026 20:36
Sources 1
About this happening:
**Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...
Microsoft releases RoguePlanet Defender security update for CVE-2026-50656
Security Patch ReleaseAbout this happening: **Microsoft** has released a **security update** for **CVE-2026-50656**, remediating **RoguePlanet** in the **Microsoft Malware Protection Engine (mpengine.dll)**. The flaw is a *...
Latest development: 09.07.2026 11:48
Microsoft released security updates for CVE-2026-50656, remediating the RoguePlanet privilege-escalation flaw in Microsoft Malware Protection Engine (mpengine.dll) with version 1.1.26060.3008 and additional defense-in-depth updates. Microsoft said no customer action is required to install the update.
SimpleHelp security update for CVE-2026-48558
Security Patch Release
H score65
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...
SimpleHelp security update for CVE-2026-48558
Security Patch ReleaseAbout this happening: **SimpleHelp** released **5.5.16** and **6.0 RC2** on **June 9** to fix **CVE-2026-48558**, a critical **OIDC** authentication flaw in **SimpleHelp remote management software** th...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
H score37
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater broad cyber-espionage campaign across sectors and countries
CampaignAbout this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)
Vulnerability
H score53
First: 05.05.2026 14:56
Last: 05.05.2026 14:56
Sources 1
About this happening:
**CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...
MetInfo CMS unauthenticated PHP code injection actively exploited remote code execution flaw (CVE-2026-29014)
VulnerabilityAbout this happening: **CVE-2026-29014** in **MetInfo CMS** is **actively exploited**, putting **versions 7.9, 8.0, and 8.1** at risk of **remote code execution** and full server takeover. **MetInfo**...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
H score89
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Timeline
-
22.10.2025 15:56 1 articles · 8mo ago
Microsoft SharePoint ToolShell exploitation wave (CVE-2025-53770)
Initial DisclosureAfter the **July 2025 patch**, China-linked actors began abusing **ToolShell / CVE-2025-53770** against **Microsoft SharePoint** servers, starting with a **telecommunications company in the Middle East** and then broader regional targets.
Show sources
- Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch — thehackernews.com — 22.10.2025 15:56
-
22.10.2025 13:24 1 articles · 8mo ago
ToolShell disclosed as actively exploited
Initial DisclosureMicrosoft SharePoint on-premise servers were disclosed as an actively exploited zero-day on July 20, 2025 after China-linked hackers leveraged CVE-2025-53770 in attacks against government agencies, universities, telecommunication service providers, and finance organizations.
Show sources
- Sharepoint ToolShell attacks targeted orgs across four continents — www.bleepingcomputer.com — 22.10.2025 13:24
-
22.10.2025 13:24 1 articles · 8mo ago
Microsoft issues emergency SharePoint updates
Mitigation Patch UpdateMicrosoft released emergency updates on July 21, 2025 for SharePoint on-premise servers after CVE-2025-53770 was disclosed as an actively exploited zero-day and identified as a bypass for CVE-2025-49706 and CVE-2025-49704.
Show sources
- Sharepoint ToolShell attacks targeted orgs across four continents — www.bleepingcomputer.com — 22.10.2025 13:24
-
22.10.2025 13:24 1 articles · 8mo ago
Middle East telecom compromise chain
Exploitation ObservedOn July 21, 2025, the affected telecommunications service provider in the Middle East saw CVE-2025-53770 used to plant webshells for persistent access, side-load the Go-based backdoor Zingdoor, launch what appears to be the ShadowPad Trojan, drop KrustyLoader, deploy Sliver, dump credentials with ProcDump, Minidump, and LsassDumper, and use PetitPotam (CVE-2021-36942) for domain compromise.
Show sources
- Sharepoint ToolShell attacks targeted orgs across four continents — www.bleepingcomputer.com — 22.10.2025 13:24
-
22.10.2025 13:24 2 articles · 8mo ago
Broader campaign scope and attribution update
Campaign Scope UpdateOn October 22, 2025, new findings expanded the ToolShell campaign to organizations in the Middle East, South America, the U.S., Africa, and Europe and linked the activity to malware and tooling typically associated with Salt Typhoon, suggesting a larger set of Chinese threat actors than previously known.
Show sources
- Sharepoint ToolShell attacks targeted orgs across four continents — www.bleepingcomputer.com — 22.10.2025 13:24
- Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch — thehackernews.com — 22.10.2025 15:56