VERY IMPORTANT

A zero-day exploit chain named 'ToolShell' is actively targeting on-premises Microsoft SharePoint servers worldwide, potentially affecting thousands of organizations. The attack leverages two critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution and steal cryptographic keys, enabling persistent access even after patches are applied. The threat has evolved to use an in-memory payload, making traditional detection methods unreliable. Chinese state-sponsored threat actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, have been exploiting these vulnerabilities since July 7, 2025. The campaign's impact is significant, with nearly 5% of scanned organizations vulnerable and over 400 confirmed victims.