A critical zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770/53771 and dubbed ToolShell, has led to the compromise of 396 systems globally. The Dutch cybersecurity firm Eye Security uncovered the widespread exploitation after analyzing over 27,000 SharePoint servers between July 18 and 23.
Their investigation confirmed that at least 145 unique organizations across 41 countries were affected, with the United States accounting for the largest share (31%) of compromised entities, followed by Mauritius (8%), Germany (7%), and France (5%). Mauritius’s unusual prominence may be linked to the presence of U.S. government operations in the region. Two Jordanian organizations also reported particularly high attack volumes.
Government agencies appear to be the primary target, comprising 30% of all confirmed infections. While there is speculation that high-value U.S. departments such as the Nuclear Weapons Agency, the Department of Homeland Security, and the Department of Health and Human Services were among the victims, these agencies have not confirmed involvement. According to Eye Security, the attackers clearly exhibited a selective, intelligence-driven approach, focusing on organizations with strategic value rather than exploiting all vulnerable servers indiscriminately. Other sectors impacted include education (13%), SaaS providers (9%), telecommunications (4%), and power infrastructure (4%).
The threat is far from over. Eye Security warned that the vulnerability will likely be further exploited in the weeks ahead, especially by ransomware groups and actors looking to compromise supply chains. Although Microsoft attributed the original attacks to China-linked actors such as Linen Typhoon and Violet Typhoon, subsequent activity points to broader involvement, including non-state and financially motivated actors. The inclusion of the exploit in open-source tools like Metasploit now makes it accessible even to low-skilled attackers. Eye Security urges all organizations using on-premises SharePoint to assume they may already be compromised, apply all necessary patches, and initiate in-depth threat hunting efforts.
