ToolShell and SharePoint: A Hackathon Gone Wrong

2025-09-25

This year, a hacking competition took an unfortunate turn when a critical exploit for Microsoft's SharePoint, first demonstrated at the event, spiralled out of control in the days following it. The ToolShell attack chain became one of the most severe threats to government agencies and businesses in recent history.
In this article we break down the timeline of events that led to the compromise of multiple key institutions, including the US Departments of Energy and Homeland Security, nuclear facilities and countless businesses across the world.


Background

In May 2025, Berlin hosted Pwn2Own, Trend Micro's flagship hacking competition. The event attracts security researchers from all over the world, offering substantial bounties for the discovery and exploitation of novel security vulnerabilities. A record-breaking $1,078,750 USD was awarded to researchers for their bug hunting, with targets including VMware, Red Hat Linux, Windows 11 and Firefox. Of key interest to the vendors is the chance to patch 0-day vulnerabilities before they are seen in the wild; these are particularly dangerous because no fix or means of detection yet exists for them.

Among the 28 0-day exploits showcased at the event, a researcher named Dinh Ho Anh Khoa of Viettel Cyber Security demonstrated a novel exploit affecting installations of Microsoft SharePoint. Later dubbed "ToolShell", it earned him a prize of $100,000 USD. The exploit relies on a weakness in SharePoint's authentication handling which, chained with a second flaw, essentially allows bad actors to gain administrator-level access without any login credentials. The CVE entries for the initial exploit chain are CVE-2025-49704 and CVE-2025-49706; over the following weeks several related vulnerabilities would be discovered, including CVE-2025-53771 and CVE-2025-53770.

After news of the SharePoint exploit began to circulate, other parties set about reproducing it. Researchers from CODE WHITE, a German cybersecurity firm, posted evidence of their success on July 14th, and SecProject followed with a credible reproduction of ToolShell on July 18th. It has been suggested that the proofs they posted to X were eventually reverse-engineered by other researchers to develop their own versions of the exploit, and naturally some opportunistic bad actors did the same.

This is where the timeline gets a little messy. While the reverse engineering of the aforementioned researchers' posts is plausible, the first case of the exploit appearing in the wild was detected by Microsoft on July 7th, predating the reproductions noted above. Dustin Childs, head of threat awareness at Trend Micro, told journalists that notice of the vulnerability had been given on June 24th, with further notices on July 3rd and July 7th. These notices were protected by NDA and served only to members of the Microsoft Active Protections Program (MAPP), which gives partners advance notice of critical vulnerabilities, sometimes including code snippets. Microsoft itself would soon launch an investigation into a potential leak, as multiple attacks were linked to Chinese state actors.
The first patch from Microsoft addressing the exploit was distributed on July 8th, almost two months after Pwn2Own took place. The patch was later criticised for failing to adequately address the exploit, and attacks continued.

Meanwhile, and perhaps separately from China's abuse of the vulnerability, several open-source proofs of concept were cropping up on the clearnet. The first large-scale ToolShell attack was detected on July 18th, with 54 separate organisations identified as compromised. Numerous repositories weaponising the exploit appeared on GitHub throughout July, including a new 0-day adaptation published by user "gboddin" on July 21st. Around this time a module for Rapid7's Metasploit was also released publicly; Metasploit is open-source penetration testing software used by researchers (and bad actors) worldwide, so the exploit was now available to everybody and easy to perform. Full details of the original exploit as exhibited at Pwn2Own Berlin were released by Viettel Cyber Security on July 24th, referencing Microsoft's ongoing work on patching the growing number of vulnerabilities associated with the attacks.

By late July, the exploit had been effectively patched and detections had been added to Microsoft Defender antivirus, though SharePoint attacks continued into August because some organisations delayed applying the patches. In Vietnam, for example, only 25% of exposed SharePoint servers had applied Microsoft's patches as of July 24th.

This is an interesting tale about how a competition designed to stamp out exploits before they can be abused led to a rapid, widescale attack on SharePoint servers the world over. Attacks came from multiple directions, from a potential leak from Microsoft's MAPP program to the reverse engineering of code snippets posted by other security vendors. Patches for the vulnerabilities, which grew in number as researchers and bad actors continued to develop new 0-days from the original exploit, were slow to be issued, slow to be rolled out and initially ineffective, creating the conditions for a multi-pronged campaign that lasted well over a month.

Aftermath

Among the first detections of the exploit in the wild, Microsoft identified the signatures of three notorious threat groups linked to the Chinese state: Linen Typhoon, Violet Typhoon and Storm-2603. These detections were made as early as July 7th, a week and a half after the first MAPP notice and a week before notable proofs of concept were announced on X. These groups are believed to have used the ToolShell attack chain to deploy the 4L4MD4R and Warlock ransomware variants onto enterprise servers, encrypting files and demanding a ransom paid in bitcoin. A cybercrime outfit named LuckyMouse, another group of Chinese origin, was also identified as using ToolShell. The presence of state actors known for espionage as well as ransomware groups suggests multiple motivations for attack, and indicates that several campaigns using ToolShell were being conducted concurrently.

As for the damage caused, attackers likely chose targets from among the 16,000 publicly exposed SharePoint servers across the world. Eye Security initially disclosed over 400 compromised networks following the first waves of the attack, including critical government agencies such as America's National Nuclear Security Administration, the Department of Energy and the Department of Homeland Security. Research suggests that attacks carried out between July 17th and July 22nd disproportionately affected organisations in western Europe and the United States.

Lessons Learnt

While services such as SharePoint are well maintained, operated by respectable companies and patched frequently, they should never be considered invulnerable. Keep your software updated, ensure that up-to-date antivirus software is running, and consider rotating machine keys; for compromised systems this is an important step, since it prevents an attacker from reusing stolen authentication keys even after patches have been applied. In addition, network operators should add the IP addresses listed in published Indicators of Compromise (IOCs) from security research firms to their firewall blocklists.
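The machine key rotation step above, as an added example that is not part of the original article and not Microsoft's own script: it follows Microsoft's published customer guidance for CVE-2025-53770 and assumes SharePoint Server 2016 or later (where the Update-SPMachineKey cmdlet exists), run from the SharePoint Management Shell by a farm administrator.

```powershell
# Added example (not from the original article): rotate the ASP.NET machine keys
# of every SharePoint web application after patching, then restart IIS so the
# new keys take effect. Assumes SharePoint Server 2016+ and a farm administrator
# session; the loop and logging are this example's own, not Microsoft's script.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Include Central Administration so its keys are rotated along with content apps.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($app in $webApps) {
    Write-Output "Rotating machine keys for $($app.Url)"
    # Generates new validation/decryption keys for this web application across
    # the farm, invalidating any keys an attacker may have stolen earlier.
    Update-SPMachineKey -WebApplication $app
}

# New keys are only picked up by fresh worker processes; restart IIS on this
# server and repeat the restart on every other server in the farm.
iisreset.exe
```

Rotate only after the security updates are installed, otherwise an unpatched server can simply be re-exploited and its fresh keys stolen again.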

Sources

https://x.com/_l0gg/status/1943256506675401106
https://x.com/ViettelCyberSec
https://www.securityweek.com/hackers-earn-over-1-million-at-pwn2own-berlin-2025/
https://x.com/codewhitesec/status/1944743478350557232
https://x.com/irsdl/status/1946166765316161634
https://www.helpnetsecurity.com/2025/07/20/microsoft-sharepoint-servers-under-attack-via-zero-day-vulnerability-with-no-patch-cve-2025-53770/
https://www.microsoft.com/en-us/msrc/mapp
https://www.cryptopolitan.com/microsoft-investigates-sharepoint-exploit/
https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2025-patch-tuesday-fixes-one-zero-day-137-flaws/
https://research.eye.security/sharepoint-under-siege/
https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-attacks-targeting-microsoft-sharepoint-servers/
https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501
https://blog.viettelcybersecurity.com/sharepoint-toolshell/
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
https://blog.viettelcybersecurity.com/toolshell-a-critical-sharepoint-vulnerability-chain-under-active-exploitation/
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
