Microsoft fixes 2 SharePoint zero-days under attack
More details emerged on the ToolShell zero-day attacks targeting SharePoint servers, but confusion remains over the vulnerabilities.
Microsoft has observed three China-based threat actors, Linen Typhoon, Violet Typhoon and Storm-2603, exploiting the SharePoint vulnerabilities.
Microsoft is following up and is also releasing a patch for the 2016 edition of SharePoint. Admins should install this immediately.
A "zero-day" attack is one that targets a previously unknown vulnerability. Tens of thousands of servers are said to be at risk. While the issue is serious, it differs from several previous vulnerabilities related to Microsoft. The attack only affects on-premises servers; cloud-based servers are unaffected.
Exploitation of the ToolShell RCE zero-day in Microsoft SharePoint continues to gather pace, with evidence emerging of exploitation by nation state-backed threat actors.
Microsoft has released two emergency patches to address zero-day vulnerabilities that have been found in SharePoint RCE. Actively exploited in attacks, the two flaws (tracked as CVE-2025-53770 and CVE-2025-53771) are both “ToolShell” attacks that compromise services and that build on flaws that were fixed as part of July’s Patch Tuesday updates.
Microsoft has now released a patch, but attackers were not idle over the weekend. Dozens of SharePoint installations fell victim to "ToolShell".
At least 85 servers worldwide have been compromised through a Microsoft service vulnerability that has been used to achieve remote code execution.