Client advisory: Microsoft SharePoint vulnerabilities actively exploited

Critical vulnerabilities in Microsoft SharePoint are currently being exploited, posing a serious threat to exposed systems. We’re alerting businesses and urging insureds to take steps to reduce risk.

Cyber Advisory, Thu, Jul 24, 2025

What we know

The SharePoint platform, part of the Microsoft 365 suite used to store, share and access documents, is being actively exploited by threat actors. Multiple critical vulnerabilities have been identified so far, including CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-54313, and CVE-2025-53771. Each poses a significant risk to exposed systems and requires remediation to protect businesses from the threat. As of July 24, it has been reported that over 200 systems have been exploited worldwide.

To proactively protect our clients, CFC has created a proprietary scanning tool to rapidly identify vulnerable and compromised SharePoint systems across our portfolio. We’re sending critical threat notifications to impacted insureds, with guidance on how to close the vulnerabilities. As ever, our cyber security team is on hand to offer support 24/7.

What’s happening?

The exploitation campaign – dubbed ToolShell – involves leveraging multiple interrelated vulnerabilities in Microsoft SharePoint, allowing threat actors to gain unauthorized access and navigate targeted systems. This is done by:

  • Using CVE-2025-49706 to spoof authentication headers
  • Exploiting CVE-2025-49704 to execute code
  • Bypassing patches by using CVE-2025-53770 and CVE-2025-53771
  • Deploying web shells to entrench themselves in the environment

Imagine SharePoint as a locked filing cabinet meant only for authorized personnel. These vulnerabilities allow attackers to pick the lock, impersonate staff and slip in through a side door even after the locks have been changed – what’s called a “patch bypass”.

Once inside, threat actors can execute code, steal credentials and even move laterally to other tools, enabling them to monitor communications in secret, steal sensitive documents, and encrypt systems and demand a ransom.

Microsoft has attributed these attacks to Chinese nation-state actors. Groups such as Linen Typhoon and Violet Typhoon – both known for their espionage-focused operations targeting government and NGO sectors – have been active, while Storm-2603 has reportedly used the vulnerabilities to deploy Warlock ransomware.

How to help protect your business

The technical impact of these attacks is significant. To help stay ahead of the threat, we recommend taking the remediation steps provided by Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) as quickly as possible.

On top of these actions, our security team recommends that businesses:

  • See Microsoft’s mitigation guidance for step-by-step vulnerability patching advice
  • Review and apply available patches for SharePoint immediately
  • Monitor closely for any signs of suspicious activity or exploitation attempts
  • Investigate any outbound or inbound traffic anomalies related to SharePoint services
  • Use the detection patterns and IOCs provided to proactively identify potential compromises
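As an added illustration of the monitoring and IOC steps above (this is example code written for this advisory, not CFC’s scanning tool and not Microsoft or CISA guidance), the Python script below triages IIS W3C logs from a SharePoint front end. It reads the column layout from the `#Fields:` header, matches each request against an indicator list, and separately flags successful unauthenticated POST requests to pages under `/_layouts/` from outside the internal address ranges. The indicator list, the internal ranges, the heuristic and the log lines are all constructed placeholders: the real indicator list should come from the official IOC publications referenced above.

```python
"""Triage of IIS W3C logs from a SharePoint front end.

Added example for this advisory; not CFC's, Microsoft's or CISA's tooling.
IOC_PATTERNS is a constructed PLACEHOLDER list: replace it with the detection
patterns and IOCs distributed with the official guidance. The sample log
lines and the internal network ranges are constructed as well.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# PLACEHOLDER indicators (assumed to be substrings matched case-insensitively
# against the request path and query). Populate from the official IOC list.
IOC_PATTERNS = [
    "/_layouts/15/PLACEHOLDER_WEBSHELL.aspx",
]

# Assumption: address ranges whose users legitimately reach this SharePoint.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample log in IIS W3C format (one placeholder indicator hit,
# one external unauthenticated POST, two ordinary internal requests).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-21 09:12:03 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 alice 10.0.4.12 Mozilla/5.0 https://sp.example.internal/sites/finance 200 0 0 120
2025-07-21 09:12:41 10.0.0.5 POST /_layouts/15/PLACEHOLDER_WEBSHELL.aspx - 443 - 203.0.113.77 python-requests/2.31 - 200 0 0 45
2025-07-21 09:13:02 10.0.0.5 POST /_layouts/15/upload.aspx List=abc 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 210
2025-07-21 09:14:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 bob 10.0.4.40 Mozilla/5.0 - 200 0 0 80
"""


@dataclass
class Finding:
    client_ip: str
    uri: str
    reasons: list = field(default_factory=list)


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip_text, nets):
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def triage(records, ioc_patterns, internal_nets):
    """Return one Finding per record that matches an IOC or the heuristic."""
    findings = []
    for rec in records:
        stem = rec["cs-uri-stem"]
        query = rec["cs-uri-query"]
        target = stem if query == "-" else f"{stem}?{query}"
        reasons = []
        if any(p.lower() in target.lower() for p in ioc_patterns):
            reasons.append("ioc_match")
        # Heuristic (an assumption of this example, not from the advisory):
        # a successful POST to a page under /_layouts/ with no authenticated
        # user, from outside the internal ranges, deserves a closer look.
        if (rec["cs-method"] == "POST"
                and stem.lower().startswith("/_layouts/")
                and rec["cs-username"] == "-"
                and rec["sc-status"] == "200"
                and not is_internal(rec["c-ip"], internal_nets)):
            reasons.append("external_unauth_post_layouts")
        if reasons:
            findings.append(Finding(rec["c-ip"], target, reasons))
    return findings


def requests_by_client(records):
    """Request volume per client address, for spotting traffic anomalies."""
    return Counter(rec["c-ip"] for rec in records)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for f in triage(recs, IOC_PATTERNS, INTERNAL_NETS):
        print(f"{f.client_ip} {f.uri} {','.join(f.reasons)}")
    print(requests_by_client(recs).most_common(3))
```

Run against real logs, replace `SAMPLE_LOG` with the contents of the IIS log files from each SharePoint front end and `IOC_PATTERNS` with the published indicators; a hit on the heuristic alone is a lead to investigate, not proof of compromise.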

Please note, guidance is subject to change as new intelligence is processed.

Clients can get in touch via our Response app to report any suspicious activity, or use the ‘Ask the expert’ function for any questions. You can also reach us at customersupport@cfc.com for questions or support.