This Is ‘Just The Beginning’ Of Threats From Microsoft SharePoint Flaw: Researchers
While all patches against ‘ToolShell’ exploits are now available for on-premises SharePoint Servers, attackers will be looking to utilize the vulnerabilities for months to come, security researchers tell CRN.
While Microsoft has now released all patches for on-premises SharePoint Servers to protect against the wave of “ToolShell” attacks, attackers will be looking to exploit the vulnerabilities for months to come and affected organizations should remain highly vigilant, security researchers told CRN.
In part, that’s because patching is not sufficient to evict the threats, with rotation of machine keys being another essential step to ensure attackers no longer have access to systems, the experts said.
“Patches alone won’t keep you secure if actors already got in,” said Cynthia Kaiser, formerly a longtime FBI cybersecurity leader who is now senior vice president at anti-ransomware startup Halcyon.
Ultimately, for companies impacted by the vulnerabilities, there will likely be an “extra measure of diligence and detection” required beyond what they would have seen with previous vulnerabilities, she told CRN.
The ToolShell cyberattack campaign involves exploitation of on-premises Microsoft SharePoint Servers using a critical-severity remote code execution vulnerability (tracked as CVE-2025-53770) chained with a spoofing vulnerability (tracked as CVE-2025-53771).
Researchers have estimated that at least several hundred organizations globally have been compromised so far, reportedly including U.S. government agencies, educational institutions and organizations that manage critical infrastructure.
Even with the impacts seen so far, however, “we really need to think about this just being the beginning of actors operationalizing this vulnerability,” said Kaiser, whose prior roles included serving as deputy assistant director for the FBI Cyber Division. “This could have reverberations for months to come.”
Microsoft released emergency patches to address the vulnerabilities in the SharePoint Server Subscription Edition and SharePoint Server 2019 on Sunday, followed by the remaining fixes for SharePoint Server 2016 on Monday.
In its customer guidance advisory, Microsoft has also called it “critical” that customers rotate their SharePoint server keys, known as ASP.NET machine keys, in addition to patching.
The fact that attackers are exfiltrating the cryptographic keys associated with SharePoint servers is potentially “allowing them to wait until a desired time to exploit those servers,” said Quentin Rhoads-Herrera, vice president for security services at Stratascale, a subsidiary of SHI International, No. 12 on CRN’s Solution Provider 500 for 2025.
Thus, if impacted organizations don’t rotate those cryptographic keys, “they’re essentially leaving themselves exposed to later attacks,” Rhoads-Herrera said.
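Rotating the ASP.NET machine keys after patching is the step the researchers above single out, because stolen keys let an attacker return later regardless of whether the code-execution bug is fixed. The script below is an added illustration of that step, not code from the article or from Microsoft's advisory. It assumes the SharePoint Management Shell on a farm server that already has the fix installed, and that the Update-SPMachineKey cmdlet is available (it is present on SharePoint Server 2019 and Subscription Edition; the cmdlet name, the per-web-application loop and the build-number check are assumptions to verify against Microsoft's own guidance for your version).

```powershell
# Added example, not from the article or Microsoft's advisory.
# Assumes: SharePoint Management Shell on a patched farm server, and the
# Update-SPMachineKey cmdlet (SharePoint 2019 / Subscription Edition).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotate only AFTER the security update is installed: keys rotated on an
# unpatched server can simply be exfiltrated again.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"
# Compare the build above with the patched build listed in Microsoft's advisory
# before continuing; abort here if the farm is still on an older build.

# Rotate the ASP.NET machine keys (ValidationKey / DecryptionKey) for every
# web application in the farm, including Central Administration.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# Recycle IIS so the worker processes load the new keys from web.config.
# In a multi-server farm, run this on every server that hosts the web applications.
iisreset
```

The order matters: patch first, then rotate, then restart IIS on every front-end server. After rotation, any ViewState an attacker had pre-signed with the old keys fails validation, which is why the researchers treat this as essential rather than optional; the server logs from before the rotation are still worth reviewing for signs of earlier access.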
Among the attackers now actively exploiting vulnerable on-premises Microsoft SharePoint servers, at least one has shown indications of originating from China, according to the assessment of Mandiant researchers.
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” Charles Carmakal, CTO at Google Cloud-owned Mandiant Consulting, said in a statement provided by email Monday.
“It’s critical to understand that multiple actors are now actively exploiting this vulnerability,” he said in the statement. “We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”
In its own threat intelligence update post Tuesday, Microsoft disclosed further details suggesting exploitation activity from China-linked attackers.
“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” Microsoft researchers wrote in the post. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”
A Continuing Risk
Rhoads-Herrera said there is no question that many threat actors will be looking to exploit the vulnerabilities, and the full impacts will likely only become clear down the road.
“We’ll definitely be hearing about this for some time,” he said.
For impacted organizations and their security teams, the threat deserves to be given a high priority even after patching has been completed, according to Rhoads-Herrera. And there may even be additional, related vulnerabilities coming to light for SharePoint Servers.
“Normally, where there is one [vulnerability], there are many,” he said. “Clients should be highly vigilant in their SharePoint instances in the coming weeks and months.”
Meanwhile, Microsoft is pursuing investigations into other attackers exploiting the existing SharePoint Server flaws, Microsoft researchers wrote in the post Tuesday.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the researchers wrote in the post.