In a troubling escalation of cybersecurity threats, over 400 Microsoft SharePoint servers have been compromised by ransomware groups, as reported by researchers from Eye Security in late July 2025. The affected servers included various versions of SharePoint, particularly the SharePoint Enterprise Server 2016, SharePoint Server 2019, and the SharePoint Server Subscription Edition. Significantly, high-profile entities such as the US Department of Energy and the National Nuclear Security Administration were targeted, underscoring the severity of the situation, with the US Department of Education also facing breaches.
Cybersecurity experts have identified the primary vulnerabilities exploited in these attacks as CVE-2025-49704, allowing remote code execution, and CVE-2025-49706, which permits network spoofing. Along with these, related vulnerabilities like CVE-2025-53770 and CVE-2025-53771 further complicate security measures, as they extend the original exploit chain. Known collectively as the “ToolShell” exploit chain, these vulnerabilities provide unauthenticated access to SharePoint content, leaving sensitive data vulnerable to exploitation. Furthermore, Microsoft is currently monitoring ongoing exploitation activities by the threat group Storm-2603, emphasizing the urgency for a timely response.
Cybersecurity experts have pinpointed critical vulnerabilities enabling remote code execution and network spoofing, complicating defenses against ongoing attacks.
The Chinese hacking group Storm-2603 has emerged as a significant threat actor, deploying Warlock ransomware across the breached SharePoint servers. The deployment is characterized by modifying Group Policy Objects, which facilitates the propagation of ransomware within compromised networks. The financial impact of these breaches could be devastating, with data breach costs averaging $4.45 million per incident.
In addition, attackers have been known to employ tactics like the use of Mimikatz for credential extraction, alongside lateral movement techniques utilizing tools such as PsExec and the Impacket toolkit, enhancing their operational efficiency. The strategic use of webshells and malicious DLLs allows adversaries to maintain control over compromised servers, while the encryption of sensitive files disrupts organizational operations.
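The tactics described above (a webshell on the SharePoint server, PsExec for lateral movement, and Group Policy Object modification to spread the ransomware) each leave a characteristic trace in Windows logging. The following is an added triage example, not code from Eye Security, Microsoft, or the report itself: it runs a few simple detection rules over constructed, simplified event records. The event IDs are real Windows Security/System log IDs (4688 process creation, 4663 object access, 7045 service installation, 5136 directory service object modified), but the record field names and the sample events are this example's own simplification, and the SharePoint LAYOUTS path check is an assumed heuristic rather than an indicator from the page.

```python
import ntpath

# Constructed sample events (not real telemetry). Fields are simplified
# versions of what the corresponding Windows event records carry.
SAMPLE_EVENTS = [
    # Normal IIS worker process start: not suspicious on its own.
    {"id": 4688, "host": "sp-web01",
     "process": r"C:\Windows\System32\inetsrv\w3wp.exe", "parent": r"C:\Windows\System32\services.exe"},
    # IIS worker process spawning a shell: typical of webshell command execution.
    {"id": 4688, "host": "sp-web01",
     "process": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # A new .aspx file written under the SharePoint LAYOUTS directory (assumed path).
    {"id": 4663, "host": "sp-web01", "access": "WriteData",
     "path": r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\x.aspx"},
    # PsExec installs its PSEXESVC service on the target it moves to.
    {"id": 7045, "host": "fs01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # A Group Policy Object attribute changed in the directory.
    {"id": 5136, "host": "dc01", "object_class": "groupPolicyContainer",
     "attribute": "gPCMachineExtensionNames"},
    # Benign interactive activity, should not match anything.
    {"id": 4688, "host": "ws07",
     "process": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

# Interpreters that an IIS worker process has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def triage(events):
    """Apply four defensive rules and return (host, rule_name) findings in log order."""
    findings = []
    for e in events:
        eid = e.get("id")
        if eid == 4688:
            # ntpath handles Windows paths regardless of the analyst's OS.
            parent = ntpath.basename(e.get("parent", "")).lower()
            child = ntpath.basename(e.get("process", "")).lower()
            if parent == "w3wp.exe" and child in SHELLS:
                findings.append((e["host"], "webshell_exec"))
        elif eid == 4663:
            path = e.get("path", "").lower()
            if (e.get("access") == "WriteData" and path.endswith(".aspx")
                    and "\\layouts\\" in path):
                findings.append((e["host"], "webshell_drop"))
        elif eid == 7045:
            if e.get("service", "").upper() == "PSEXESVC":
                findings.append((e["host"], "psexec_service"))
        elif eid == 5136:
            if e.get("object_class") == "groupPolicyContainer":
                findings.append((e["host"], "gpo_modified"))
    return findings


def hosts_by_rule(findings):
    """Group findings so responders can see which hosts triggered which rule."""
    grouped = {}
    for host, rule in findings:
        grouped.setdefault(rule, []).append(host)
    return grouped


if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The rules are deliberately narrow so they can be read and tuned: a `w3wp.exe` parent launching a shell and a fresh `.aspx` under the web application's directory are the two cheapest webshell signals, while a `PSEXESVC` service install and a `groupPolicyContainer` modification on a domain controller correspond to the lateral movement and GPO-based propagation the report attributes to Storm-2603. In a real deployment these would be fed from EDR or SIEM exports rather than an inline list.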
Importantly, some attacks have been linked to state-backed actors, raising concerns about the geopolitical implications of these cybersecurity breaches. The ongoing exploitation and widespread replication of such attacks signify a persistent threat environment that organizations must navigate in safeguarding their digital assets against increasingly sophisticated adversaries.