A total of 396 compromised systems have been identified following the widespread exploitation of the Microsoft SharePoint zero-day vulnerability known as ToolShell (CVE-2025-53770/53771).
Eye Security, the Dutch company that discovered the global zero-day, analyzed 27,000 SharePoint servers between July 18 and 23 and confirmed the compromise affected at least 145 unique organizations across 41 countries.
Many commentators have noted that long-term, the number of affected organizations is likely to grow.
The US was the country with the most successfully attacked organizations, making up 31% of the total. Mauritius (8%), Germany (7%) and France (5%) were also among those affected.
Eye Security told Infosecurity that while it couldn’t be certain, Mauritius could have been among the most targeted due to the strong presence of US government entities in the region.
The firm also identified two organizations in Jordan that were affected. Eye Security noted these both experienced an “unusually high volume of attacks.”
Government Organizations Most Targeted
The government sector accounted for 30% of all confirmed infections. Reports have suggested that the US Nuclear Weapons Agency, Department of Homeland Security and Department of Health and Human Services were among the victims, but no official confirmation has come from these agencies at the time of writing.
Large organizations, especially government agencies, typically use on-premises Microsoft SharePoint in their technology stack. Using SharePoint on-premises allows organizations to have greater control over the information they store on these systems.
“From the data, it’s clear this wasn’t a random or opportunistic campaign. The attackers knew exactly what they were looking for,” said Lodi Hensen, VP of Security Operations at Eye Security.
The cybersecurity firm told Infosecurity it was clear the attackers didn’t go after every vulnerable organization.
“Instead, they appeared to focus on those that were likely to be of particular strategic or intelligence value, suggesting a targeted and deliberate approach,” the security firm said.
The firm also said there was a strong suggestion that these organizations were targeted as part of intelligence-led operations.
The education sector accounted for 13% of the attacks worldwide, followed by SaaS providers (9%), telecommunications firms (4%) and power grids (4%).
Attacks Expected to Continue
Eye Security expects continued abuse of the SharePoint flaw in the coming weeks, with ransomware and supply chain threats likely to follow.
Microsoft attributed the initial attacks to China-linked actors including Linen Typhoon, Violet Typhoon and Storm-2603.
However, more recent activity suggests that exploitation is not limited to state-backed groups.
“Once a zero-day becomes public and technical details begin to circulate, other state and non-state actors tend to follow. That includes cybercriminal groups with very different motives, especially those focused on financial gain,” said Hensen.
Low-skilled actors may now be able to take advantage of the vulnerability. Eye Security explained that the exploit has now been incorporated into open-source tools such as Metasploit, making it trivial for even low-skilled attackers to exploit unpatched systems.
Outside of the three threat actors identified by Microsoft, Eye Security has not attributed the attacks to other groups.
However, the firm told Infosecurity that given the public availability of the exploit, it’s very likely that additional threat actors are also taking advantage of this vulnerability.
Eye Security directly notified its customers and partners about the threat on July 21 and is now urging all organizations using on-premises SharePoint to assume breach, verify patching and conduct thorough threat hunting.