
A security patch released by Microsoft earlier this month failed to fully fix a critical flaw in the US tech company's SharePoint server software identified at a hacking competition in May, opening the door to a sweeping global cyber espionage operation, according to a timeline of events.
A Microsoft spokesperson confirmed on Tuesday that its initial solution did not work. The spokesperson added that Microsoft had released further patches that fixed the issue.
Around 100 organisations were targeted over the weekend and thousands more are expected to be impacted as other hackers join the fray.
Microsoft said in a blog post that two allegedly Chinese hacking groups, dubbed "Linen Typhoon" and "Violet Typhoon," were exploiting the vulnerabilities, along with another China-based hacking group, in a first wave of attacks.
Charles Carmakal, CTO at Google Cloud’s Mandiant Consulting, also said an initial assessment shows at least one of the actors responsible for the early exploitation is a China-nexus threat actor.
“It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well," Carmakal said in a statement sent to Cybernews.
We added Microsoft SharePoint server remote code execution vulnerability CVE-2025-53770 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #ToolShell pic.twitter.com/Y6aNU7o1B9
CISA Cyber (@CISACyber), July 20, 2025
Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies carrying out hacking operations. In an emailed statement, the Chinese embassy in Washington said China opposes all forms of cyberattacks and "smearing others without solid evidence."
SharePoint vulnerability identified in May
The SharePoint vulnerability that facilitated the attack was first identified in May at a hacking competition in Berlin organised by cybersecurity firm Trend Micro, which offered cash bounties for discovering computer bugs in popular software.
It offered a $100,000 prize for "zero-day" exploits against SharePoint, Microsoft's flagship document management and collaboration platform. Such exploits are so called because they leverage previously undisclosed weaknesses for which no fix yet exists.
A researcher working for the cybersecurity arm of Viettel, a telecommunications firm operated by Vietnam's military, identified a SharePoint bug at the event, dubbed it "ToolShell" and demonstrated a method of exploiting it.
The researcher was awarded $100,000 for the discovery, according to a post on X by Trend Micro's "Zero Day Initiative."
In a statement, Trend Micro said it was the responsibility of vendors participating in its competition to patch and disclose security flaws in "an effective and timely manner," adding: "Patches will occasionally fail. This has happened with SharePoint in the past."
Kunal Agarwal, Founder & CEO of dope.security told Cybernews that the exploit is yet another example of what happens when organizations expose outdated, on-prem systems to the public internet.
“SharePoint is nearly two decades old, and the on-prem version hasn’t aged well. There are tons of modern, cloud-native alternatives available, and continuing to rely on legacy infrastructure for collaboration is not only risky, it’s unnecessary,” Agarwal said.
“Threat actors today are faster, smarter, and chained exploits like ToolShell prove just how quickly technical debt can become an open door,” he added.
Over 8,000 servers at risk
Microsoft said in a July 8 security update that it had identified the bug, listed it as a critical vulnerability, and released patches to fix it.
About 10 days later, however, cybersecurity firms started to notice an influx of malicious online activity targeting the same software the bug affected: SharePoint servers.
"Threat actors subsequently developed exploits that appear to bypass these patches," British cybersecurity firm Sophos said in a blog post on Monday.
The pool of potential ToolShell targets remains vast. According to data from Shodan, a search engine that helps identify internet-linked equipment, over 8,000 servers online could theoretically have already been compromised by hackers.
Those servers include major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities.
The Shadowserver Foundation, which scans the internet for potential digital vulnerabilities, put the number at a little more than 9,000, while cautioning that the figure was a minimum.
It said most of those affected were in the United States and Germany, and the victims included government organisations.
Germany's federal office for information security, BSI, said on Tuesday it had found SharePoint servers within government networks that were vulnerable to the ToolShell attack, but none had been compromised.