SharePoint Zero-Day Exploit (ToolShell) - Network Infrastructure Mapping

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Chinese threat actors have been exploiting zero-day vulnerabilities in SharePoint servers, known as ToolShell, affecting nearly 150 organizations worldwide. The attacks, attributed to groups like Linen Typhoon and Violet Typhoon, began as early as July 17, 2025, targeting government agencies, critical infrastructure, universities, and private enterprises. The exploitation involved chaining multiple vulnerabilities and deploying reconnaissance tools. Attackers utilized a diverse network infrastructure, including cloud services and VPNs across multiple countries, to obscure their origin. The campaign highlights the sophisticated tactics employed by Chinese actors in abusing global telecommunication and cloud infrastructure for cyber espionage operations.

OPENCTI LABELS:

cloud infrastructure, zero-day, reconnaissance, webshell, chinese threat actors, sharepoint, cve-2025-53771, cve-2025-53770, cve-2025-49704, cve-2025-49706, warlock ransomware, network mapping, telecommunication abuse, mapp