Just days after the official patch was released, hackers figured out how to bypass the new protections, released exploit code and began real-world attacks. This is no longer a potential risk but a deliberate campaign targeting SharePoint, a vulnerability that many internal systems have still not been properly hardened against.
On July 18, 2025, the U.S. Department of Energy’s National Nuclear Security Administration (NNSA) was confirmed to be the victim of an intrusion. Although only a few systems were affected and no confidential data leak has been recorded, the incident has raised concern across the global cybersecurity community.
In Vietnam, White Hat experts have not recorded similar cases, but the risk is real, especially for organizations still running SharePoint Server on-premises that have not fully applied the patches.
Biggest breach in the first half of 2025
A new pair of 0-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) appeared shortly after the July 8, 2025 patch for two earlier holes (CVE-2025-49704 and CVE-2025-49706). What is worrying is that the new vulnerabilities bypass the patched protection, suggesting that hackers are following each change and exploiting it in new, faster and more dangerous ways.
Just 6 days later, on July 14, 2025, proof-of-concept (PoC) exploit code was published. This speed left organizations with little time to defend before the attack tooling spread.
Notably, actual exploitation was recorded from July 17, before Microsoft confirmed the vulnerability on July 19. This suggests the attack groups were at least a few days ahead of the defenders.
In response to the emergency, CISA ordered all affected systems to be patched within 24 hours of July 22. Such an emergency directive is rare and reflects the particular severity of this vulnerability.
As of today, July 24, 2025, that deadline has passed. Any system whose owners are still hesitating to patch is at heightened risk.
Why is ToolShell more dangerous than the previous vulnerabilities?
Technically, ToolShell is a new variant of the previously disclosed vulnerability (CVE-2025-49704), allowing an attacker to remotely execute malicious code on the server without any form of authentication. The combination of authentication bypass and remote code execution (RCE) greatly increases the risk.
The vulnerability stems from unsafe processing of input data (deserialization), which lets attackers send encoded chunks disguised as valid data into the system and thereby gain control of the server.
Even more dangerous, if an attacker obtains the internal security key (MachineKey), they can easily forge payloads, move laterally within the system, and maintain access for long periods without being detected.
Even after the system is patched, unless the MachineKey is rotated and any web shells are removed, hackers keep a “key to the back door”. A long-term presence makes post-incident cleanup much more complicated.
ToolShell also allows chaining the four vulnerabilities CVE-2025-53770, CVE-2025-53771, CVE-2025-49704 and CVE-2025-49706 to extend the attack surface, making the system difficult to defend.
Why is SharePoint a target?
Not only in Vietnam, SharePoint is a popular document management and sharing platform, widely used in state agencies, educational institutions, hospitals, businesses and many large organizations around the world.
When compromised, it is not just a place where data is stolen but a springboard for moving deeper into the network. In on-premises deployments, patching is often delayed by customized configurations, outdated systems and the lack of a timely update process, which creates opportunities for hackers.
A wide attack surface with many endpoints, such as the less-monitored /ToolPane.aspx, can also become an ideal “backdoor” when vulnerabilities exist.
Finally, the gap between SharePoint on-premises and cloud releases makes unmigrated systems easy targets for large-scale scans on the Internet.
Summary
This incident shows that internal collaboration platforms are no longer in a safe zone. They are a gateway to core data, and when they are compromised, the damage is not limited to the documents themselves.
Patching is a necessary condition, but not a sufficient one. Organizations also need to verify that patches were applied, check for signs of bypass, and schedule compensating updates. Secrets such as the MachineKey must be rotated periodically and controlled as strictly as an admin account.
If SharePoint must be exposed to the Internet, place it behind a WAF, monitor it closely, segment the network, and reduce access. Modern defense cannot rely on signatures alone; it needs behavior-based monitoring, from anomaly detection in PowerShell activity and ASPX files through to unknown outbound traffic.
Remove systems that have reached end of life, such as SharePoint 2013. Just as importantly, organizations should rehearse a SharePoint compromise scenario, because when it happens, response speed is vital.
The attack tools are in place. The patch is available. The remaining question is: will your system be ready before the hackers are?
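As an added defender-side example (not from the original article, Microsoft, or any vendor), the following Python routine scans IIS W3C log lines for two of the signals the article points to: unauthenticated POST requests to the ToolPane.aspx endpoint and requests to .aspx pages under /_layouts/ that are not in a known baseline, which is how a dropped web shell would surface in web logs. The log lines, the baseline set and the file name unexpected.aspx are constructed for illustration; a real baseline would be generated from a clean install.

```python
from urllib.parse import unquote

# Constructed baseline of _layouts pages this farm is expected to serve.
# In practice, build this list from a clean SharePoint installation.
KNOWN_LAYOUTS_PAGES = {"start.aspx", "settings.aspx", "toolpane.aspx", "viewlsts.aspx"}

# Constructed sample IIS log (not real traffic). Field order matches the #Fields line.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 10:01:02 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 443 CORP\\alice 10.0.1.7 Mozilla/5.0+(Windows) - 200
2025-07-20 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 python-requests/2.32 - 200
2025-07-20 10:01:15 10.0.0.5 GET /_layouts/15/unexpected.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200
2025-07-20 10:02:00 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\bob 10.0.1.8 Mozilla/5.0+(Windows) - 200
"""

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "referer", "status"]


def parse_iis_line(line):
    """Split one W3C log line into a dict keyed by FIELDS; None if the shape is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def flag_suspicious(log_text):
    """Return (reason, client_ip, path) tuples for requests an analyst should review."""
    findings = []
    for raw in log_text.splitlines():
        if not raw or raw.startswith("#"):
            continue  # skip W3C directive lines
        rec = parse_iis_line(raw)
        if rec is None:
            continue
        # IIS paths are case-insensitive; normalise before matching.
        path = unquote(rec["uri_stem"]).lower()
        page = path.rsplit("/", 1)[-1]
        if "/_layouts/" not in path:
            continue
        if page == "toolpane.aspx" and rec["method"] == "POST" and rec["username"] == "-":
            findings.append(("unauthenticated POST to ToolPane.aspx", rec["c_ip"], path))
        elif page.endswith(".aspx") and page not in KNOWN_LAYOUTS_PAGES:
            findings.append(("aspx page not in baseline (possible web shell)", rec["c_ip"], path))
    return findings


if __name__ == "__main__":
    for reason, ip, path in flag_suspicious(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

Hits on the second rule should be cross-checked against the LAYOUTS directory on disk, since a page absent from the baseline but present on the server is the stronger indicator.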