The “ToolShell” Summer: SharePoint zero-days, real-world fallout, and Microsoft’s new rules

by | Jul 23, 2025 | Cyber News, Security

What happened. In mid-July 2025, attackers chained two SharePoint zero-days (CVE-2025-53770/53771), rapidly compromising hundreds of orgs across government, healthcare, and finance. CISA added them to KEV and issued analysis, and Microsoft confirmed active exploitation (Storm-2603 and other “Typhoon” groups). Even the U.S. NNSA saw limited impact. Microsoft then restricted early vulnerability sharing (MAPP) for some Chinese firms and stopped distributing PoC code to reduce abuse.

Why it matters. It’s a blueprint for how fast zero-days propagate through on-prem collaboration stacks—and how vendor intel programs themselves can be abused.

Blade’s POV: what to do now.

  • Treat collaboration servers as Tier-0: segregate, EDR+inline WAF, and strict egress.
  • Patch pathways, not just CVEs: block the full ToolShell chain and watch for living-off-the-land pivots.
  • Assume credential theft and rotate secrets tied to SharePoint app pools.
  • Run purple-team replay of the ToolShell TTPs against your environment.
