Concise Cyber

Chinese Threat Actors Exploit Patched SharePoint Flaw CVE-2025-53770 in Global Espionage Campaign

Threat actors with connections to China exploited the ToolShell vulnerability in Microsoft SharePoint, targeting organizations worldwide weeks after a patch was released in July 2025. According to a report from Broadcom’s Symantec Threat Hunter Team, the cyber espionage campaign leveraged the flaw to breach entities in the telecommunications, government, and education sectors. The attacks highlight the speed with which state-sponsored groups can weaponize newly disclosed vulnerabilities.

The campaign involved at least three Chinese threat groups, including the known actors Linen Typhoon (also called Budworm) and Violet Typhoon (Sheathminer). These groups weaponized the vulnerability as a zero-day before it was publicly detailed.

Vulnerability Details: CVE-2025-53770

The exploited flaw, tracked as CVE-2025-53770, is a critical vulnerability in on-premises SharePoint servers. It allows an attacker to bypass authentication and achieve remote code execution on a targeted server. Researchers have assessed that CVE-2025-53770 is a patch bypass for two earlier vulnerabilities, CVE-2025-49704 and CVE-2025-49706. The successful exploitation of this bypass shows that threat actors keep probing for new ways into secured networks even after the initial flaws have been addressed.

International Targets and Sectors

The scope of the attacks was global. A telecommunications company in the Middle East was confirmed to have been breached. Other confirmed targets of the campaign include government departments in an African country, government agencies across South America, and a university in the U.S. Symantec’s investigation also identified several other likely targets of the espionage activity. These include a state technology agency in another African country, a government department in the Middle East, and a European finance company. The targeting pattern indicates a clear focus on entities with access to sensitive information.
