ToolShell, SharePoint, and the Death of the Patch Window
Introduction
This week’s zero-day exploit targeting Microsoft SharePoint, now referred to as ToolShell, caught organizations off guard. The exploit allowed unauthenticated remote code execution and quickly spread across unpatched SharePoint servers. It built on a variant of previously disclosed vulnerabilities and resulted in the exploitation of a vulnerability for which no patch was yet available.
While this scenario is a security team’s nightmare (the mass exploitation of a zero-day), it highlights a trend we have been monitoring for several years: evidence of exploitation within Team Cymru’s data holdings before public exploit code is available. Defenders need to be highly tuned into this type of insight, because it demonstrates how fast and agile attackers have become, and why exposure discovery and related workflows must evolve to avert disaster.
Old and busted: "Patch Within SLA."
New paradigm: “Patch Now.”
Our team has been studying how long it takes for exploit code to go from public release to real-world use. We track new PoC (proof-of-concept) exploit posts, then watch for signs of related activity in our data holdings. Our analysis found that, on average, exploitation tends to begin within three hours of public release. In some cases, we saw attacks begin before the PoC exploit code was even posted publicly.
ToolShell was one of those cases.
[Figure] Source: https://github.com/soltanali0/CVE-2025-53770-Exploit/
[Figure] Source: Pure Signal: Team Cymru Data
We observed live exploitation on 18 July 2025. The first PoC exploit code was not made public on GitHub until 21 July 2025. While this was a less common case, with mass zero-day exploitation occurring before any public PoC, our data and tracking have shown that in most cases organizations have mere hours to patch after exploit code becomes public.
The Chinese Connection
On 22 July 2025, the Microsoft Threat Intelligence team disclosed more details following their ongoing investigation into the ToolShell exploit campaign targeting on-premises SharePoint servers. Microsoft assesses that three China-nexus advanced persistent threat (APT) groups have been observed exploiting these vulnerabilities. This includes Linen Typhoon (also known as APT27 or Emissary Panda), Violet Typhoon (also known as APT31 or Judgement Panda), and a third group tracked as Storm-2603, which Microsoft also assesses to be a China-based adversary with medium confidence.
The key takeaway from this pattern is that exploitation is now a collaborative and opportunistic process, not a linear one. Attackers don’t just wait for their zero-day to be discovered or for public proof-of-concept code to emerge—they maximize the window of opportunity by sharing access and techniques within their circles as soon as they suspect the exploit will be exposed. We saw the same dynamic play out during the Hafnium Microsoft Exchange incident in 2021: once defenders started closing in, new intrusion sets appeared in our telemetry, evidence that the exploit was circulating between groups who wanted to extract every last bit of value before defenders could respond.
“Our team sees this sequence repeat with almost every high-impact vulnerability—first a stealthy, targeted phase, then rapid escalation and mass exploitation as news breaks or defenders begin to mobilize.”
Josh Hopkins, Team Cymru Threat Research team
For defenders, this reality makes the old patching paradigm obsolete. If you’re waiting for public disclosure, scheduled patch windows, or even internal validation before acting, you are already behind the curve. The evidence shows that by the time an exploit is publicly known, your attack surface has likely already been tested—possibly by multiple threat actors. Patching is not a box to tick off by next Friday. It’s a race against adversaries who move fast, share what works, and rarely give warning. The only viable response is to treat every high-profile vulnerability as actively under attack, prioritize your most exposed and business-critical assets, and compress your patch cycle as much as operationally possible. Anything less is just hoping you aren’t next.
This is not an isolated example. Across six recent high-profile vulnerabilities, we measured an average time-to-exploitation (TTE) of just under four hours. In the fastest observed case, exploitation began three days before the PoC was posted to GitHub.
Compliance Policies Don't Match Reality
Most organizations still use fixed patch windows. Some allow up to seven days for critical vulnerabilities. Others may allow less, depending on factors such as exploitation in the wild or published exploit code. These timelines might check boxes for compliance, but they do not reflect what is actually happening on the Internet.
Once an exploit is out, it is going to be used immediately, if not already. There is no gap between awareness and action. The idea of “patching before exploitation” has become more of an ideal than a strategy. For many organizations, it is already too late by the time they are even aware of the issue.
What You Can Do Now
This situation demands a shift in how we think about vulnerability response. Here’s what we recommend:
- Reduce reliance on third parties for asset discovery, inventory, and attribution, as these will either slow down workflows or not provide the complete and real-time situational awareness your team needs.
- Prioritize and align your actions with business-critical services by collaborating with stakeholders, and focus your efforts on what’s important to avoid precious time being wasted.
- For critical vulnerabilities that attract significant security news attention, assume exploitation is coming sooner rather than later.
- This is especially true for edge devices, and certainly for edge security devices (VPNs, email security gateways, firewalls).
- Compress your patch cycle for external systems to under 24 hours.
For customers of our Scout product, a handy search to identify SharePoint instances of interest is openports.banner.regex = "MicrosoftSharePointTeamServices"
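The Scout search above keys on the MicrosoftSharePointTeamServices HTTP response header, which SharePoint emits with its build number. The following is an added example, not Team Cymru's code or Scout output: it applies the same regex to a constructed set of banner records (hypothetical hosts, ports and versions), extracts the build number, maps the major version to a product generation (general product knowledge, not something the page states), and orders the result into a patch queue with Internet-facing hosts first, which is the prioritization the recommendations above call for.

```python
import re
from typing import Iterable

# Constructed sample banner records (hypothetical hosts and versions), shaped like an
# export of HTTP banners from an exposure-discovery tool:
# (host, port, internet_facing, raw banner). Not real Scout output.
SAMPLE_BANNERS = [
    ("sp-ext-01.example.test", 443, True,
     "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
     "MicrosoftSharePointTeamServices: 16.0.0.5456\r\n"),
    ("intranet.example.test", 80, False,
     "HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/10.0\r\n"
     "MicrosoftSharePointTeamServices: 15.0.0.4420\r\n"),
    ("www.example.test", 443, True,
     "HTTP/1.1 200 OK\r\nServer: nginx\r\n"),
    ("legacy.example.test", 443, True,
     "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n"
     "MicrosoftSharePointTeamServices: 14.0.0.7015\r\n"),
]

# Same pattern the Scout search on this page applies to the banner field.
SHAREPOINT_RE = re.compile(r"MicrosoftSharePointTeamServices")
# The header value carries the build number; capture it when present.
VERSION_RE = re.compile(r"MicrosoftSharePointTeamServices:\s*([0-9][0-9.]*)", re.IGNORECASE)

# Major build number to product generation (general product knowledge, not from the page).
GENERATION = {
    "14": "SharePoint 2010",
    "15": "SharePoint 2013",
    "16": "SharePoint 2016/2019/Subscription Edition",
}


def find_sharepoint(records: Iterable[tuple]) -> list[dict]:
    """Return one inventory entry per record whose banner matches the SharePoint header."""
    found = []
    for host, port, internet_facing, banner in records:
        if not SHAREPOINT_RE.search(banner):
            continue
        m = VERSION_RE.search(banner)
        version = m.group(1) if m else "unknown"
        major = version.split(".")[0]
        found.append({
            "host": host,
            "port": port,
            "internet_facing": internet_facing,
            "version": version,
            "generation": GENERATION.get(major, "unknown"),
        })
    return found


def prioritize(entries: list[dict]) -> list[dict]:
    """Order the patch queue: Internet-facing hosts first, oldest generation first within each group."""
    def key(e):
        major = e["version"].split(".")[0]
        major_num = int(major) if major.isdigit() else 0
        return (0 if e["internet_facing"] else 1, major_num)
    return sorted(entries, key=key)


if __name__ == "__main__":
    for e in prioritize(find_sharepoint(SAMPLE_BANNERS)):
        exposure = "EXTERNAL" if e["internet_facing"] else "internal"
        print(f"{exposure:8} {e['host']}:{e['port']} {e['generation']} ({e['version']})")
```

Feeding a real banner export into find_sharepoint replaces the constructed list; the internet_facing flag is whatever your asset inventory says about the host, and is the field that decides the order of the queue.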
The Bottom Line
ToolShell is a symptom of a larger trend. Exploits are weaponized faster, shared earlier, and deployed more broadly than ever before. Traditional patch windows are no longer enough. If your organization is operating on a schedule built for yesterday’s Internet, you are already behind.
Prioritize, then patch immediately. Investigate now, and continuously assess. Assume nothing is safe.
Resources
Indicators
131.226.2.6
134.199.202.205
104.238.159.149
188.130.206.168
c34718cbb4c6.ngrok-free[.]app
Source
Indicators
104.238.159.149
107.191.58.76
96.9.125.147
Source
Indicators
96.9.125.147
107.191.58.76
104.238.159.149
Source
Indicators
103.186.30.186
104.238.159.149
107.191.58.76
96.9.125.147
Source
http://trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html
Indicators
45.77.155.170
96.9.125.147
104.238.159.149
107.191.58.76
172.174.82.132
Source
https://censys.com/advisory/cve-2025-53770
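The indicator lists above are only useful once they are run against your own logs. The following is an added example, not Team Cymru's or any of the cited vendors' code: it takes the indicators exactly as transcribed from the lists (refanging the defanged ngrok hostname), splits them into IP addresses and hostnames, and scans a constructed log excerpt (hypothetical IIS W3C lines plus one outbound proxy line; the paths and internal addresses are made up). IPs are compared as whole tokens so that a near-miss such as 196.9.125.147 is not reported as 96.9.125.147, while hostnames are matched as substrings so they are found inside URLs.

```python
import re

# Indicators transcribed from the lists above; the ngrok hostname is defanged there.
INDICATORS = [
    "131.226.2.6", "134.199.202.205", "104.238.159.149", "188.130.206.168",
    "c34718cbb4c6.ngrok-free[.]app", "107.191.58.76", "96.9.125.147",
    "103.186.30.186", "45.77.155.170", "172.174.82.132",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Reverse common defanging so the indicator can be matched against live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def load_indicators(raw: list[str]) -> tuple[set[str], set[str]]:
    """Split indicators into exact-match IPs and substring-match hostnames."""
    ips, hosts = set(), set()
    for item in raw:
        value = refang(item.strip())
        (ips if IPV4_RE.match(value) else hosts).add(value)
    return ips, hosts


def scan_log(text: str, ips: set[str], hosts: set[str]) -> list[tuple[int, str]]:
    """Return (line_number, indicator) for every log line that contains a known indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):  # W3C directive/header lines carry no client data
            continue
        # IPs: whole-token comparison avoids prefix/suffix false positives.
        for tok in line.split():
            if tok in ips:
                hits.append((n, tok))
        # Hostnames: substring match so a hit inside a URL is still found.
        lowered = line.lower()
        for h in hosts:
            if h in lowered:
                hits.append((n, h))
    return hits


# Constructed sample log excerpt (hypothetical IIS W3C lines plus one proxy line).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2025-07-18 14:02:11 10.0.0.5 GET /sites/team/default.aspx 203.0.113.7 200
2025-07-18 14:02:13 10.0.0.5 POST /_layouts/15/start.aspx 107.191.58.76 200
2025-07-18 14:02:19 10.0.0.5 GET /_layouts/15/start.aspx 196.9.125.147 404
2025-07-18 14:03:02 10.0.0.5 POST /_layouts/15/start.aspx 96.9.125.147 500
2025-07-18 14:03:40 proxy 10.0.0.5 CONNECT https://c34718cbb4c6.ngrok-free.app:443 200
"""

if __name__ == "__main__":
    ips, hosts = load_indicators(INDICATORS)
    for n, ind in scan_log(SAMPLE_LOG, ips, hosts):
        print(f"line {n}: matched indicator {ind}")
```

A hit on an indicator from July 2025 in a log from that window is a reason to treat the server as compromised and investigate, not merely to patch it; the token-based IP comparison is the detail most ad hoc grep searches get wrong.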
Ask our team about exposure discovery and how to transform your situational awareness to real-time to make more informed, better decisions with vulnerabilities.