Microsoft SharePoint Breach 2025: Timeline, Root Cause, and Business Impact


Palak Agrawal

Case Studies

Published on May 13, 2026

9 min read


Enterprise platforms often become invisible once they are deeply embedded into daily operations. Teams rely on them for document storage, collaboration, approvals, intranet workflows, and access to internal knowledge. That familiarity can create a dangerous assumption: if the platform is trusted, widely adopted, and actively maintained, it must also be secure by default.

The Microsoft SharePoint breach 2025 challenged that assumption. The ToolShell campaign showed how a Microsoft SharePoint vulnerability can move from a technical security issue to a business continuity risk in a matter of days.

When attackers can bypass authentication, execute code, deploy web shells, and preserve access even after patching, the impact is no longer limited to the application layer. It becomes a risk to data, operations, connected systems, and organisational trust.

This article explains the Microsoft SharePoint breach incident, the root causes behind the Microsoft SharePoint zero-day exploit, and the business impact of the attack.

Microsoft SharePoint Breach 2025 Overview

In July 2025, Microsoft SharePoint Server was targeted through a large-scale exploitation campaign known as ToolShell. The attack chain allowed threat actors to bypass authentication, execute remote code, deploy web shells, and maintain access through stolen ASP.NET machine keys.

The incident was significant because SharePoint is not a niche platform. It is one of the world’s most widely used enterprise content management and intranet platforms, with more than 200 million users across 200,000+ organisations globally.

Because of this scale, the Microsoft SharePoint breach 2025 created risk beyond a single vulnerability. It exposed how an incomplete patch, public exploit reproduction, and persistent attacker access can turn a known security flaw into a global business risk.

Microsoft SharePoint Server and Enterprise Exposure

Microsoft Corporation is the developer of SharePoint Server, one of the world’s most widely deployed enterprise content management and intranet platforms.

SharePoint is used by more than 200 million users globally across more than 200,000 organisations. It has a 67% adoption rate among enterprises and holds a 62% market share in the document collaboration segment. Major users include Fortune 500 companies, government agencies, and critical infrastructure operators across 86 countries.

Category             Details
Exploit Name         ToolShell
Affected Platform    Microsoft SharePoint Server
Key Vulnerability    CVE-2025-53770
Related CVEs         CVE-2025-49704, CVE-2025-49706, CVE-2025-53771
Attack Type          Authentication bypass, remote code execution, web shell deployment
Threat Actors        Linen Typhoon, Violet Typhoon, Storm-2603
Global Users         200M+ users across 200,000+ organisations

Microsoft SharePoint Zero-Day Exploit Timeline

The ToolShell breach did not happen in one isolated moment. It unfolded through a sequence of events, beginning with the public demonstration of the exploit chain and leading to confirmed compromises across federal agencies and enterprise environments.

Microsoft ToolShell Breach Timeline

May 2025: SharePoint Exploit Demonstrated at Pwn2Own

At Pwn2Own Berlin 2025, researcher Dinh Ho Anh Khoa of Viettel Cyber Security chained CVE-2025-49704 and CVE-2025-49706 to achieve unauthenticated remote code execution on SharePoint. The exploit won a $100,000 prize and was later named ToolShell.

July 8, 2025: Partial SharePoint Security Patch Released

Microsoft released patches for CVE-2025-49704 and CVE-2025-49706 as part of Patch Tuesday. However, the fix was incomplete because the underlying attack path was not fully closed.

Active exploitation attempts were detected the same day. This meant that organisations could still remain exposed even after applying the initial SharePoint security update.

July 14–18, 2025: ToolShell PoC and Mass Exploitation

On July 14, CODE WHITE GmbH publicly reproduced the exploit chain. Within 72 hours, Eye Security detected the first large-scale attack wave targeting more than 8,000 exposed SharePoint servers. More than 400 organisations were compromised globally.

This was the point where the Microsoft SharePoint zero-day exploit moved from a known vulnerability to mass exploitation.

July 19–22, 2025: Emergency Patch for CVE-2025-53770 and CVE-2025-53771

Microsoft issued an emergency patch for the bypass vulnerabilities CVE-2025-53770 and CVE-2025-53771. CVE-2025-53770 carried a CVSS score of 9.8, placing it in the critical severity range. CISA also added the vulnerabilities to its Known Exploited Vulnerabilities catalog.

Microsoft attributed the campaign to Linen Typhoon, Violet Typhoon, and Storm-2603.

July 23–24, 2025: Federal Agencies Affected by SharePoint Breach

Several federal agencies were confirmed to be affected, including DHS, HHS, NIH, the National Nuclear Security Administration, and the Defense Intelligence Agency. CISA notified more than 12 federal entities.

Attackers were also able to retain persistent access through stolen ASP.NET machine keys, even on patched systems. This made the SharePoint breach harder to contain because patching alone could not remove attacker access.

Root Causes Behind the Microsoft SharePoint Vulnerability

The ToolShell attack became severe because multiple weaknesses worked together. Each issue increased the impact of the next, turning a known vulnerability into a broad SharePoint exploitation campaign.

1. Authentication Bypass Through a Forged HTTP Header

CVE-2025-49706 exploited a flaw in how SharePoint validated incoming requests. By setting the HTTP Referer header to /_layouts/SignOut.aspx, an attacker could trick the server into treating the request as already authenticated.

No username, password, or session token was required. This single header manipulation became the entry point for the entire attack chain.

2. SharePoint Remote Code Execution Through XML Deserialization

CVE-2025-49704 exploited unsafe XML deserialization in the ToolPane.aspx endpoint. Once the authentication bypass granted access, a specially crafted XML payload triggered arbitrary code execution on the SharePoint server.

The root flaw traces back to CVE-2020-1147, a deserialization issue first identified in 2020 that was never fully closed across all code paths.
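The forged Referer header from item 1 and the ToolPane.aspx endpoint from item 2 leave a recognisable trace in IIS request logs, which is where most defenders first confirmed exposure. The following Python script is an added example, not part of the original article and not Microsoft's or any vendor's tooling. It parses W3C-format IIS log lines and flags ToolPane.aspx requests that either carry the /_layouts/SignOut.aspx Referer or arrive as unauthenticated POSTs. The sample log lines are constructed for this example; the field order follows the default IIS W3C layout, and the /_layouts/15/ path prefix used in the samples is assumed.

```python
from dataclasses import dataclass
from typing import Iterator, List

# Constructed IIS W3C log excerpt (not from any real incident). The #Fields header
# drives parsing, so the script works with other column orders as long as the
# header is present.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 https://intranet.example/sites/hr 200
2025-07-18 09:12:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 09:12:09 10.0.0.5 GET /_layouts/15/SignOut.aspx - 443 CORP\\asmith 10.0.1.21 Mozilla/5.0 https://intranet.example/ 302
2025-07-18 09:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\siteadmin 10.0.1.22 Mozilla/5.0 https://intranet.example/_layouts/15/settings.aspx 200
2025-07-18 09:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.44 curl/8.4.0 - 200
"""

SIGNOUT_REFERER = "/_layouts/signout.aspx"   # value described in the article (item 1)
TOOLPANE_STEM = "toolpane.aspx"              # endpoint described in the article (item 2)


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    username: str
    uri: str
    referer: str
    reason: str


def parse_iis_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_toolshell_requests(text: str) -> List[Finding]:
    """Return ToolPane.aspx requests matching the ToolShell access pattern."""
    findings: List[Finding] = []
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.endswith(TOOLPANE_STEM):
            continue
        referer = rec.get("cs(Referer)", "-").lower()
        username = rec.get("cs-username", "-")
        if referer.endswith(SIGNOUT_REFERER):
            reason = "ToolPane.aspx request with SignOut.aspx Referer (CVE-2025-49706 bypass pattern)"
        elif rec.get("cs-method") == "POST" and username == "-":
            reason = "Unauthenticated POST to ToolPane.aspx"
        else:
            continue  # authenticated editing of ToolPane.aspx is normal admin activity
        findings.append(Finding(
            timestamp=f"{rec.get('date', '?')} {rec.get('time', '?')}",
            client_ip=rec.get("c-ip", "?"),
            username=username,
            uri=rec.get("cs-uri-stem", "?"),
            referer=rec.get("cs(Referer)", "-"),
            reason=reason,
        ))
    return findings


if __name__ == "__main__":
    for f in find_toolshell_requests(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} user={f.username} {f.uri} referer={f.referer} :: {f.reason}")
```

A hit on the first rule is a strong indicator on its own, because a legitimate browser never sends the sign-out page as the Referer for a ToolPane request. The second rule is noisier and is there to catch variants that drop the header; treat it as a lead to correlate with process creation and new files under the SharePoint layouts directory rather than as confirmation by itself.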

3. Patch Bypass and Extended Exposure Window

The July 8 patch addressed the originally disclosed CVEs but left an alternative execution path open. This path was assigned two new CVEs: CVE-2025-53770, with a CVSS score of 9.8, and CVE-2025-53771.

Organisations that applied the first patch and considered themselves protected remained exposed until the emergency SharePoint patch on July 19. This extended the exposure window and gave attackers more time to target vulnerable systems.

4. Machine Key Extraction and Persistent Access

The deployed ToolShell web shell extracted the server’s ASP.NET machine keys, including the ValidationKey and DecryptionKey. These keys allowed attackers to forge __VIEWSTATE tokens that SharePoint accepted as legitimate.

This gave attackers authenticated access on demand. More importantly, the access could persist even after patching unless the keys were rotated.
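The reason patching alone does not evict an attacker who holds the machine keys is that the server's acceptance check depends only on the key, not on the software version. The following Python model is an added example, not part of the original article and not the real ASP.NET ViewState format: it reduces MAC-validated page state to "payload plus HMAC under a validation key", walks through key theft, the post-patch state, and key rotation, and also shows the side effect defenders should expect from rotation. Key sizes and the HMAC-SHA256 construction are assumptions of the model.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = 32  # SHA-256 digest length


class MacProtectedState:
    """Toy model of MAC-validated page state.

    token = base64(payload || HMAC-SHA256(validation_key, payload)).
    This is a conceptual stand-in for ASP.NET __VIEWSTATE MAC validation only;
    the real ViewState encoding and machineKey configuration are not reproduced.
    """

    def __init__(self, validation_key: bytes) -> None:
        self.validation_key = validation_key

    def issue(self, payload: bytes) -> str:
        mac = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        return base64.b64encode(payload + mac).decode("ascii")

    def validate(self, token: str) -> Optional[bytes]:
        """Return the payload if the MAC verifies under the current key, else None."""
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            return None
        if len(raw) < MAC_LEN:
            return None
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.validation_key, payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(mac, expected) else None

    def rotate_key(self) -> None:
        """Replace the validation key; every token signed under the old key stops validating."""
        self.validation_key = secrets.token_bytes(64)


def simulate_key_theft_and_rotation() -> dict:
    """Constructed scenario mirroring the article: key theft, patch, then rotation."""
    server = MacProtectedState(secrets.token_bytes(64))

    # A web shell with file-system access reads the configured key (constructed scenario).
    stolen_key = server.validation_key
    attacker = MacProtectedState(stolen_key)

    forged = attacker.issue(b"state-chosen-by-attacker")
    legit = server.issue(b"state-issued-by-server")

    results = {}
    # Patching the RCE closes the web shell's entry point but leaves the key unchanged,
    # so the server still accepts anything signed with the stolen key.
    results["forged_accepted_before_rotation"] = server.validate(forged) is not None

    server.rotate_key()
    results["forged_accepted_after_rotation"] = server.validate(forged) is not None
    # Expected side effect: legitimate pre-rotation tokens also stop validating,
    # which is why rotation is scheduled rather than skipped.
    results["legit_accepted_after_rotation"] = server.validate(legit) is not None
    results["fresh_accepted_after_rotation"] = server.validate(server.issue(b"new")) is not None
    return results


if __name__ == "__main__":
    for name, accepted in simulate_key_theft_and_rotation().items():
        print(f"{name}: {accepted}")
```

The model makes the containment order explicit: remove the web shell, rotate both the validation and decryption keys on every affected web application, and only then treat the server as clean. Rotating after the shell is removed matters, because a shell that is still present simply reads the new key.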

Business Impact of the Microsoft SharePoint Breach 2025

The ToolShell breach created serious business risk because of the scale of SharePoint adoption and the number of exposed systems involved. More than 8,000 exposed servers were targeted during the first large-scale attack wave, and over 400 organisations were compromised globally. CISA also notified more than 12 federal entities.

Microsoft ToolShell Breach Impact on Business

These numbers show why the incident became a major concern for enterprises and government agencies. The affected platform was deeply embedded in business operations, document management, internal collaboration, and connected infrastructure.

Operational Consequences of Microsoft SharePoint Issues

When SharePoint is compromised, the impact does not stay limited to one application. It can expose internal data, disrupt business workflows, and create a wider security risk across connected systems.

1. Full Server Compromise

Unauthenticated remote code execution gave attackers control over the SharePoint application, its data, and connected infrastructure. For affected organisations, this created immediate risk to internal documents, workflows, user access, and systems connected to SharePoint.

2. Persistent Access Through Stolen ASP.NET Machine Keys

Attackers extracted ASP.NET cryptographic machine keys to maintain access even after patches were applied. This meant that patching alone could not remove the attackers from compromised environments.

Organisations also had to rotate keys, remove web shells, and verify that persistent access had been fully removed.

3. Ransomware Deployment

Storm-2603 deployed Warlock and LockBit ransomware on compromised servers. Microsoft confirmed this activity on July 23, 2025.

This increased the business impact of the Microsoft SharePoint breach 2025 because ransomware can disrupt operations, restrict access to critical systems, and increase recovery costs.

4. Lateral Movement Across Connected Systems

SharePoint servers are deeply integrated with Active Directory. This allowed attackers to use compromised servers as pivot points into domain controllers and other critical systems.

As a result, the breach could extend beyond SharePoint and create wider risk across the organisation’s internal environment.

How DrupalFit Helps Strengthen Drupal Security Before Issues Escalate

The ToolShell incident shows why security cannot depend on patching alone. Organisations need continuous visibility into vulnerabilities, exposed services, weak encryption, and application-level risks before they become active entry points for attackers.

DrupalFit is a purpose-built security audit platform for Drupal sites. It runs six independent scans across your site's application, network, and encryption layers and returns a severity-rated report.

The table below shows the security checks covered by DrupalFit.

Security Scan: What it Checks

OWASP ZAP Passive Web Application Scan: Passively checks your Drupal website for common web application risks such as cross-domain misconfigurations, insecure cookies, vulnerable JavaScript dependencies, and other exposed security weaknesses.

OWASP ZAP Active Web Application Scan: Actively tests your web application for serious vulnerabilities such as SQL injection, remote command execution, cross-site scripting, and other attack paths. This includes all checks from the passive scan.

Nmap TCP Port Scan: Discovers open TCP ports and services across your servers and firewalls by scanning ports 0 to 65535. This helps identify exposed services that may increase your attack surface.

Nmap UDP Port Scan: Checks for open UDP ports and services that may be exposed on your infrastructure. This helps detect network-level risks that are often missed in standard web application scans.

OpenVAS Network Vulnerability Scan: Scans servers for more than 50,000 known vulnerabilities, including CVEs, outdated software, unsafe configurations, and network security issues.

SSLyze TLS/SSL Encryption Security Scan: Analyzes TLS/SSL configuration for certificate problems, weak ciphers, Heartbleed, ROBOT, and other encryption-related risks.

Once the scans are complete, DrupalFit turns the findings into a detailed security audit report. The report presents Critical, Medium, and Low severity issues with clear counts, links each issue to a named CVE or technical finding, and provides a specific fix path for remediation.

Automated Security Audit Report

It is detailed enough for security engineers to act on and clear enough for non-technical executives to understand the business risk. With DrupalFit’s Status Report integration, these findings are also available directly inside the Drupal admin environment, without manual PDF exports or switching between tools.

DrupalFit does not eliminate zero-days. No platform can. What it helps eliminate is the risk of known, scannable vulnerabilities sitting open on production infrastructure while no one with authority to act knows they exist.

The Bottom Line

The ToolShell breach is a reminder that major security incidents rarely come from one weakness alone. In this case, the risk escalated because authentication bypass, remote code execution, incomplete patching, public exploit reproduction, and persistent access came together.

The lesson is not limited to SharePoint. Any business-critical platform can become an exposure point when known vulnerabilities, open services, weak encryption, or misconfigurations are not continuously monitored.

For Drupal teams, the next step is to make security visible, measurable, and actionable. DrupalFit helps teams do that by combining application scanning, network exposure checks, CVE detection, encryption auditing, and remediation guidance in one platform built for Drupal.

Audit Your Drupal Security Now

Use DrupalFit to uncover known security risks, prioritize the right fixes, and strengthen your Drupal security posture before attackers find the gaps first.
