China Sharepoint CVE

Microsoft SharePoint zero-day exploited in RCE attacks, no patch available
Critical zero-day vulnerabilities in Microsoft SharePoint, tracked as CVE-2025-53770 and CVE-2025-53771, have been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide.
·bleepingcomputer.com·
US nuclear weapons agency hacked in Microsoft SharePoint attacks
Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.
·bleepingcomputer.com·
Disrupting active exploitation of on-premises SharePoint vulnerabilities

131.226.2[.]6 (IP): Post-exploitation C2
134.199.202[.]205 (IP): IP address exploiting SharePoint vulnerabilities
104.238.159[.]149 (IP): IP address exploiting SharePoint vulnerabilities
188.130.206[.]168 (IP): IP address exploiting SharePoint vulnerabilities
65.38.121[.]198 (IP): Post-exploitation C2 for Storm-2603

These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365.
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities against internet-facing SharePoint servers.
Microsoft observed multiple threat actors conducting reconnaissance and attempting exploitation of on-premises SharePoint servers through a POST request to the ToolPane endpoint.
In observed attacks, threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named spinstall0.aspx. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc. The spinstall0.aspx script contains commands to retrieve MachineKey data and return the results to the user through a GET request, enabling the theft of the key material by threat actors.
Since 2012, Linen Typhoon has focused on stealing intellectual property, primarily targeting organizations related to government, defense, strategic planning, and human rights.
Since 2015, the Violet Typhoon activity group has been dedicated to espionage, primarily targeting former government and military personnel, non-governmental organizations (NGOs), think tank
using Mimikatz, specifically targeting the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials. The actor moves laterally using PsExec and the Impacket toolkit, executing commands using Windows Management Instrumentation (WMI). Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments.
Fast reverse proxy tool used to connect to C2 IP 65.38.121[.]198
·microsoft.com·
July NNSA hack China UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities | CISA
Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
·cisa.gov·
Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12)
Palo Alto Networks provides the VPN for DOE etc so makes sense they're highly engaged... suggesting it's more than just DOE?
Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization.
·unit42.paloaltonetworks.com·
Cyber attacks USA 2025, 2024
TRIED TO HACK FERMILAB BITCHES
List of cyberattacks and ransomware attacks on businesses, organizations, and government entities in the United States.
U.S. nuclear weapons agency affected by cyber attack National Nuclear Security Administration (NNSA) - Washington, D.C., USA
U.S. research institution affected by cyber attack Fermi National Accelerator Laboratory (Fermilab) - Batavia, Illinois, USA (Kane County, DuPage County) Affected via MS Sharepoint.
·konbriefing.com·
China behind vast global hack involving multiple US agencies
A significant flaw in a widely used Microsoft product allowed multiple Chinese-linked hacking groups to breach dozens of organizations across the globe and at least two U.S. federal agencies.
Microsoft confirmed in a blog post Tuesday that three Chinese hacking gangs, known as Violet Typhoon, Linen Typhoon and Storm-2603, are involved in the hacking effort.
The first U.S. official said government investigators currently suspect at least “four to five” federal agencies were breached, while more agencies are yet to be fully investigated. The second added they were briefed Monday that “more than one” federal agency was impacted.
·politico.com·