A July 8 patch for the SharePoint Server zero-day flaw, which was exploited in a global attack on nearly 100 organizations over the weekend starting July 18, failed to fully fix the flaw.
The flaw was brought to Microsoft's notice in May during a hacker competition and was soon addressed with an incomplete patch by the company, before it was actively exploited in the wild.
“In today’s landscape, where attackers can reverse patch within hours, the time between disclosure and full remediation is a critical window,” said Shane Barney, CISO, Keeper Security. “It’s essential that vendors continue investing in pre-release testing, use of memory-safe languages, and modern engineering practices that reduce the risk of partial or ineffective fixes.”
Both Microsoft and Google now attribute the attacks to China-aligned threat actors, raising fresh alarms about security risks tied to on-prem SharePoint deployments.
A fix that didn’t stick
The initial patch, released shortly after the zero-day surfaced during a Berlin hacker competition, was insufficient to prevent active exploits, according to Reuters, which reviewed Microsoft’s timeline and confirmed a spokesperson admitted the fix didn’t fully work. Sophos reported that threat actors bypassed the update almost immediately, leading to a rapid compromise of exposed SharePoint servers.
“Microsoft’s incomplete SharePoint fix is not an isolated misstep,” said Mayuresh Dani, Security Research Manager at Qualys. “Patch gaps and failed first-round patches remain common. They allow bugs to be chained with phishing footholds for full compromise, or cause system instability, prompting some admins to delay patching, which prolongs exposure.”
Microsoft subsequently issued a second set of patches that addressed the remaining flaws. However, the rapid timeline from disclosure to exploitation exposed ongoing weaknesses in the vulnerability-to-patch pipeline.
According to a Microsoft advisory, the company initially patched the vulnerabilities, tracked as CVE-2025-49704 and CVE-2025-49706, on July 8, following their disclosure at the May hacker competition. The fix was incomplete, and attackers exploited the same code path. Microsoft later released a second set of patches to fully address the zero-day vulnerability, now tracked as CVE-2025-53770 and CVE-2025-53771.
“Software is complex and highly interconnected – attack surfaces are not always fully understood,” said Trey Ford, CISO at BugCrowd. “That’s why fixes often require iteration to comprehensively address the issue.”
China-linked hackers are exploiting the gap
A Microsoft blog identifies the Chinese-affiliated groups “Linen Typhoon” (APT27) and “Violet Typhoon” (APT31), along with a third suspected state-sponsored actor dubbed Storm-2603, as the likely exploiters of the zero-day.
Google’s Mandiant CTO, Charles Carmakal, labeled at least one actor as “China-nexus,” suggesting espionage motivations.
According to Dani, the shift toward collaboration platforms like SharePoint is no coincidence. “SharePoint acts as a one-stop shop for sensitive documents, source code, HR, and legal content,” he said. “Threat groups have shifted from edge appliances to internal collaboration platforms because those systems deliver both sensitive data and privileged network access.”
The exploit, nicknamed ToolShell, enables remote code execution, key theft, and malware installation on on-prem servers. The US CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, urging immediate remediation. Barney warned that state-backed actors are now embedding into business workflows. “They want access to the crown jewels. These platforms house far more than PII: strategic plans, source code, and internal communications. It’s not just about exfiltration anymore, but deep persistent access.”