Cyber Resilience


SharePoint ToolShell Exploitation · C0058 · state

🇨🇳 CN

aka SharePoint ToolShell Exploitation

Last updated: 2026-07-03

- 7 attributed CVEs
- 49 ATT&CK techniques
- 29.3 IDF score (tooling uniqueness)
- 6 exclusive CVEs
- 2021–2026 years active

About this actor

The [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited, including by China-based ransomware actor Storm-2603 and espionage actors [Threat Group-3390](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](https://attack.mitre.org/groups/G0128). [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) targeted multiple regions and industries, including finance, education, energy, and healthcare, across Asia, Europe, and the United States.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)

Source: MITRE ATT&CK

Profile

| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2025-49706 (KEV) | 10.0 | 6.5 | 0.9988 | 2025-07-08 | see CVE |
| CVE-2021-28474 | 8.0 | 8.8 | 0.5063 | 2021-05-11 | see CVE |
| CVE-2025-53771 | 8.0 | 6.5 | 0.9991 | 2025-07-20 | see CVE |
| CVE-2026-22584 | 7.0 | 9.8 | 0.0037 | 2026-01-09 | see CVE |
| CVE-2025-23304 | 5.5 | 7.8 | 0.0147 | 2025-08-13 | see CVE |
| CVE-2025-0921 | 3.5 | 6.5 | 0.0018 | 2025-05-15 | see CVE |
| CVE-2025-66478 | 0.0 | 0.0 | 0.0000 | 2025-12-03 | see CVE |

Mitigating controls (NIST 800-53)

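| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 31 / 49 | 63% |
| CM-6 | 27 / 49 | 55% |
| CM-2 | 26 / 49 | 53% |
| AC-3 | 24 / 49 | 49% |
| AC-6 | 23 / 49 | 47% |
| SI-3 | 23 / 49 | 47% |
| CM-7 | 21 / 49 | 43% |
| AC-2 | 19 / 49 | 39% |
| AC-5 | 17 / 49 | 35% |
| SI-7 | 17 / 49 | 35% |
| CA-7 | 16 / 49 | 33% |
| IA-2 | 16 / 49 | 33% |
| AC-4 | 14 / 49 | 29% |
| CM-5 | 14 / 49 | 29% |
| RA-5 | 13 / 49 | 27% |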
