SharePoint ToolShell Exploitation · C0058 · state
🇨🇳 CN
aka SharePoint ToolShell Exploitation
Last updated: 2026-07-03
About this actor
The [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) campaign was conducted in July 2025 and encompassed the first waves of exploitation against incompletely patched spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704) vulnerabilities affecting on-premises Microsoft SharePoint servers. Later patched and updated as CVE-2025-53770 and CVE-2025-53771, the ToolShell vulnerabilities were widely exploited including by China-based ransomware actor Storm-2603 and espionage actors [Threat Group-3390](https://attack.mitre.org/groups/G0027) and [ZIRCONIUM](https://attack.mitre.org/groups/G0128). [SharePoint ToolShell Exploitation](https://attack.mitre.org/campaigns/C0058) targeted multiple regions and industries including finance, education, energy, and healthcare across Asia, Europe, and the United States.(Citation: Microsoft SharePoint Exploit JUL 2025)(Citation: Palo Alto SharePoint Vulnerabilities JUL 2025)(Citation: Eye Research ToolShell JUL 2025)(Citation: ESET ToolShell JUL 2025)(Citation: Trend Micro SharePoint Attacks JUL 2025)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
- 2025 — 5 CVE published, 1 KEV added
- 2021 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2025-49706 (KEV) | 10.0 | 6.5 | 0.9988 | 2025-07-08 | see CVE |
| CVE-2021-28474 | 8.0 | 8.8 | 0.5063 | 2021-05-11 | see CVE |
| CVE-2025-53771 | 8.0 | 6.5 | 0.9991 | 2025-07-20 | see CVE |
| CVE-2026-22584 | 7.0 | 9.8 | 0.0037 | 2026-01-09 | see CVE |
| CVE-2025-23304 | 5.5 | 7.8 | 0.0147 | 2025-08-13 | see CVE |
| CVE-2025-0921 | 3.5 | 6.5 | 0.0018 | 2025-05-15 | see CVE |
| CVE-2025-66478 | 0.0 | 0.0 | 0.0000 | 2025-12-03 | see CVE |

T1003, T1003.001, T1005, T1027, T1027.002, T1027.010, T1033, T1041, T1047, T1053, T1053.005, T1059, T1059.001, T1059.003, T1071, T1071.001, T1074, T1074.001, T1082, T1083, T1090, T1105, T1112, T1119, T1140, T1190, T1484, T1484.001, T1486, T1505, T1505.003, T1505.004, T1552, T1552.001, T1569, T1569.002, T1570, T1572, T1583, T1583.001, T1585, T1585.002, T1588, T1588.002, T1595, T1595.002, T1620, T1657, T1685
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 31 / 49 | 63% |
| CM-6 | 27 / 49 | 55% |
| CM-2 | 26 / 49 | 53% |
| AC-3 | 24 / 49 | 49% |
| AC-6 | 23 / 49 | 47% |
| SI-3 | 23 / 49 | 47% |
| CM-7 | 21 / 49 | 43% |
| AC-2 | 19 / 49 | 39% |
| AC-5 | 17 / 49 | 35% |
| SI-7 | 17 / 49 | 35% |
| CA-7 | 16 / 49 | 33% |
| IA-2 | 16 / 49 | 33% |
| AC-4 | 14 / 49 | 29% |
| CM-5 | 14 / 49 | 29% |
| RA-5 | 13 / 49 | 27% |
Co-occurring actors
- Kimsuky 1 shared CVEs
Similar actors
Similar TTPs
- GALLIUM 0.34
- Operation Wocao 0.33
- C0017 0.33
- Medusa Group 0.31
- Winter Vivern 0.29
Overlapping CVEs
- Kimsuky 0.11
Active in same years
- SolarWinds Compromise 2.00
- APT29 2.00
- Leviathan 2.00
- Kimsuky 2.00
- Volt Typhoon 2.00
Same nation-state
- Night Dragon 1.00
- FunnyDream 1.00
- Operation Wocao 1.00
- C0017 1.00
- Cutting Edge 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00