SharePoint Servers Under Global Attack: A Threat to Intellectual Property
A significant zero-day vulnerability in Microsoft's on-premises SharePoint software has been actively exploited in a global hacking campaign, compromising government agencies, universities, and corporations.
For attorneys and IP owners who rely on Microsoft products to manage and store sensitive information, this breach represents a critical threat that demands immediate attention. The attack, attributed in part to Chinese nation-state actors, goes beyond a simple intrusion, allowing hackers to steal cryptographic keys that could grant them persistent access even after security patches are applied.
The Anatomy of the "ToolShell" Exploit
The attack, dubbed "ToolShell," targets a previously unknown, or "zero-day," vulnerability in on-premises SharePoint servers. It reportedly does not impact SharePoint Online in Microsoft 365.
Attackers are exploiting a chain of vulnerabilities, now identified as CVE-2025-53770 and CVE-2025-53771, which allows an unauthenticated user to execute code remotely on a server. According to Microsoft, this is a variant of a previously disclosed issue, but the new attack vector was potent enough to catch numerous organizations unprepared.
The implications are severe. "Anybody who’s got a hosted SharePoint server has got a problem," Adam Meyers, senior vice president with cybersecurity firm CrowdStrike, told The Washington Post. "It’s a significant vulnerability."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed it is aware of the active exploitation and has added the vulnerability to its Known Exploited Vulnerability catalog, mandating that federal agencies apply patches.
The gravity of the situation is compounded by the attackers' methods. Once inside a server, they can deploy web shells—malicious scripts that provide a backdoor—and, most alarmingly, steal the server's ASP.NET machine keys. These keys are fundamental to the server's security.
As Benjamin Harris, CEO of watchTowr, explained to The Hacker News, "With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid—enabling seamless remote code execution. This approach makes remediation particularly difficult—a typical patch would not automatically rotate these stolen cryptographic secrets, leaving organizations vulnerable even after they patch."
Attribution and the Specter of State-Sponsored IP Theft
Microsoft Threat Intelligence has directly linked the attacks to sophisticated threat actors.
In a recent report, Microsoft stated:
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.
Linen Typhoon has a history dating back to 2012, focusing on intellectual property theft from government and defense sectors.
Violet Typhoon has been active since 2015, conducting espionage against a wide range of targets, including NGOs, higher education, and financial institutions.
Storm-2603, while not definitively linked to other known groups, is also assessed to be a China-based actor.
The involvement of such groups elevates the concern for any organization that manages valuable data and intellectual property. The objective appears to be not just disruption but espionage and data theft, putting trade secrets, proprietary research, and sensitive legal documents at extreme risk.
One U.S. state official reported that attackers had "hijacked" a public document repository, and while some researchers have seen data theft, the potential for destructive "wiper" attacks remains a possibility.
Critical Mitigation Steps for All Organizations
Microsoft has released emergency security updates and provided clear guidance for mitigation. For IP professionals, ensuring their organization's IT and security teams have implemented these steps is paramount.
Simply asking if on-premises systems are "patched" is likely insufficient due to the nature of the key theft.
According to Microsoft, here are the essential actions that must be taken:
Apply the July 2025 Security Updates Immediately: Microsoft has issued patches for all supported on-premises versions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. These updates address CVE-2025-53770 and CVE-2025-53771 directly.
Enable the Antimalware Scan Interface (AMSI): Microsoft urges all customers to ensure AMSI is turned on and configured to "Full Mode." This feature, when paired with a solution like Defender Antivirus, can "stop unauthenticated attackers from exploiting this vulnerability," according to the company's advisory. For those who cannot enable AMSI, Microsoft recommends disconnecting the server from the internet until it can be patched.
Rotate SharePoint Server ASP.NET Machine Keys: This is arguably the most critical step beyond patching. Rotating the machine keys invalidates any keys stolen by attackers, effectively locking them out of the backdoors they created. This must be done after the security updates are applied. The rotation can be performed via PowerShell or through the SharePoint Central Administration site.
Restart Internet Information Services (IIS): Following the key rotation, a full restart of IIS on all SharePoint servers is necessary for the new keys to take effect.
Hunt for Indicators of Compromise (IOCs): Microsoft and other security firms have published IOCs, such as the file name of the web shell (spinstall0.aspx and its variants) and IP addresses associated with the attackers. Security teams should be actively hunting for these indicators in their environments.
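The key-rotation, IIS-restart and web-shell hunt steps above, as an added PowerShell example that is not from the original article or from Microsoft's advisory. It assumes the SharePoint Management Shell snap-in, the Update-SPMachineKey cmdlet (available in SharePoint Server 2019 and Subscription Edition), and the default 16-hive LAYOUTS and IIS log paths; verify each against your version's documentation before running.

```powershell
# Added example (not from the article). Run in an elevated SharePoint Management Shell
# on each SharePoint server, only after the July 2025 security updates are installed.
# Assumptions: Update-SPMachineKey is available (SharePoint Server 2019 / Subscription
# Edition); the paths below are the default 16-hive and IIS log locations.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Rotate the ASP.NET machine keys for every web application, including Central
#    Administration, so keys stolen via ToolShell no longer validate forged __VIEWSTATE.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 2. Restart IIS so the worker processes pick up the new keys.
iisreset

# 3. Hunt for the spinstall0.aspx web shell and its variants in the LAYOUTS folder.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$shells = Get-ChildItem -Path $layouts -Recurse -File -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue
if ($shells) {
    Write-Warning "Possible web shell(s) found; isolate the server and begin incident response:"
    $shells | Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc | Format-Table -AutoSize
} else {
    Write-Host "No spinstall*.aspx files found under LAYOUTS."
}

# 4. Check IIS request logs for any hits on the web shell name (default log location).
Get-ChildItem -Path 'C:\inetpub\logs\LogFiles' -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'spinstall0' -SimpleMatch |
    Select-Object Path, LineNumber, Line
```

A clean file search does not prove the server was never compromised, since attackers may remove the shell after stealing the keys; the rotation step is what actually invalidates stolen secrets.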
Proactive Vigilance
This large-scale SharePoint attack is a stark reminder of the persistent and evolving threats facing organizations that hold valuable data. For the legal and intellectual property sectors, the risk is existential.
While technologies that facilitate collaboration are indispensable, their security cannot be an afterthought.
IP owners and legal counsel should engage their security teams immediately to confirm not only that patches have been deployed but that the crucial step of machine key rotation has been completed.
This incident serves as an important catalyst for reviewing data governance policies and understanding precisely where sensitive information resides. In an environment where state-sponsored actors are actively targeting intellectual property, a cautious, risk-averse, and proactive security posture is the only viable path forward.
Disclaimer: This is provided for informational purposes only and does not constitute legal or financial advice. To the extent there are any opinions in this article, they are the author’s alone and do not represent the beliefs of his firm or clients. The strategies expressed are purely speculation based on publicly available information. The information expressed is subject to change at any time and should be checked for completeness, accuracy and current applicability. For advice, consult a suitably licensed attorney and/or patent professional.