Multiple organisations have now been hit by Warlock ransomware deployed on their systems via the dangerous ToolShell vulnerability chain in Microsoft SharePoint Server, Microsoft has revealed.
Earlier this week, Microsoft said that known Chinese state threat actors, Linen Typhoon and Violet Typhoon, were among those exploiting two security bypass vulnerabilities – CVE-2025-53770, which bypasses a remote code execution (RCE) flaw tracked as CVE-2025-49704, and CVE-2025-53771, which bypasses a spoofing flaw, CVE-2025-49706.
It also tentatively attributed some activity to an as-yet unclassified threat actor, Storm-2603, noting that this group had demonstrated some ties to ransomware gangs such as LockBit in the past.
Having firmed up a link to Warlock, Microsoft has now updated information on attribution, indicators of compromise (IoCs), mitigation and protection guidance, and detection and threat hunting.
As of 23 July, data sourced from the Shadowserver Foundation suggests close to 600 SharePoint instances are exposed to the web in the UK – the global figure is closer to 11,000.
Worldwide, the organisation said that about 424 of the total remained vulnerable to CVE-2025-53770 and CVE-2025-53771 as of 23 July. About a quarter of these instances are located in the US.
In a statement, the UK’s National Cyber Security Centre (NCSC) said: “Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks targeting on-premises SharePoint Server customers, including a limited number in the UK.”
At the time of writing, no ToolShell victims in the UK have been publicly named. In the US, according to Bloomberg – which cited sources familiar with the incident – the National Nuclear Security Administration (NNSA) is among those to have fallen victim.
The NNSA’s core mission is to assure the safe maintenance and management of US nuclear weapons.
Confirmed by the Department of Energy, which it ultimately sits within, the NNSA was described as “minimally impacted” by the attack.
The agency said that other US federal and state bodies, and governments in Europe and the Middle East, had likely been affected, while the Washington Post has added the National Institute of Health (NIH) to the list.
SharePoint users left completely exposed
Kevin Robertson, chief technology officer at managed detection and response (MDR) specialist Acumen Cyber, said the failure of the first patches for CVE-2025-49704 and CVE-2025-29706 to fully address the earlier issues – both addressed in the July 2025 Patch Tuesday drop – had left organisations completely exposed.
“The attackers turning to ransomware are clearly taking advantage of CVE 2025-53770 to gain further access to environments, encrypting sensitive information, before executing ransomware hoping to get a big paycheck,” said Robertson.
“This highlights that it’s not just state-sponsored threat actors benefiting from this dangerous vulnerability. Money-motivated attackers are also jumping on the bandwagon. ”
However, some state-sponsored attackers will also be using ransomware. They could be conducting reconnaissance on networks and then, when they have what they need, dropping ransomware to cause further chaos for victims.
“While we now have data saying 400 victims have been compromised, this could be a drop in the ocean in comparison with the reality. Furthermore, not all organisations will have been able to apply the patch yet, meaning their environments are still wide open,” he added.
