Wide-spread Microsoft security intrusion detected in Germany

Unidentified attackers are using a novel infiltration technique to compromise the digital systems of corporations and government bodies around the world, including the USA and Germany. Several nations have been affected.

In a concerning development, a wave of active cyberattacks has been targeting multiple zero-day vulnerabilities in Microsoft's on-premises SharePoint Servers. The vulnerabilities, identified as CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, and CVE-2025-49706, collectively known as ToolShell, have led to the compromise of hundreds of SharePoint servers worldwide.

These compromises have affected a wide range of organisations, including government bodies, critical infrastructure, universities, and private sectors across Europe, with Germany reporting a significant number of cases. The EU Agency for Cybersecurity (ENISA), the European Commission, CERT-EU, and CSIRTs are closely monitoring the situation and advising all on-premises SharePoint users, particularly those falling under the NIS Directive, to assess and mitigate exposure immediately.

Microsoft issued emergency patches starting in early July 2025, but attackers quickly found bypasses around these updates, escalating attacks throughout the month. The attackers are believed to be primarily affiliated with Chinese nation-state groups, specifically Linen Typhoon, Violet Typhoon, and Storm-2603. Early incidents of exploitation have sometimes led to secondary infections like the Warlock ransomware.

Despite the patches, the danger from the SharePoint vulnerabilities has not passed. Attackers may already have established a foothold in a system before the update was installed, and not all companies have installed the security update Microsoft provided.

The attackers are not limited to targeting large corporations. The vulnerabilities have affected 396 compromised servers worldwide, spread across 145 organisations, ten of which are headquartered in Germany. The European SME sector, which often relies on on-premises deployments in its own data centres, is particularly vulnerable.

Criminal groups are using compromised SharePoint access for various malicious activities, not just ransomware attacks. In ransomware attacks, attackers encrypt the data of victims and attempt to extort ransom. Mauritius, with its advancing digitalization, role as a regional financial center, and well-developed digital infrastructure, is increasingly becoming a target of cybercrime.

Eye Security experts warn that criminal groups are now also active, using compromised SharePoint access for potential ransomware attacks. The United States has the highest number of confirmed cases at 18%, followed by Mauritius with 8%.

In response to these threats, it's crucial for organisations to prioritise security updates, implement continuous monitoring, and stay vigilant against cyber threats.

Technology experts are advising all users of on-premises SharePoint servers, particularly those in the European Union, to promptly install the emergency patches issued by Microsoft, as the ToolShell vulnerabilities continue to pose a threat. General-news outlets report that the vulnerabilities are being exploited by Chinese nation-state groups for various malicious activities, including ransomware attacks, and warn that cybersecurity should be a top priority for businesses in light of the ongoing risks.
