Infosecurity Magazine reports that Cisco's recent Quarterly Trends report found a significant increase in attacks exploiting public-facing applications, driven largely by the ToolShell exploit targeting on-premises Microsoft SharePoint servers.

According to the report, this tactic was observed in more than 60% of Cisco Talos Incident Response cases in the latest quarter, compared to just 10% in the previous one. Nearly 40% of those engagements involved ToolShell activity, with Cisco attributing the surge to two major SharePoint vulnerabilities, known as CVE-2025-53770 and CVE-2025-53771, in mid-July 2025.

These flaws have been exploited by China-based groups Linen Typhoon and Violet Typhoon in campaigns targeting government, defense, academic, and nonprofit sectors. Almost all Talos IR engagements responding to ToolShell activity kicked off within the following 10 days, Cisco said in its report.

The company emphasized the need for stronger network segmentation and consistent patching, warning that unpatched SharePoint servers could enable attackers to move laterally and deploy ransomware within internal environments.
Vulnerability Management
ToolShell exploit drives sharp increase in attacks on public-facing applications, Cisco finds




