Overview

• Shadowserver Foundation identified 104 unpatched SharePoint servers in Germany vulnerable to ToolShell, ranking the country second only to the U.S. in global exposure.
• Microsoft released security updates Saturday to address the critical ToolShell zero-day in on-premises SharePoint, which carries a CVSS score of 9.8.
• CISA and the FBI have opened investigations into the breaches and are coordinating with private and public sector partners on mitigation efforts.
• Attackers have exploited the flaw to infiltrate dozens of government and corporate networks, stealing data, passwords and machine keys for persistent access.
• Mandiant Consulting traced at least one initial exploit to a China-linked threat actor while attribution of other intrusions remains under analysis.