Chinese Hackers Target SharePoint Servers with Active 0-Day Exploit

Microsoft has issued urgent security warnings following the discovery of active exploitation campaigns targeting on-premises SharePoint servers, with Chinese nation-state actors leveraging multiple critical vulnerabilities to compromise organizational infrastructure.

The attacks, which began as early as July 7, 2025, have prompted immediate security updates and comprehensive mitigation guidance from the technology giant.

Multiple CVEs Enable Remote Code Execution

The active exploitation involves four distinct vulnerabilities affecting on-premises SharePoint deployments: CVE-2025-49706 (spoofing vulnerability), CVE-2025-49704 (remote code execution), CVE-2025-53770 (SharePoint ToolShell Auth Bypass and RCE), and CVE-2025-53771 (SharePoint ToolShell Path Traversal).

These vulnerabilities exclusively impact on-premises SharePoint Server installations, including versions 2016, 2019, and Subscription Edition, while SharePoint Online in Microsoft 365 remains unaffected.

Microsoft has observed threat actors conducting reconnaissance through POST requests to the ToolPane endpoint, subsequently deploying malicious web shells named spinstall0.aspx and variants such as spinstall.aspx, spinstall1.aspx, and spinstall2.aspx.

The web shell contains commands designed to retrieve MachineKey data through GET requests, enabling threat actors to steal critical authentication material.
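The two request patterns described above (POST requests to the ToolPane endpoint, then requests for spinstall*.aspx web shells) can be hunted for in IIS W3C logs. The script below is an added detection example, not code from Microsoft or from this article; the log lines are constructed samples and the `/_layouts/15/` paths are assumed for illustration.

```python
"""Flag IIS requests matching the ToolShell activity Microsoft describes:
POST requests to ToolPane.aspx and any request for spinstall*.aspx web shells.
The log below is a constructed sample in IIS W3C extended format, not real traffic."""
import re
from typing import Dict, Iterable, List

# Constructed sample log; the #Fields header drives the column lookup.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 10:01:02 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 10.0.0.5 200
2025-07-18 10:03:11 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 200
2025-07-18 10:03:12 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 200
2025-07-18 10:05:40 GET /_layouts/15/start.aspx - 10.0.0.9 200
2025-07-18 10:07:55 GET /_layouts/15/spinstall2.aspx - 203.0.113.7 200
"""

# Matches spinstall.aspx, spinstall0.aspx, spinstall1.aspx, spinstall2.aspx, ...
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_toolshell_indicators(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, tagged with the rule that fired."""
    findings: List[Dict[str, str]] = []
    for row in parse_w3c(log_text.splitlines()):
        stem = row.get("cs-uri-stem", "")
        if row.get("cs-method") == "POST" and stem.lower().endswith("/toolpane.aspx"):
            findings.append({"rule": "toolpane-post", "ip": row["c-ip"], "uri": stem})
        elif WEBSHELL_RE.search(stem):  # any method: the shell is read via GET
            findings.append({"rule": "spinstall-webshell", "ip": row["c-ip"], "uri": stem})
    return findings


if __name__ == "__main__":
    for finding in find_toolshell_indicators(SAMPLE_LOG):
        print(finding)
```

A ToolPane POST followed shortly by a spinstall request from the same client IP is the sequence to escalate first.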

Chinese Nation-State Actors Lead Exploitation Campaign

Three distinct Chinese threat groups have been identified as primary actors in these attacks: Linen Typhoon, Violet Typhoon, and Storm-2603.

Linen Typhoon, active since 2012, focuses on intellectual property theft targeting government, defense, and human rights organizations.

Violet Typhoon, operational since 2015, conducts espionage against former government personnel, NGOs, think tanks, and educational institutions across the United States, Europe, and East Asia.

Storm-2603 represents a particularly concerning development, with Microsoft tracking this China-based actor specifically for attempts to steal ASP.NET machine keys via SharePoint vulnerabilities.

While the group has previously deployed Warlock and Lockbit ransomware, Microsoft cannot confidently assess their current objectives.

Immediate Security Updates and Mitigation Required

Microsoft has released comprehensive security updates addressing all affected vulnerabilities, with specific knowledge base articles including KB5002768 for SharePoint Server Subscription Edition, KB5002754/KB5002753 for SharePoint Server 2019, and KB5002760/KB5002759 for SharePoint Server 2016.

Critical mitigation steps include enabling Antimalware Scan Interface (AMSI) integration in Full Mode, deploying Microsoft Defender Antivirus, and rotating the SharePoint servers' ASP.NET machine keys, followed by an Internet Information Services (IIS) restart using iisreset.exe.

Organizations can perform the key rotation from PowerShell with the Set-SPMachineKey cmdlet.

The rapid adoption of these exploits has prompted Microsoft to assess with high confidence that additional threat actors will integrate these vulnerabilities into their attack arsenals, emphasizing the critical need for immediate patching and security hardening measures.
