Article Details

Microsoft Links Ongoing SharePoint Exploits to Three Chinese Hacker Groups. Microsoft has formally tied the exploitation of security flaws in internet-facing SharePoint Server instances to two Chinese hacking groups called Linen Typhoon and Violet Typhoon as early as July 7, 2025, corroborating earlier reports. The tech giant said it also observed a third China-based threat actor, which it tracks as Storm-2603, weaponizing the flaws as well to obtain initial access to target organizations. "With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems," the tech giant said in a report published today. A brief description of the threat activity clusters is below - The vulnerabilities, which affect on-premises SharePoint servers, have been found to leverage incomplete fixes for CVE-2025-49706, a spoofing flaw, and CVE-2025-49704, a remote code execution bug. The bypasses have been assigned the CVE identifiers CVE-2025-53771 and CVE-2025-53770, respectively. In the attacks observed by Microsoft, the threat actors have been found exploiting on-premises SharePoint servers through a POST request to the ToolPane endpoint, resulting in an authentication bypass and remote code execution. As disclosed by other cybersecurity vendors, the infection chains pave the way for the deployment of a web shell named "spinstall0.aspx" (aka spinstall.aspx, spinstall1.aspx, or spinstall2.aspx) that allows the adversaries to retrieve and steal MachineKey data. To mitigate the risk posed by the threat, it's essential that users apply the latest update for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions. It's also recommended to integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or similar solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode. "Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately," Microsoft said.