Critical SharePoint Vulnerabilities Exploited by Chinese Threat Actors, Leading to Ransomware Attacks
On July 19, 2025, Microsoft disclosed active exploitation of two critical vulnerabilities in on-premises SharePoint Server, CVE-2025-49706 (spoofing) and CVE-2025-49704 (remote code execution), neither of which affects SharePoint Online. Microsoft released security updates for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition that patch these flaws together with two additional vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which address bypasses of the original fixes. Because the later CVEs are bypasses, servers that only received the earlier July updates remain exposed until the newer updates are applied.
Threat Actors & Exploitation
Microsoft has observed three Chinese threat groups exploiting these vulnerabilities:
- Linen Typhoon (active since 2012, targeting government, defense, and human rights organizations).
- Violet Typhoon (active since 2015, focusing on espionage against former military personnel, NGOs, and media).
- Storm-2603 (a China-based actor deploying Warlock ransomware since July 18, 2025).
Exploitation begins with a crafted POST request to the ToolPane endpoint (ToolPane.aspx under the _layouts path), which lets an unauthenticated attacker bypass authentication and execute code on the server. A successful breach is followed by deployment of a web shell (e.g., spinstall0.aspx) that reads the server's ASP.NET MachineKey configuration. The stolen validation and decryption keys let the attacker forge trusted ViewState payloads, so code execution survives removal of the web shell; this is why the machine keys must be rotated after patching, not merely the shell deleted. From there the actors move laterally with tools such as Mimikatz, PsExec, and Impacket.
Storm-2603’s Ransomware Attack Chain
- Initial Access: Exploits SharePoint vulnerabilities to deploy spinstall0.aspx web shells.
- Discovery: Runs whoami and other commands to enumerate privileges.
- Persistence: Creates scheduled tasks and manipulates IIS components to load malicious .NET assemblies.
- Credential Theft: Uses Mimikatz to extract credentials from LSASS memory.
- Lateral Movement: Leverages PsExec, WMI, and Impacket to spread across networks.
- Ransomware Deployment: Modifies Group Policy Objects (GPOs) to distribute Warlock ransomware.
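The request pattern at the start of this chain (a POST to the ToolPane endpoint, then requests to the dropped spinstall web shell) is visible in ordinary IIS W3C logs. The following triage script is an added example and is not code from Microsoft or from the advisory. It assumes the standard IIS W3C field names, and it treats a POST to ToolPane.aspx whose Referer is the SignOut page as the exploitation signature; that Referer condition is an assumption taken from public reporting and from the name of Microsoft's detection (Exploit:Script/SuspSignoutReq.A), not something this page states. The log lines are constructed for illustration.

```python
"""Triage IIS W3C logs for the SharePoint ToolPane exploitation pattern.

Added example, not Microsoft's code. Assumptions: standard IIS W3C field
names; the SignOut.aspx Referer on the ToolPane POST comes from public
reporting and the SuspSignoutReq detection name, not from this page.
"""
import re
from urllib.parse import unquote

# Exploitation signature: POST to ToolPane.aspx with the SignOut page as Referer.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)
# Post-exploitation signature: any request for a spinstall*.aspx web shell.
WEBSHELL_RE = re.compile(r"/_layouts/(?:\d+/)?spinstall[0-9a-z]*\.aspx$", re.IGNORECASE)

# Constructed sample log: a benign page view, an exploitation attempt, a web
# shell hit, and a legitimate ToolPane POST from an authenticated admin session.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:15:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.1.22 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 45
2025-07-18 10:15:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.40 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 812
2025-07-18 10:15:33 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.40 Mozilla/5.0 - 200 0 0 30
2025-07-18 10:16:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.9 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200 0 0 120
"""


def parse_iis_log(text):
    """Yield one dict per entry, naming columns from the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return tags for one entry; empty list means nothing suspicious."""
    tags = []
    method = entry.get("cs-method", "").upper()
    path = unquote(entry.get("cs-uri-stem", ""))
    referer = unquote(entry.get("cs(Referer)", ""))
    if method == "POST" and TOOLPANE_RE.search(path) and SIGNOUT_RE.search(referer):
        tags.append("toolpane-exploit-attempt")
    if WEBSHELL_RE.search(path):
        tags.append("spinstall-webshell-access")
    return tags


def triage(text):
    """Return findings as (client_ip, tag, path) tuples in log order."""
    findings = []
    for entry in parse_iis_log(text):
        for tag in classify(entry):
            findings.append((entry.get("c-ip"), tag, entry.get("cs-uri-stem")))
    return findings


if __name__ == "__main__":
    for ip, tag, path in triage(SAMPLE_LOG):
        print(f"{ip:15} {tag:28} {path}")
```

The legitimate admin POST to ToolPane.aspx in the sample is deliberately not flagged: ToolPane is a normal editing endpoint, and the distinguishing signal is the combination of method, path and the SignOut Referer. Any hit on a spinstall*.aspx path is worth an immediate look regardless of status code, since a 404 still shows an attacker probing for a shell.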
Mitigation & Detection
Microsoft urges organizations to:
- Apply the latest SharePoint security updates immediately (the ones that cover CVE-2025-53770 and CVE-2025-53771, not only the earlier July updates).
- Enable Antimalware Scan Interface (AMSI) integration in Full Mode and deploy Microsoft Defender Antivirus on all SharePoint servers.
- After patching, rotate the SharePoint ASP.NET machine keys on every server in the farm and then restart IIS. The order matters: keys rotated before the patch is applied can simply be stolen again, and patching alone does not revoke keys already taken.
- Monitor for IOCs, including:
  - Web shells (spinstall0.aspx, spinstall1.aspx).
  - Malicious files (IIS_Server_dll.dll, SharpHostInfo.x64.exe).
  - C2 domains (update[.]updatemicfosoft[.]com, msupdate[.]updatemicfosoft[.]com).
  - IP addresses (65.38.121[.]198, 131.226.2[.]6).
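The IOCs above are published defanged, so they need refanging before they can be matched, and file indicators should be matched on the basename wherever the file lands. The scanner below is an added example, not Microsoft's code; it takes the IOC values exactly as listed in this section, refangs them, and runs them over constructed DNS, firewall and file-creation log lines. Matching on hostnames (exact or subdomain), parsed IP addresses and file basenames avoids the false positives a plain substring search would produce, such as the similar-looking but unrelated address in the last sample line.

```python
"""Match the published (defanged) IOCs against mixed log lines.

Added example, not Microsoft's code. The IOC values are the ones listed in the
text above; the log lines are constructed for illustration.
"""
import ipaddress
import re

DEFANGED_IOCS = {
    "domains": ["update[.]updatemicfosoft[.]com", "msupdate[.]updatemicfosoft[.]com"],
    "ips": ["65.38.121[.]198", "131.226.2[.]6"],
    "files": ["spinstall0.aspx", "spinstall1.aspx", "IIS_Server_dll.dll", "SharpHostInfo.x64.exe"],
}

# Constructed sample lines: a DNS query, a firewall flow, a benign DNS query,
# a file-creation event, and a flow to an address that merely resembles an IOC.
SAMPLE_LINES = [
    "2025-07-19T03:12:44Z dns 10.0.0.5 query A msupdate.updatemicfosoft.com",
    "2025-07-19T03:12:45Z fw 10.0.0.5:52144 -> 131.226.2.6:443 TCP allow",
    "2025-07-19T03:13:01Z dns 10.0.0.5 query A update.microsoft.com",
    "2025-07-19T03:14:10Z fs create C:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\80\\_layouts\\15\\spinstall0.aspx",
    "2025-07-19T03:20:00Z fw 10.0.1.9:49332 -> 131.226.20.6:443 TCP allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
FILE_RE = re.compile(r"[\w.-]+\.(?:aspx|dll|exe)\b", re.IGNORECASE)


def refang(value):
    """Turn defanged notation ([.] and hxxp) back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def build_matchers(iocs):
    """Normalise the IOC lists into sets suitable for exact comparison."""
    domains = {refang(d) for d in iocs["domains"]}
    ips = {ipaddress.ip_address(refang(i)) for i in iocs["ips"]}
    files = {f.lower() for f in iocs["files"]}
    return domains, ips, files


def domain_matches(name, domains):
    """True if name equals an IOC domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_line(line, matchers):
    """Return (kind, value) hits for one line; IPs are compared as addresses."""
    domains, ips, files = matchers
    hits = []
    for ip in IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(ip) in ips:
                hits.append(("ip", ip))
        except ValueError:
            pass  # digit run that is not a valid address, e.g. 999.1.1.1
    for host in HOST_RE.findall(line):
        if domain_matches(host, domains):
            hits.append(("domain", host.lower()))
    for fname in FILE_RE.findall(line):
        if fname.lower() in files:  # basename match, independent of path
            hits.append(("file", fname))
    return hits


def scan(lines, iocs=DEFANGED_IOCS):
    """Return (line_index, kind, value) for every IOC hit across the lines."""
    matchers = build_matchers(iocs)
    return [(i, kind, value) for i, line in enumerate(lines)
            for kind, value in scan_line(line, matchers)]


if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_LINES):
        print(f"line {idx}: {kind} IOC {value}")
```

Microsoft's full indicator list is longer than the excerpt on this page; extend the three lists in DEFANGED_IOCS with the remaining published values and the same matching logic applies. Keep the file matching on basename: the web shells were observed under the SharePoint LAYOUTS directory, but a copy elsewhere is just as much a finding.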
Microsoft Defender Protections
Microsoft Defender XDR detects and blocks:
- Exploitation attempts (Exploit:Script/SuspSignoutReq.A).
- Web shell activity, in particular attempts to read the ASP.NET machine keys (Trojan:PowerShell/MachineKeyFinder.DA!amsi).
- Ransomware behavior (Ransomware-linked threat actor detected).
Organizations using Microsoft Defender Vulnerability Management or External Attack Surface Management (EASM) can identify exposed SharePoint instances and track remediation efforts.
Exploitation activity is expected to increase rapidly, with additional threat actors likely adopting these vulnerabilities. Immediate patching and monitoring are critical to preventing compromise.
Microsoft_SharePoint cybersecurity rating report: https://www.rankiteo.com/company/microsoft_sharepoint
"id": "MIC1768636894",
"linkid": "microsoft_sharepoint",
"type": "Vulnerability",
"date": "6/2012",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Government',
'Defense',
'NGOs',
'Media',
'Human Rights'],
'location': 'Global',
'name': 'Microsoft SharePoint Server Users',
'type': 'Organizations'}],
'attack_vector': 'Exploitation of SharePoint vulnerabilities (CVE-2025-49706, '
'CVE-2025-49704)',
'data_breach': {'data_encryption': 'Yes (Warlock ransomware)',
'sensitivity_of_data': 'High (credentials, internal '
'communications, proprietary data)',
'type_of_data_compromised': ['Credentials',
'Sensitive organizational data']},
'date_detected': '2025-07-18',
'date_publicly_disclosed': '2025-07-19',
'description': 'On July 19, 2025, Microsoft disclosed active exploitation of '
'two critical vulnerabilities in on-premises SharePoint '
'servers (CVE-2025-49706 and CVE-2025-49704). These '
'vulnerabilities were exploited by three Chinese threat groups '
'(Linen Typhoon, Violet Typhoon, and Storm-2603) to deploy web '
'shells, steal credentials, and distribute Warlock ransomware. '
'Microsoft released security updates for SharePoint Server '
'2016, 2019, and Subscription Edition to patch these flaws.',
'impact': {'data_compromised': 'Credentials, sensitive data via web shells '
'and lateral movement',
'identity_theft_risk': 'High (credential theft via Mimikatz)',
'operational_impact': 'Lateral movement, ransomware deployment, '
'potential data exfiltration',
'systems_affected': 'On-premises SharePoint servers (2016, 2019, '
'Subscription Edition)'},
'initial_access_broker': {'backdoors_established': 'Web shells '
'(spinstall0.aspx, '
'spinstall1.aspx)',
'entry_point': 'Exploitation of SharePoint '
'vulnerabilities (POST request to '
'ToolPane endpoint)',
'high_value_targets': ['Government',
'Defense',
'NGOs',
'Media']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Immediate patching and monitoring are critical to '
'preventing exploitation of critical vulnerabilities. '
'Organizations should rotate machine keys and enable AMSI '
'to detect web shell activity.',
'motivation': ['Financial gain', 'Espionage'],
'post_incident_analysis': {'corrective_actions': ['Patch management '
'improvements',
'Enhanced monitoring for '
'web shell activity',
'Credential rotation and '
'machine key updates'],
'root_causes': 'Unpatched SharePoint '
'vulnerabilities (CVE-2025-49706, '
'CVE-2025-49704)'},
'ransomware': {'data_encryption': 'Yes', 'ransomware_strain': 'Warlock'},
'recommendations': ['Apply SharePoint security updates immediately',
'Enable AMSI in Full Mode and deploy Microsoft Defender '
'Antivirus',
'Rotate SharePoint ASP.NET machine keys and restart IIS '
'after patching',
'Monitor for IOCs (web shells, malicious files, C2 '
'domains/IPs)',
'Use Microsoft Defender Vulnerability Management or EASM '
'to identify exposed SharePoint instances'],
'references': [{'date_accessed': '2025-07-19',
'source': 'Microsoft Security Response Center'}],
'response': {'containment_measures': ['Apply SharePoint security updates',
'Enable AMSI in Full Mode',
'Deploy Microsoft Defender Antivirus',
'Rotate SharePoint ASP.NET machine keys',
'Restart IIS after patching'],
'enhanced_monitoring': 'Microsoft Defender XDR '
'(Exploit:Script/SuspSignoutReq.A, '
'Trojan:PowerShell/MachineKeyFinder.DA!amsi, '
'Ransomware-linked threat actor detected)',
'remediation_measures': ['Patch SharePoint servers',
'Monitor for IOCs (web shells, '
'malicious files, C2 domains)']},
'stakeholder_advisories': 'Microsoft urges organizations to apply patches and '
'monitor for exploitation activity.',
'threat_actor': ['Linen Typhoon', 'Violet Typhoon', 'Storm-2603'],
'title': 'Critical SharePoint Vulnerabilities Exploited by Chinese Threat '
'Actors, Leading to Ransomware Attacks',
'type': ['Ransomware', 'Espionage'],
'vulnerability_exploited': ['CVE-2025-49706',
'CVE-2025-49704',
'CVE-2025-53770',
'CVE-2025-53771']}