Microsoft has formally tied the exploitation of security flaws in internet-facing SharePoint Server instances to two Chinese hacking groups called Linen Typhoon and Violet Typhoon as early as July 7, 2025, corroborating earlier reports.
The tech giant said it also observed a third China-based threat actor, which it tracks as Storm-2603, weaponizing the flaws as well to obtain initial access to target organizations.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the tech giant said in a report published today.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
A brief description of the threat activity clusters is below –
- Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), which is active since 2012 and has been previously attributed to malware families like SysUpdate, HyperBro, and PlugX
- Violet Typhoon (aka APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), which is active since 2015 and has been previously attributed attacks targeting the United States, Finland, and Czechia
- Storm-2603, a suspected China-based threat actor that has deployed Warlock and LockBit ransomware in the past
The vulnerabilities, which affect on-premises SharePoint servers, have been found to leverage incomplete fixes for CVE-2025-49706, a spoofing flaw, and CVE-2025-49704, a remote code execution bug. The bypasses have been assigned the CVE identifiers CVE-2025-53771 and CVE-2025-53770, respectively.
In the attacks observed by Microsoft, the threat actors have been found exploiting on-premises SharePoint servers through a POST request to the ToolPane endpoint, resulting in an authentication bypass and remote code execution.
As disclosed by other cybersecurity vendors, the infection chains pave the way for the deployment of a web shell named “spinstall0.aspx” (aka spinstall.aspx, spinstall1.aspx, or spinstall2.aspx) that allows the adversaries to retrieve and steal MachineKey data.
To mitigate the risk posed by the threat, it’s essential that users apply the latest update for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.
It’s also recommended to integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or similar solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode.
“Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately,” Microsoft said.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access