Microsoft identifies China-linked state-sponsored hackers among entities aiming attacks on SharePoint platforms
Breaking News: Global Cyber Attacks Exploit Vulnerabilities in Microsoft SharePoint Servers
A wave of cyber attacks is currently underway, exploiting vulnerabilities in Microsoft SharePoint servers. The vulnerabilities, tracked as CVE-2025-49706 (a spoofing vulnerability) and CVE-2025-49704 (a remote code execution vulnerability), have been actively exploited by various threat actors, including China-linked hacker teams.
The attacks have compromised dozens of organizations worldwide, including several governments and companies across a wide range of industries. Microsoft has confirmed the involvement of three China-linked actors: Linen Typhoon, Violet Typhoon, and a third group, not otherwise identified, that Microsoft tracks as Storm-2603.
Linen Typhoon is known for targeting government, defense industries, and strategic planning organizations, while Violet Typhoon focuses on government and military officials, non-government organizations, higher education, digital and print media, financial firms, and healthcare organizations in the U.S., Europe, and East Asia. Storm-2603 has been observed deploying the Warlock and LockBit ransomware strains after gaining initial access.
The attacks follow a consistent pattern. First, an attacker exploits CVE-2025-49706 by sending a specially crafted HTTP POST request that bypasses authentication and reaches SharePoint's ToolPane.aspx component. That foothold is then used to exploit CVE-2025-49704, an insecure deserialization vulnerability, to deploy a malicious ASPX webshell that can run arbitrary PowerShell commands.
The webshell extracts cryptographic secrets from SharePoint's configuration, allowing persistent remote access that is hard to detect. Because those secrets are the keys SharePoint uses to validate ViewState, the attack payloads pass the standard ViewState tamper checks and execute within SharePoint's legitimate process, blending with normal traffic and evading detection.
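As an added defensive example (not code from the article or from any vendor it cites), the PowerShell function below scans IIS W3C log lines on a SharePoint server for POST requests to ToolPane.aspx, the component the article says the authentication bypass is aimed at. The column names are read from the log's own `#Fields:` header (the IIS default layout), the sample log lines are constructed, and the page name `ToolPane.aspx` is taken from the article's description rather than from any vendor signature.

```powershell
# Added example, not from the article: hunt IIS W3C logs on a SharePoint
# server for POST requests to ToolPane.aspx, the page the article says the
# authentication bypass targets. Column names come from the log's own
# "#Fields:" header (the IIS default layout); sample lines are constructed.

function Find-ToolPanePosts {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        # Assumption: the target page name is taken from the article's description
        [string]$TargetPage = 'ToolPane.aspx'
    )
    $fields = $null
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # Remember the column order declared by this log file
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { continue }                    # no header yet, cannot map columns
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # malformed line, skip it
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -like "*/$TargetPage") {
            $hits.Add([pscustomobject]@{
                Time            = "$($row['date']) $($row['time'])"
                Client          = $row['c-ip']
                Uri             = $row['cs-uri-stem']
                # '-' means IIS recorded no authenticated user, which is what a
                # request that bypassed authentication looks like in the log
                Unauthenticated = ($row['cs-username'] -eq '-')
                Status          = $row['sc-status']
            })
        }
    }
    return $hits
}

# Constructed sample excerpt in the default IIS W3C layout
$sampleText = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2025-07-19 10:03:47 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 310
2025-07-19 10:03:52 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 95
2025-07-19 10:05:09 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\bob 10.0.0.33 Mozilla/5.0 - 200 0 0 60
'@
$sample = $sampleText -split "`r?`n"

# On a real server, replace $sample with Get-Content over the IIS log files
$hits = Find-ToolPanePosts -LogLines $sample
$hits | Format-Table -AutoSize
# Group by client so a burst of unauthenticated POSTs from one address stands out
$hits | Group-Object Client | Select-Object Name, Count
```

Legitimate editing sessions can also POST to ToolPane.aspx, so treat the output as a triage list: unauthenticated POSTs (no `cs-username`) from addresses that have no other normal activity in the logs are the ones worth examining first.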
Microsoft has patched these vulnerabilities and assigned them new CVEs: CVE-2025-53770 and CVE-2025-53771, respectively. However, the company is still investigating exploitation by other threat actors and has warned that more hackers will integrate the new vulnerabilities into their attacks on unpatched on-premises SharePoint servers.
Researchers at Palo Alto Networks, Rapid7, and other cybersecurity firms have reported active exploitation of these vulnerabilities in customer environments. The Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2025-53770 and CVE-2025-49704 to its Known Exploited Vulnerabilities catalog, urging immediate patching and recommending security best practices.
Microsoft urges organizations to enable AMSI and Defender Antivirus on SharePoint servers, rotate ASP.NET machine keys, and deploy endpoint detection solutions to mitigate risk. In a statement, the company emphasized the critical nature of these vulnerabilities, stating, "These attacks are actively exploited by sophisticated threat actors targeting unpatched systems."
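As an added example (not Microsoft's script), the PowerShell below performs the machine-key rotation step the article recommends: it rotates the ASP.NET machine keys of every SharePoint web application and then restarts IIS on the local server. It assumes the SharePoint PowerShell snap-in and the `Update-SPMachineKey` cmdlet are present on the server; the article does not name that cmdlet, so its use here is an assumption based on SharePoint's administration cmdlets.

```powershell
# Added example, not Microsoft's script: rotate the ASP.NET machine keys of
# every SharePoint web application after patching, then restart IIS locally
# so the new keys are picked up. Assumes the SharePoint PowerShell snap-in
# and the Update-SPMachineKey cmdlet are present on this server (the cmdlet
# name is an assumption from SharePoint's admin cmdlets; the article does
# not name it). Run in an elevated SharePoint Management Shell.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

function Invoke-SPMachineKeyRotation {
    param([switch]$RestartIis)
    $results = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        try {
            # Generates fresh validation/decryption keys for this web application
            Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
            [pscustomobject]@{ WebApplication = $wa.DisplayName; Url = $wa.Url; Rotated = $true;  Error = $null }
        } catch {
            [pscustomobject]@{ WebApplication = $wa.DisplayName; Url = $wa.Url; Rotated = $false; Error = $_.Exception.Message }
        }
    }
    if ($RestartIis -and @($results | Where-Object Rotated).Count -gt 0) {
        # iisreset only restarts IIS on this host; repeat on every server in the farm
        & iisreset.exe /noforce | Out-Null
    }
    return $results
}

Invoke-SPMachineKeyRotation -RestartIis | Format-Table -AutoSize
```

Run this only after the security update has been installed, and on every SharePoint server in the farm, since `iisreset` affects the local host alone. Any web application that reports `Rotated = False` still carries keys that may already have been stolen and needs a second attempt or a manual rotation from Central Administration.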
- With ransomware deployment ongoing, cybersecurity experts urge general-news outlets to stress the importance of cybersecurity in their coverage; the attacks exploit two vulnerabilities in Microsoft SharePoint servers, CVE-2025-49706 and CVE-2025-49704.
- The China-linked groups Linen Typhoon, Violet Typhoon, and Storm-2603 are involved, with Storm-2603 observed deploying Warlock and LockBit ransomware after gaining access to compromised systems.
- Microsoft, security firms such as Palo Alto Networks and Rapid7, and the Cybersecurity and Infrastructure Security Agency (CISA) have published advisories and recommended best practices to defend against these attacks and to patch the newly identified vulnerabilities (CVE-2025-53770 and CVE-2025-49704).