Friday, November 14, 2025

Chinese Hackers Exploit SharePoint Zero-Day Vulnerabilities, CISA Issues Urgent Warning

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding active exploitation of critical SharePoint vulnerabilities by Chinese nation-state actors, prompting immediate action from organizations running on-premises SharePoint servers.

Microsoft Security Response Center confirmed that threat actors are actively exploiting a vulnerability chain publicly known as "ToolShell": CVE-2025-49706, a spoofing flaw that lets an unauthenticated request slip past SharePoint's authentication checks, chained with CVE-2025-49704, a remote code execution flaw reached through unsafe deserialization. Together they give an attacker unauthenticated code execution on the server and, with it, full access to the organization's SharePoint data.

Microsoft has identified three distinct Chinese threat actors actively exploiting these vulnerabilities since July 7, 2025.

The campaign involves two named nation-state groups: Linen Typhoon and Violet Typhoon, along with another China-based actor tracked as Storm-2603.

Linen Typhoon, operating since 2012, specializes in intellectual property theft targeting government, defense, and human rights organizations, while Violet Typhoon has conducted espionage operations since 2015 against former government personnel, NGOs, think tanks, and media organizations across the United States, Europe, and East Asia.

Storm-2603, assessed with medium confidence to be China-based, has previously deployed Warlock and LockBit ransomware, though Microsoft cannot yet assess the group's objectives in the current SharePoint campaign.

The rapid adoption of these exploits across multiple threat actors has led Microsoft to assess with high confidence that additional actors will continue integrating them into attacks against unpatched systems.

SharePoint Zero-Day Vulnerabilities

The exploited vulnerability chain affects only on-premises SharePoint servers, not SharePoint Online in Microsoft 365. The attack leverages multiple critical security flaws:

  • CVE-2025-49706: Spoofing vulnerability that lets an unauthenticated request bypass SharePoint's authentication checks and reach pages meant only for signed-in users.
  • CVE-2025-49704: Remote code execution vulnerability via deserialization of untrusted data; on its own it requires an authenticated user, but chained with CVE-2025-49706 it is reachable without credentials.
  • CVE-2025-53770: Patch bypass that circumvents the fix for CVE-2025-49704, restoring unauthenticated remote code execution.
  • CVE-2025-53771: Patch bypass that circumvents the fix for CVE-2025-49706.

Successful exploitation gives threat actors complete access to SharePoint content, including the server's file system and internal configuration, and lets them execute arbitrary code over the network.

Attackers have been observed dropping web shells with names that are variations of "spinstall0.aspx" into the SharePoint LAYOUTS directory. Rather than a conventional command shell, the file dumps the server's ASP.NET MachineKey values (ValidationKey and DecryptionKey). With those keys an attacker can sign their own ViewState payloads and keep executing code on the server even after the patch is applied, which is why key rotation is part of the remediation rather than an optional hardening step.

Microsoft's threat intelligence reports that exploitation begins with POST requests to the ToolPane endpoint (/_layouts/15/ToolPane.aspx?DisplayMode=Edit), typically carrying a Referer header of /_layouts/SignOut.aspx, the trick that triggers the authentication bypass. IIS logs for unauthenticated POSTs to that endpoint are therefore the first place to look for exploitation attempts.
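The following hunt script is an added example, not code from the article or from Microsoft. It parses IIS W3C log lines, flags unauthenticated POSTs to ToolPane.aspx and any Referer pointing at SignOut.aspx, and looks for requests to spinstall-style web shells both in the logs and on disk. The log lines embedded in $SampleLog are constructed for illustration; the field list is the default IIS W3C layout, and the LAYOUTS path is the documented location of the web shell. An authenticated POST to ToolPane.aspx is normal editing activity, so the script deliberately leaves the CONTOSO\bob request alone.

```powershell
# Added example: hunt IIS logs for ToolShell activity. Sample lines are constructed.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-07-18 10:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.77 Mozilla/5.0 - 200 120
2025-07-18 10:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 1540
2025-07-18 10:03:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 33
2025-07-18 10:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.0.80 Mozilla/5.0 https://intranet/sites/hr/default.aspx 200 410
'@

function Find-ToolShellActivity {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        # IIS writes a "#Fields:" directive at the top of each log; use it so the
        # parser does not depend on a fixed column order.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip it
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $reasons = @()

        # 1) Editing a tool pane needs a signed-in user, so an anonymous ('-') POST
        #    to ToolPane.aspx should never occur. A Referer of /_layouts/SignOut.aspx
        #    is the spoof that gets the request past the authentication check.
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -match '/ToolPane\.aspx$') {
            if ($row['cs-username'] -eq '-') { $reasons += 'unauthenticated POST to ToolPane.aspx' }
            if ($row['cs(Referer)'] -match '/_layouts/SignOut\.aspx$') { $reasons += 'SignOut.aspx Referer spoof' }
        }

        # 2) Any hit on spinstall*.aspx: the web shell that dumps MachineKey data.
        if ($row['cs-uri-stem'] -match '/spinstall\d*\.aspx$') {
            $reasons += 'request to spinstall web shell'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                Method   = $row['cs-method']
                Uri      = $row['cs-uri-stem']
                Status   = $row['sc-status']
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# On-disk check: the web shell is dropped into the SharePoint LAYOUTS folder.
function Find-SpinstallOnDisk {
    $layouts = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    if (Test-Path $layouts) {
        Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue
    }
}

# Run against the constructed sample. For real logs replace the input with, e.g.
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'
Find-ToolShellActivity -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
Find-SpinstallOnDisk
```

Against the sample, the two requests from 203.0.113.9 are reported (the ToolPane POST with both reasons, then the spinstall0.aspx fetch two seconds later) and the authenticated ToolPane POST from CONTOSO\bob is not. On a real server, group the hits by client IP and check whether the flagged requests returned 200: a successful ToolPane POST followed by a spinstall request from the same address is the signature of a compromised host whose machine keys must be treated as stolen.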

Mitigations

CISA strongly recommends organizations immediately apply Microsoft’s comprehensive security updates for all supported SharePoint Server versions, including Subscription Edition, 2019, and 2016.

Critical mitigation steps include enabling the Antimalware Scan Interface (AMSI) integration in SharePoint in Full Mode and deploying Microsoft Defender Antivirus on all SharePoint servers, so that the malicious request payload is scanned before SharePoint processes it.

Organizations unable to enable AMSI should disconnect affected public-facing SharePoint servers from the internet until official mitigations are applied.

Additional protective measures include rotating the ASP.NET machine keys both before and after applying the security updates, restarting IIS on every server in the farm, and implementing comprehensive logging to identify exploitation activity. Patching alone is not enough: if the MachineKey values were already stolen through the web shell, an attacker can keep forging valid ViewState payloads against a fully patched server until the keys are replaced.
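The following is an added example of the key rotation and IIS restart steps, not a script from CISA or Microsoft. It assumes it is run in the SharePoint Management Shell by a farm administrator after the July 2025 security update is installed, and that WinRM remoting is enabled to the other SharePoint servers for the iisreset step; Update-SPMachineKey and the other cmdlets used are the documented SharePoint cmdlets.

```powershell
# Added example: rotate ASP.NET machine keys for every web application in the
# farm, then restart IIS on every SharePoint server. Run from the SharePoint
# Management Shell as a farm administrator; assumes WinRM access to farm members.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record the farm build before rotating, so the patch level can be confirmed
# against Microsoft's published build numbers (not listed on this page).
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Rotate the ValidationKey/DecryptionKey pair for each web application,
# including Central Administration. Keys captured by spinstall0.aspx stop
# validating ViewState as soon as the new keys are in place.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# IIS caches the old keys in its worker processes; restart it on every
# SharePoint server in the farm (SQL and other non-SharePoint servers have
# Role 'Invalid' and are skipped).
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset /noforce }
}
```

Run the rotation once before patching if the server was exposed (the old keys must be assumed stolen) and again after the update so that a key captured in the window between the two is also invalidated. Expect a brief outage during the iisreset; users with open sessions will need to sign in again because their existing ViewState and forms-auth cookies no longer validate.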

CISA has added CVE-2025-53770, CVE-2025-49706, and CVE-2025-49704 to its Known Exploited Vulnerabilities catalog, emphasizing the critical nature of these threats.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
