
Chinese Hackers Exploit New SharePoint 0-Day Vulnerabilities in Active Attacks

Microsoft issued urgent guidance on July 19, 2025, warning of active attacks on on-premises SharePoint servers by Chinese nation-state actors exploiting the critical vulnerabilities CVE-2025-53770 and CVE-2025-53771.

The company has observed multiple threat groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, conducting sophisticated attacks against internet-facing SharePoint installations since early July 2025, prompting immediate security updates across all supported SharePoint versions.

Three distinct Chinese threat actors have been identified exploiting these vulnerabilities in coordinated campaigns.

Linen Typhoon, active since 2012, has focused on intellectual property theft targeting government, defense, and human rights organizations through drive-by compromises and existing exploits.

Violet Typhoon, operational since 2015, conducts espionage operations against former government personnel, NGOs, think tanks, and educational institutions across the United States, Europe, and East Asia by persistently scanning for web infrastructure vulnerabilities.

The third group, Storm-2603, is assessed with medium confidence to be a China-based actor and is distinguished by its attempts to steal SharePoint MachineKeys through these vulnerabilities.

While Microsoft has observed Storm-2603 deploying Warlock and Lockbit ransomware previously, their current objectives remain unclear.

Microsoft assesses with high confidence that additional threat actors will rapidly adopt these exploits against unpatched SharePoint systems.

SharePoint 0-Day Vulnerabilities

The attacks target on-premises SharePoint servers exclusively, with SharePoint Online in Microsoft 365 remaining unaffected.

Threat actors conduct reconnaissance through POST requests to the ToolPane endpoint, followed by successful exploitation that bypasses authentication and enables remote code execution.

POST request to ToolPane endpoint.

Post-exploitation activities involve deploying web shells, specifically malicious scripts named “spinstall0.aspx” and variants including “spinstall.aspx,” “spinstall1.aspx,” and “spinstall2.aspx”.

These web shells contain commands to retrieve MachineKey data through GET requests, enabling threat actors to steal critical key material from compromised servers.

Microsoft’s advanced hunting queries reveal that attackers create files in SharePoint template directories and execute encoded PowerShell commands through w3wp.exe processes.

The sophisticated nature of these attacks demonstrates the threat actors’ deep understanding of SharePoint architecture and exploitation techniques.
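The following triage script is an added example, not code from the article or from Microsoft. It checks a single on-premises SharePoint server for the artifacts described above (spinstall*.aspx web shells in the template directories, POST requests to the ToolPane endpoint in the IIS logs, and encoded PowerShell launched by w3wp.exe). The hive and IIS log paths are assumptions based on default installs; adjust them for your farm.

```powershell
# Added example, not from the article or from Microsoft: triage one on-premises
# SharePoint server for the indicators the article describes. Paths are assumptions
# (default SharePoint hive and IIS log locations); adjust them for your farm.
$LayoutsDirs = @(
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
)
$IisLogRoot = 'C:\inetpub\logs\LogFiles'

# 1. Web shells: the article names spinstall0.aspx and the spinstall/spinstall1/spinstall2 variants.
Write-Host '== spinstall*.aspx in SharePoint template directories =='
foreach ($dir in $LayoutsDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
            Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length
    }
}

# 2. Any .aspx dropped into LAYOUTS in the last 30 days, to catch renamed copies.
Write-Host '== .aspx files created in LAYOUTS during the last 30 days =='
$cutoff = (Get-Date).AddDays(-30).ToUniversalTime()
foreach ($dir in $LayoutsDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTimeUtc -gt $cutoff } |
            Select-Object FullName, CreationTimeUtc
    }
}

# 3. IIS W3C logs: POST requests to the ToolPane endpoint. The default field order is
#    date time s-ip cs-method cs-uri-stem ..., so the fourth token is the HTTP method.
Write-Host '== POST requests to ToolPane in IIS logs =='
Get-ChildItem -Path $IisLogRoot -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern '^\d{4}-\d{2}-\d{2} \S+ \S+ POST \S*ToolPane' |
    Select-Object Path, LineNumber, Line

# 4. Encoded PowerShell launched by the IIS worker process (w3wp.exe). Requires process
#    creation auditing with command-line logging enabled (Security event 4688).
Write-Host '== Encoded PowerShell spawned by w3wp.exe (event 4688) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'w3wp\.exe' -and $_.Message -match 'powershell[^\r\n]*\s-e(nc(odedcommand)?)?\s' } |
    Select-Object TimeCreated, Message
```

Any hit in sections 1, 3 or 4 is grounds to treat the server as compromised and rotate machine keys after patching, since a web shell or a ToolPane POST means key material may already have been read.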

Mitigations

Microsoft has released comprehensive security updates for all supported SharePoint versions, including Subscription Edition, 2019, and 2016.

The updates address both CVE-2025-53770 and CVE-2025-53771, providing complete protection against these vulnerabilities.

Customers must apply multiple updates for SharePoint 2016 and 2019 installations, including language pack updates.

Critical mitigation steps include enabling Antimalware Scan Interface (AMSI) with Full Mode configuration and deploying Microsoft Defender Antivirus on all SharePoint servers to block unauthenticated exploitation attempts.

Organizations must rotate SharePoint server ASP.NET machine keys using the PowerShell cmdlets Set-SPMachineKey and Update-SPMachineKey, followed by an IIS restart.
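As an added example of that rotation step (not Microsoft's or the article's own script), the following runs the two cmdlets named above against every web application in the farm, including Central Administration, and then restarts IIS. It assumes an elevated SharePoint Management Shell on a farm server and that the security updates are already installed.

```powershell
# Added example (not Microsoft's or the article's own script): rotate the ASP.NET machine
# keys of every web application in the farm with the cmdlets the article names, then
# restart IIS. Run from an elevated SharePoint Management Shell on a farm server, after
# the security updates have been installed (otherwise the new keys can be stolen again).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.DisplayName) <$($wa.Url)>"
    # Generate a new validation/decryption key pair for this web application.
    Set-SPMachineKey -WebApplication $wa
    # Deploy the new keys for this web application to every server in the farm.
    Update-SPMachineKey -WebApplication $wa
}

# Worker processes keep the old keys in memory until IIS reloads its configuration;
# repeat the restart on every SharePoint server in the farm.
iisreset
```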

Microsoft Defender for Endpoint provides specific alerts including “Possible web shell installation” and “Suspicious IIS worker process behavior” to detect related threat activity.

For organizations unable to immediately enable AMSI, Microsoft recommends disconnecting servers from the internet until security updates are applied, or implementing VPN/proxy authentication to limit unauthenticated traffic.


Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
