Ethical Hacking News
Microsoft has formally linked ongoing SharePoint exploits to three Chinese hacker groups, including Linen Typhoon and Storm-2603. The tech giant warns that threat actors will continue to integrate these exploits into their attacks against unpatched on-premises SharePoint systems. To mitigate this risk, organizations are advised to apply the latest updates, rotate machine keys, restart IIS, and deploy Microsoft Defender for Endpoint.
Microsoft has identified three Chinese hacker groups linked to exploits against SharePoint Server instances. The vulnerabilities exploited are CVE-2025-53771, CVE-2025-53770, and CVE-2025-49706, which allow threat actors to bypass authentication and execute code remotely. Chinese hackers have targeted SharePoint systems before, with previous attacks attributed to groups like Silk Typhoon (Hafnium) and to an individual attacker, Xu Zewei. Mitigation measures include applying the latest update, rotating the ASP.NET machine keys, restarting IIS, and deploying Microsoft Defender for Endpoint. Organizations are also advised to integrate the Antimalware Scan Interface (AMSI) and configure it in Full Mode to protect against these exploits.
Microsoft has recently issued a report that formally ties the exploitation of security flaws in internet-facing SharePoint Server instances to three Chinese hacker groups. Two of them are the known groups Linen Typhoon and Violet Typhoon; the third, a China-based threat actor that Microsoft tracks as Storm-2603, has been observed weaponizing these exploits to obtain initial access to target organizations.
The vulnerabilities in question are CVE-2025-53771 and CVE-2025-53770, two spoofing flaws that bypass incomplete fixes for CVE-2025-49706. These bypasses have allowed threat actors to exploit on-premises SharePoint servers through a POST request to the ToolPane endpoint, resulting in an authentication bypass and remote code execution.
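Because the article identifies a POST to the ToolPane endpoint as the request that triggers the bypass, a defender's first check on a possibly exposed server is the IIS logs. The following PowerShell is an added example written for this article, not code from the article or from Microsoft: it parses IIS W3C log lines and reports POST requests whose path ends in ToolPane.aspx. It assumes the default W3C field names and the standard endpoint path /_layouts/15/ToolPane.aspx (the match is on the file name, so path variants are also caught); the log lines at the bottom are constructed samples, not real traffic.

```powershell
# Added example (not from the article): flag POST requests to the ToolPane endpoint
# in IIS W3C logs. Assumes default W3C field names; matches on the file name so that
# /_layouts/15/ToolPane.aspx and other path variants are both reported.
function Find-ToolPanePosts {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = @()
    foreach ($line in $Lines) {
        # The #Fields: directive defines the column order for the lines that follow.
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring(8).Trim() -split '\s+')
            continue
        }
        # Skip other directives and blank lines.
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split '\s+'
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }

        # Build a name -> value map for this record.
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        if ($rec['cs-method'] -eq 'POST' -and $rec['cs-uri-stem'] -match '(?i)/toolpane\.aspx$') {
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                User   = $rec['cs-username']   # '-' means the request was unauthenticated
                Uri    = $rec['cs-uri-stem']
                Status = $rec['sc-status']
            }
        }
    }
}

# Constructed sample log lines (not real traffic) in IIS W3C format.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2025-07-19 08:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.20 CORP\alice 200
2025-07-19 08:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 203.0.113.7 - 200
2025-07-19 08:13:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 203.0.113.7 - 200
'@ -split "`r?`n"

# On a real server, replace $sample with:
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log'
Find-ToolPanePosts -Lines $sample | Format-Table -AutoSize
```

ToolPane.aspx is also used legitimately when an authenticated user edits a web part page, so the records to triage first are POSTs where cs-username is "-" (no authenticated identity) that still returned a 200, especially from addresses outside the organization. Any hit on an unpatched server should be treated as possible compromise and handled under the key-rotation and update guidance later in the article.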
According to Microsoft, this is not the first time that Chinese hackers have targeted SharePoint systems. In March 2021, the adversarial collective tracked as Silk Typhoon (aka Hafnium) was tied to mass-exploitation activity that leveraged several then-zero-day flaws in Exchange Server. Earlier this month, a 33-year-old Chinese national, Xu Zewei, was arrested in Italy and charged with carrying out cyber attacks against American organizations and government agencies by weaponizing those Microsoft Exchange Server flaws.
The threat actors behind these exploits have been identified as Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215), Violet Typhoon (aka APT31, Bronze Vinewood, Judgement Panda, Red Keres, and Zirconium), and Storm-2603. These groups have been linked to malware families like SysUpdate, HyperBro, and PlugX.
Microsoft has assessed with high confidence that threat actors will continue to integrate these exploits into their attacks against unpatched on-premises SharePoint systems. To mitigate this risk, it is essential for users to apply the latest update for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.
It is also recommended that organizations integrate and enable the Antimalware Scan Interface (AMSI) together with Microsoft Defender Antivirus (or a similar solution) for all on-premises SharePoint deployments, and configure AMSI in Full Mode. The report further stresses the need for additional security measures, since there is a high likelihood that other actors will use these vulnerabilities against unpatched on-premises SharePoint systems.
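The mitigation steps above are ordered for a reason: the machine keys are rotated only after the update is installed, because rotating on an unpatched server leaves the new keys exposed to the same bypass. The PowerShell below is an added example written for this article, not a script from the article or from Microsoft, that carries out the post-update steps on one SharePoint server and then verifies the endpoint protection the article calls for. It assumes the SharePoint PowerShell snap-in is available, that it runs elevated as a farm administrator, and that the Update-SPMachineKey cmdlet is present on the patched build (this cmdlet and its -WebApplication parameter are an assumption, not something the article states); the AMSI Full Mode setting itself is not named in the article, so the script only lists the registered AMSI providers rather than toggling a setting.

```powershell
# Added example (not from the article or from Microsoft): post-update mitigation steps
# for one on-premises SharePoint server. Run elevated, as a farm administrator, AFTER
# the July 2025 security update has been installed on every server in the farm.
#Requires -RunAsAdministrator
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# 1. Record the farm build so the patch level can be compared with the fixed build numbers.
$farm = Get-SPFarm
Write-Host ("Farm build version: {0}" -f $farm.BuildVersion)

# 2. Rotate the ASP.NET machine keys for every web application.
#    Rotation invalidates anything signed with a key an attacker may already have obtained.
#    Assumption: Update-SPMachineKey -WebApplication is available on this build.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host ("Rotating machine keys for {0}" -f $webApp.Url)
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so the worker processes load the new keys.
iisreset.exe /noforce

# 4. Confirm the Defender for Endpoint sensor (service name 'Sense') is running.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($null -eq $sense -or $sense.Status -ne 'Running') {
    Write-Warning 'Microsoft Defender for Endpoint sensor (Sense) is not running on this host.'
}

# 5. Confirm Defender Antivirus real-time protection is on; AMSI scanning relies on an
#    active antimalware provider.
$mp = Get-MpComputerStatus
if (-not $mp.AMServiceEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning 'Defender Antivirus real-time protection is not enabled on this host.'
}

# 6. List the AMSI providers registered on this machine. Defender AV (or the equivalent
#    product) must appear here for SharePoint's AMSI integration to have anything to call.
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' | ForEach-Object {
    $clsid = $_.PSChildName
    $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ CLSID = $clsid; Provider = $name }
} | Format-Table -AutoSize
```

Run the script on each server in the farm; the key rotation is farm-wide but the IIS restart and the Defender checks are per host. If step 1 reports a build older than the July 2025 update, stop and patch first rather than rotating keys on a still-vulnerable server.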
Microsoft's confirmation marks the second time that Beijing-aligned threat actors have targeted the Windows maker. As organizations continue to grapple with an evolving landscape of global cybersecurity threats, leaders and security teams need to stay vigilant and proactive in mitigating these risks.
Related Information:
https://www.ethicalhackingnews.com/articles/Micrsoft-Links-Ongoing-SharePoint-Exploits-to-Three-Chinese-Hacker-Groups-A-Growing-Threat-to-Global-Cybersecurity-ehn.shtml
https://thehackernews.com/2025/07/microsoft-links-ongoing-sharepoint.html
https://nvd.nist.gov/vuln/detail/CVE-2025-53771
https://www.cvedetails.com/cve/CVE-2025-53771/
https://nvd.nist.gov/vuln/detail/CVE-2025-53770
https://www.cvedetails.com/cve/CVE-2025-53770/
https://nvd.nist.gov/vuln/detail/CVE-2025-49706
https://www.cvedetails.com/cve/CVE-2025-49706/
Published: Tue Jul 22 15:35:10 2025 by llama3.2 3B Q4_K_M