Microsoft Urges Immediate Patch Of Critical SharePoint Vulnerabilities

On July 19, 2025, Microsoft's Security Response Center warned that multiple nation-state threat actors are actively exploiting two serious vulnerabilities in on-premises SharePoint servers. These flaws, namely CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution issue, pose a significant risk to unpatched systems exposed to the internet.

While SharePoint Online in Microsoft 365 remains unaffected, organizations using on-premises versions of SharePoint Server 2016, 2019, and the Subscription Edition must act immediately.

Microsoft has released comprehensive security updates that fix the initially reported flaws and address related vulnerabilities CVE-2025-53770 and CVE-2025-53771, which attackers now leverage in their campaigns. More on this shortly. These updates are essential to defending against sophisticated exploitation tactics observed in the wild.

Security researchers at Microsoft have confirmed that three China-linked threat groups, Linen Typhoon, Violet Typhoon, and Storm-2603, are actively exploiting these vulnerabilities. Linen Typhoon and Violet Typhoon have a history of espionage, often targeting organizations tied to governments, think tanks, and human rights watchdogs. Meanwhile, Storm-2603 has begun using the SharePoint exploits to deploy ransomware, specifically Warlock and LockBit, against vulnerable systems.

These attacks begin when a threat actor sends a specially crafted HTTP POST request to a SharePoint server's "ToolPane" endpoint. If the server is unpatched, the attacker can bypass authentication and upload a malicious script, typically spinstall0.aspx. This web shell then enables the attackers to retrieve sensitive cryptographic keys and take further actions inside the compromised network.

In Storm-2603 intrusions, once initial access is achieved, the group runs reconnaissance commands such as "whoami" to identify its privilege level and uses cmd.exe and batch scripts to progress the attack. Microsoft has seen the group disable antivirus protections by directly altering Windows registry settings and maintain access by installing scheduled tasks and modifying web server components.

The group has also used credential dumping tools such as Mimikatz to steal passwords. It moves laterally through networks with tools such as PsExec and WMI, and ultimately distributes the ransomware through altered Group Policy settings.

Microsoft warns that other threat actors are also likely to adopt these exploits quickly, considering the number of servers believed to be compromised, making it crucial for organizations to secure their systems now. Beyond applying the necessary updates, Microsoft recommends enabling the Antimalware Scan Interface (AMSI) in full mode, running Microsoft Defender Antivirus or a comparable solution, and rotating SharePoint's ASP.NET machine keys. Organizations should restart Internet Information Services (IIS) after applying updates and changes.

Microsoft advises deploying Defender for Endpoint and enabling tamper protection, controlled folder access, and attack surface reduction rules for even stronger protection. Additional hardening steps include enabling LSA protection and Credential Guard and running endpoint detection in block mode to stop malicious activities in real time—even if antivirus software fails to catch the intrusion.

Microsoft has provided detailed indicators of compromise (IOCs) and hunting queries to help defenders detect signs of compromise related to the spinstall0.aspx web shell and related activity. The company began observing active exploitation as early as July 7, 2025, and updates its guidance as new information becomes available.

U.S. Nuclear Weapons Agency Hacked in SharePoint Attacks

As if to underline Microsoft's call for urgency, unknown hackers breached the National Nuclear Security Administration (NNSA) network through the recently discovered Microsoft SharePoint vulnerabilities. The NNSA, responsible for maintaining the U.S. nuclear weapons stockpile and handling radiological emergencies, confirmed that adversaries exploited a zero-day flaw chain, now commonly called "ToolShell", in on-premises SharePoint servers starting July 18, 2025.

Bleeping Computer reports that the U.S. Department of Energy stated attackers began breaching systems on Friday, July 18, targeting the NNSA via this SharePoint zero-day exploit. The agency minimized the damage by relying primarily on Microsoft 365 cloud infrastructure and strong cybersecurity controls. Only "a very small number of systems" saw impact, and all affected devices are undergoing restoration. Bloomberg sources and the Department of Energy report that no classified or sensitive nuclear information was compromised.

Google analysts, confirming Microsoft's findings, have traced several similar attacks to Linen Typhoon, Violet Typhoon, and Storm-2603. Using the ToolShell exploits, which, as stated earlier, comprise CVE-2025-53770 and CVE-2025-53771, these groups targeted internet-facing SharePoint servers, including those within government networks. Dutch cybersecurity firm Eye Security detected the breach of SharePoint servers on July 18, reporting that at least 54 organizations had already been compromised.

Further analysis by cybersecurity firm Check Point showed signs of breaches dating back to July 7, affecting numerous governments, telecoms, and tech enterprises across North America and Western Europe. Eye Security later estimated that attackers had infected over 400 SharePoint servers and penetrated 148 organizations globally. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the patches released by Microsoft within 24 hours.

To thwart similar threats, affected organizations must immediately apply Microsoft's emergency updates. Further, admins are strongly advised to enable the Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus, rotate ASP.NET machine keys, restart IIS, and monitor for indicators of compromise such as spinstall0.aspx and unusual POST requests to /ToolPane.aspx.
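The two indicators the article names, unusual POST requests to the ToolPane endpoint and any request for spinstall0.aspx, are both visible in plain IIS W3C access logs, so the hunt can be done without a SIEM. The script below is an added example, not Microsoft's published hunting query or anything from the article's author: it parses the standard W3C format (using the `#Fields:` header to find columns), flags POSTs to ToolPane.aspx under the SharePoint `/_layouts/15/` folder, noting whether the request was unauthenticated, and flags any request whose path ends in a `spinstall<digits>.aspx` file. The numbered-variant match is an assumption made to catch renamed copies; the log lines are constructed for the demo.

```python
"""Hunt IIS W3C logs for the ToolShell indicators named in the article.
Added example for illustration; not Microsoft's own hunting query."""
import re
from dataclasses import dataclass

# SharePoint's ToolPane page lives under /_layouts/15/; match on the file name
# so both the 15-hive path and any alias of it are caught.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.I)
# The article names spinstall0.aspx; \d* also catches renumbered copies (assumption).
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)


@dataclass
class Hit:
    line_no: int
    client_ip: str
    method: str
    uri_stem: str
    status: str
    reason: str


def parse_w3c(log_text):
    """Yield (line_no, record) for each data row, keyed by the #Fields header."""
    columns = None
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            columns = line.split()[1:]          # column names follow the directive
            continue
        if line.startswith("#") or columns is None:
            continue                            # other directives, or no header yet
        values = line.split()
        if len(values) != len(columns):
            continue                            # truncated or mangled row; skip it
        yield line_no, dict(zip(columns, values))


def hunt(log_text):
    """Return a Hit for every row matching either ToolShell indicator."""
    hits = []
    for line_no, rec in parse_w3c(log_text):
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "")
        reason = None
        if method.upper() == "POST" and TOOLPANE_RE.search(stem):
            # An unauthenticated POST is the strongest signal; authenticated
            # POSTs can be legitimate web-part editing and need manual review.
            who = "unauthenticated" if rec.get("cs-username", "-") == "-" else "authenticated"
            reason = f"POST to ToolPane endpoint ({who})"
        elif WEBSHELL_RE.search(stem):
            reason = "request for spinstall web shell"
        if reason:
            hits.append(Hit(line_no, rec.get("c-ip", "-"), method, stem,
                            rec.get("sc-status", "-"), reason))
    return hits


def suspicious_ips(hits):
    """Client addresses to pivot on in firewall and proxy logs."""
    return sorted({h.client_ip for h in hits})


# Constructed sample log: one normal page view, the exploit POST, the web shell
# being fetched, and a legitimate authenticated GET of ToolPane by an admin.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2025-07-18 03:12:44 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.0.41 Mozilla/5.0 - 200 0 0 31",
    "2025-07-18 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 412",
    "2025-07-18 03:13:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 18",
    "2025-07-18 03:14:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.42 Mozilla/5.0 - 200 0 0 27",
])

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.client_ip} {h.method} {h.uri_stem} -> {h.status}  [{h.reason}]")
    print("pivot on:", suspicious_ips(found))
```

A 200 response on a spinstall request means the file already exists on the server, which moves the host from "targeted" to "compromised" and, per the guidance above, means the ASP.NET machine keys must be rotated and IIS restarted after patching, since the shell's purpose is to read those keys. Point the script at the real `W3SVC*` log files (the date and time columns are UTC) and extend the regexes if your hunt confirms other file names.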

Microsoft's message is clear for anyone managing on-premises SharePoint servers: patch now, implement the security recommendations, and remain vigilant. The risks are real, the actors are persistent, and the consequences, including ransomware deployment, can be devastating if left unaddressed.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
