Chinese State Actors Exploit New SharePoint Vulnerabilities: CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771, Microsoft Urges Immediate Security Updates

Written by Dave W. Shanahan

July 22, 2025

Microsoft has sounded the alarm over ongoing, active exploitation of multiple critical SharePoint vulnerabilities in on-premises SharePoint Server deployments. The Microsoft Security Response Center (MSRC) published customer guidance on July 19, 2025, and Microsoft Threat Intelligence has since attributed the activity to Chinese nation-state actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, who are exploiting CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771 to compromise unpatched SharePoint servers exposed to the internet.

What’s at Stake?

These critical flaws affect on-premises Microsoft SharePoint Server (Subscription Edition, 2019, and 2016) but do not affect SharePoint Online in Microsoft 365. CVE-2025-49706 and CVE-2025-53771 are spoofing flaws that let an attacker get past authentication; CVE-2025-49704 and CVE-2025-53770 are remote code execution flaws reachable once that bypass succeeds. CVE-2025-53770 and CVE-2025-53771 are variants of the first pair that get around the fixes Microsoft shipped in its July 2025 security updates, so a server patched earlier in July is still exposed until the newer updates are installed. Chained together, they let an unauthenticated attacker bypass authentication, execute code in the context of the SharePoint worker process, and plant persistent backdoors, putting highly sensitive business data and the wider environment at risk.

SharePoint Vulnerabilities Under Active Attack

Microsoft strongly advises all SharePoint Server customers to install the latest security updates for their version immediately; the update packages for each version are listed under Resources and Help below.

How Are Hackers Exploiting These Vulnerabilities?

Microsoft observed attackers performing reconnaissance and exploitation through POST requests to the vulnerable SharePoint ToolPane endpoint (/_layouts/15/ToolPane.aspx), sending a Referer header of /_layouts/SignOut.aspx so that the request gets past authentication. After achieving remote code execution, the threat actors write a web shell (commonly named spinstall0.aspx, with variants such as spinstall1.aspx) into the SharePoint LAYOUTS directory. Despite its name, the shell's main job is not interactive command execution: it reads the server's ASP.NET MachineKey configuration (the ValidationKey and DecryptionKey) and returns it to the attacker. With those keys the attacker can sign their own __VIEWSTATE payloads, which the server accepts and deserializes, giving code execution on demand even after the web shell has been deleted and the patch applied. That is why Microsoft's guidance requires rotating the machine keys and not just patching.
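The mechanism behind that last point, as an added example written for this article (not Microsoft's code and not the attackers' tooling): a deliberately simplified model of ASP.NET's ViewState MAC check in Python. Real ASP.NET derives per-purpose keys from the MachineKey and uses its own serialization format, so the signing details here are an assumption; the property it demonstrates is the real one: the server deserializes anything that carries a valid HMAC under its current validation key, so a stolen key is a code-execution primitive until the key is rotated.

```python
"""Why stolen MachineKey material is the prize, and why rotation is part of the fix.

Added example for this article, not Microsoft's code and not attacker tooling.
Simplified model of ASP.NET ViewState MAC protection (assumption: plain
HMAC-SHA256 over the state; real ASP.NET adds key derivation and its own
serialization). The security property shown is the real one.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


class SharePointServer:
    """Toy server: holds the MachineKey and validates incoming __VIEWSTATE."""

    def __init__(self) -> None:
        self.validation_key = secrets.token_bytes(64)
        self.webshell_present = False
        self.executed: List[bytes] = []  # payloads that reached the deserializer (simulated RCE)

    def sign_viewstate(self, state: bytes) -> str:
        """What a legitimate page does when it emits __VIEWSTATE."""
        mac = hmac.new(self.validation_key, state, hashlib.sha256).digest()
        return base64.b64encode(state + mac).decode()

    def handle_postback(self, viewstate: str) -> bool:
        """Accept and 'deserialize' the state only if its MAC verifies under the current key."""
        raw = base64.b64decode(viewstate)
        state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.validation_key, state, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                 # MAC failure: payload never reaches the deserializer
        self.executed.append(state)      # real life: ObjectStateFormatter deserializes it
        return True

    def rotate_machine_key(self) -> None:
        """Equivalent of Update-SPMachineKey followed by iisreset: fresh key, old one worthless."""
        self.validation_key = secrets.token_bytes(64)


def attacker_steals_key(server: SharePointServer) -> bytes:
    """spinstall0.aspx in one line: drop the shell, read the MachineKey, exfiltrate it."""
    server.webshell_present = True
    return server.validation_key


def forge_viewstate(stolen_key: bytes, gadget_payload: bytes) -> str:
    """Sign an attacker-chosen payload with the stolen key (what ysoserial-style tools do)."""
    mac = hmac.new(stolen_key, gadget_payload, hashlib.sha256).digest()
    return base64.b64encode(gadget_payload + mac).decode()


def run_scenario() -> Dict[str, bool]:
    """Walk through theft, forgery, shell removal and key rotation; return each outcome."""
    server = SharePointServer()
    key = attacker_steals_key(server)
    gadget = b"<constructed stand-in for a serialized gadget chain>"
    forged = forge_viewstate(key, gadget)

    results: Dict[str, bool] = {}
    results["forged_accepted"] = server.handle_postback(forged)
    server.webshell_present = False                       # IR deletes the web shell...
    results["still_accepted_after_shell_removed"] = server.handle_postback(forged)
    server.rotate_machine_key()                           # ...but only rotation closes the door
    results["accepted_after_key_rotation"] = server.handle_postback(forged)
    results["legit_viewstate_still_works"] = server.handle_postback(
        server.sign_viewstate(b"normal page state"))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Deleting spinstall0.aspx and installing the update leaves the second outcome unchanged; only the key rotation flips the forged payload from accepted to rejected, which is the order of operations in Microsoft's guidance.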

Technical Indicators of Compromise:

  • Files: spinstall0.aspx, spinstall1.aspx and other spinstall*.aspx variants; debug_dev.js

  • SHA-256 (example): 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514

  • URL: c34718cbb4c6.ngrok-free[.]app/file.ps1

  • Command-and-control IPs: 131.226.2.6, 134.199.202.205, 104.238.159.149, 188.130.206.168

Confirmed Chinese Threat Actors and Their Tactics

  1. Linen Typhoon (active since 2012): focuses on stealing intellectual property from government, defense, and human rights organizations, typically relying on drive-by compromises and web shells.
  2. Violet Typhoon (active since 2015): an espionage actor targeting NGOs, media, and the financial and health sectors. Persistent vulnerability scanning of exposed web infrastructure and web shell deployment after initial access are its hallmarks.
  3. Storm-2603: a newer group that Microsoft assesses with medium confidence to be China-based and has not yet tied to a known named actor; it has previously deployed Warlock and LockBit ransomware. In this campaign Storm-2603 prioritizes theft of MachineKey data, which lets it forge valid ViewState payloads and keep code execution on the server after the web shell is gone.

Defense & Mitigation Steps

Microsoft recommends the following for maximum protection:

  1. Patch Immediately:

    • Use the official Microsoft Download Center links listed under Resources and Help below to download and apply the security updates for all supported on-premises SharePoint Server installations (2016, 2019, Subscription Edition). For 2019 and 2016, install both the server update and the matching language pack update.

  2. Enable and Configure Antimalware Scan Interface (AMSI):

    • Make sure AMSI is enabled and running in Full Mode for all servers.

    • If you cannot use AMSI, disconnect the server from the internet or protect it with authenticated VPN/proxy services.

  3. Deploy Microsoft Defender Antivirus and Defender for Endpoint:

    • Run Defender Antivirus (or an equivalent engine) on every SharePoint server so dropped web shells are caught, and onboard the servers to Defender for Endpoint to detect post-exploitation activity.

  4. Rotate ASP.NET Machine Keys and Restart IIS:

    • After patching (or after enabling AMSI, if you cannot patch yet), rotate the ASP.NET machine keys with the Update-SPMachineKey cmdlet, or run the Machine Key Rotation Job from Central Administration (Monitoring > Review job definitions), then run iisreset.exe on every server in the farm. Rotation invalidates any keys already stolen; without it, an attacker who grabbed the keys before the patch keeps a signed path to code execution.

Further:

  • Regularly review IIS and SharePoint ULS logs for POST requests to /_layouts/15/ToolPane.aspx, in particular ones whose Referer is /_layouts/SignOut.aspx, and for the creation of, or requests to, unexpected ASPX files under the LAYOUTS directory (spinstall0.aspx and its variants).

  • Hunt for the provided indicators using Defender XDR, Sentinel, or your SIEM solution.

  • Refer to Microsoft’s MITRE ATT&CK mapping for updated detection of relevant tactics, including exploitation of public-facing applications, web shell persistence, and PowerShell execution.
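A worked version of the log review above, as an added example written for this article rather than Microsoft's own hunting query. It assumes the standard IIS W3C log layout (a "#Fields:" header naming the columns, space-separated values, "-" for empty fields, spaces inside values encoded as "+") and the request shape described earlier: a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, followed by requests for spinstall*.aspx. The sample log lines are constructed for the example; only the paths and the pattern are real.

```python
"""Hunt IIS W3C logs for the SharePoint ToolPane exploitation pattern.

Added example for this article, not Microsoft's detection logic. Assumes the
standard IIS W3C log format; SAMPLE_LOG is constructed test data (RFC 5737
addresses), not captured traffic.
"""
import re
import sys
from typing import Dict, Iterator, List, Tuple

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx$", re.IGNORECASE)

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2025-07-18 22:31:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) - 200 120
2025-07-18 22:31:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/_layouts/SignOut.aspx 200 310
2025-07-18 22:31:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 python-requests/2.32.0 - 200 45
2025-07-18 22:35:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 curl/8.7.1 - 401 12
2025-07-18 22:40:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.80 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/sites/hr/default.aspx 200 90
"""


def parse_w3c(log_text: str) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) for each request line, keyed by the #Fields names."""
    fields: List[str] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # the layout can change mid-file
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no header yet, or a malformed line: skip rather than misalign columns
        yield lineno, dict(zip(fields, values))


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the names of the rules this request trips (empty if nothing suspicious)."""
    hits: List[str] = []
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    user = rec.get("cs-username", "-")

    if method == "POST" and stem == TOOLPANE_PATH:
        if SIGNOUT_REFERER in referer:
            hits.append("toolpane_post_signout_referer")      # the observed auth-bypass request
        elif user == "-" and "displaymode=edit" in query:
            hits.append("toolpane_edit_post_unauthenticated")  # probe or variant: look closer
    if WEBSHELL_RE.search(stem):
        hits.append("spinstall_webshell_request")               # someone is talking to the shell
    return hits


def hunt(log_text: str) -> List[Dict[str, object]]:
    """Run every rule over every request line and collect the findings in log order."""
    findings: List[Dict[str, object]] = []
    for lineno, rec in parse_w3c(log_text):
        for rule in classify(rec):
            findings.append({
                "line": lineno,
                "rule": rule,
                "client_ip": rec.get("c-ip", "?"),
                "status": rec.get("sc-status", "?"),
                "request": f"{rec.get('cs-method')} {rec.get('cs-uri-stem')}?{rec.get('cs-uri-query')}",
            })
    return findings


def client_ips(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct source addresses to pivot on (compare against the C2 list above)."""
    return sorted({str(f["client_ip"]) for f in findings})


if __name__ == "__main__":
    # Usage: python hunt_toolpane.py C:\inetpub\logs\LogFiles\W3SVC1\u_ex250718.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    results = hunt(text)
    for f in results:
        print(f"line {f['line']}: {f['rule']} from {f['client_ip']} -> {f['request']} ({f['status']})")
    print("pivot IPs:", ", ".join(client_ips(results)))
```

Two caveats when running this over real logs: the authenticated POST from a user editing a web part (the last sample line) is legitimate and is deliberately not flagged, and if cs(Referer) is not among the logged fields only the unauthenticated-POST and web-shell rules can fire, so check the #Fields header before trusting a clean result.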

SharePoint Online Not Affected

This campaign currently does NOT impact SharePoint Online or Microsoft 365 customers, reinforcing the security advantage of moving critical workloads to the cloud where zero-day patches and proactive defense are quicker and centrally managed.

Why This Matters

Microsoft assesses with high confidence that threat actors will rapidly incorporate these exploits into broad attack campaigns against all unpatched, internet-facing SharePoint servers. Delaying the patch puts organizations at urgent risk, especially now that proof-of-concept exploit code is public and threat actor activity is accelerating.

Resources and Help

Product and security update:

  • Microsoft SharePoint Server Subscription Edition: Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768), from the Official Microsoft Download Center

  • Microsoft SharePoint Server 2019 (install both): Security Update for Microsoft SharePoint 2019 (KB5002754) and Security Update for Microsoft SharePoint Server 2019 Language Pack (KB5002753), from the Official Microsoft Download Center

  • Microsoft SharePoint Server 2016 (install both): Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760) and Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759)

Stay Updated On Any Other SharePoint Vulnerabilities

For ongoing information, monitor the official Microsoft Threat Intelligence accounts on LinkedIn and X (formerly Twitter), and msftnewsnow.com for future coverage and analysis, including past reports on SharePoint security incidents and how Microsoft's best practices can minimize risk in hybrid cloud environments.

If your organization relies on on-premises SharePoint: patch immediately, audit for signs of compromise, and improve monitoring of suspicious activity. The window for a safe response is closing fast.

Reporting by msftnewsnow.com. For continuing Microsoft security news, updates, and guides, follow us on the regular.



I'm Dave W. Shanahan, a Microsoft enthusiast with a passion for Windows 11, Xbox, Microsoft 365 Copilot, Azure, and more. After OnMSFT.com closed, I started MSFTNewsNow.com to keep the world updated on Microsoft news. Based in Massachusetts, you can find me on Twitter @Dav3Shanahan or email me at davewshanahan@gmail.com.
