Chinese Hackers Actively Exploiting SharePoint Server Zero-Day Vulnerabilities in the Wild
Microsoft has confirmed that Chinese state-sponsored threat actors are actively exploiting critical zero-day vulnerabilities in on-premises SharePoint Server, prompting urgent security warnings for organizations worldwide.
The Microsoft Security Response Center (MSRC) reported coordinated attacks against internet-facing SharePoint installations that chain newly disclosed vulnerabilities to bypass authentication and execute code remotely.
Key Takeaways
1. CVE-2025-53770 and CVE-2025-53771 in on-premises SharePoint Server together enable authentication bypass and unauthenticated remote code execution.
2. Exploitation is attributed to Chinese state-sponsored groups (Linen Typhoon, Violet Typhoon) and the China-based actor Storm-2603.
3. Install the Microsoft security updates (KB5002768, KB5002754, KB5002760), then rotate the ASP.NET machine keys and restart IIS.
SharePoint Zero-Day Exploited in Active Attacks
The exploitation campaign centers on CVE-2025-53770, a deserialization-of-untrusted-data flaw that lets an unauthenticated attacker execute code on the server (Microsoft describes it as a variant of the earlier CVE-2025-49704), chained with CVE-2025-53771, a spoofing/path-traversal flaw that bypasses the fix for the previously disclosed CVE-2025-49706. Together the pair is tracked publicly as "ToolShell".
These vulnerabilities specifically target on-premises SharePoint Server installations, including SharePoint Server 2016, 2019, and SharePoint Subscription Edition, while SharePoint Online in Microsoft 365 remains unaffected.
Microsoft security researchers have observed threat actors triggering the flaw with crafted POST requests to the /_layouts/15/ToolPane.aspx endpoint (DisplayMode=Edit, with a Referer header of /_layouts/SignOut.aspx), followed by the deployment of a web shell named spinstall0.aspx and variants such as spinstall.aspx, spinstall1.aspx, and spinstall2.aspx into the SharePoint LAYOUTS directory.
Rather than running commands, these web shells dump the server's ASP.NET MachineKey configuration (the ValidationKey and DecryptionKey). With those keys an attacker can forge validly signed __VIEWSTATE payloads that the server will deserialize, so access persists even after the vulnerability itself is patched, unless the keys are rotated, and the foothold can be used for lateral movement within the target network.
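The request pattern described above is what a defender can hunt for in IIS logs. The following Python script is an added example, not code from the article or from Microsoft: it parses W3C-format IIS logs using the #Fields header, flags POSTs to ToolPane.aspx that carry DisplayMode=Edit together with the SignOut.aspx Referer, and separately flags requests for spinstall*.aspx web shells. The log lines, hostnames and IP addresses are constructed for the example.

```python
"""Hunt IIS W3C logs for the ToolShell exploitation pattern (added example, constructed data)."""
import re
from dataclasses import dataclass

# Name-based IOC for the web shells named in the article. Attackers can rename a shell,
# so the behavioural ToolPane rule below is the one to rely on.
WEBSHELL_RE = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample log. Field order comes from the #Fields header, as in a real IIS log.
# Line 2 and 3 are the exploitation pattern; line 4 is a legitimate authenticated ToolPane
# POST from a site editor and must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-18 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 21:04:11 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 120
2025-07-18 21:05:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200 0 0 301
2025-07-18 21:05:04 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15
2025-07-18 21:06:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.33 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/settings.aspx 200 0 0 88
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    client_ip: str
    detail: str


def parse_iis_log(text: str) -> list[dict]:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header.

    IIS writes '-' for an empty field and encodes spaces inside a field as '+',
    so splitting on whitespace yields exactly one token per field.
    """
    fields: list[str] = []
    records: list[dict] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or truncated line: skip it rather than abort the hunt
        rec = dict(zip(fields, values))
        rec["_line_no"] = line_no
        records.append(rec)
    return records


def hunt_toolshell(records: list[dict]) -> list[Finding]:
    """Apply the two ToolShell rules to parsed records and return the matches in log order."""
    findings: list[Finding] = []
    for rec in records:
        method = rec.get("cs-method", "-").upper()
        stem = rec.get("cs-uri-stem", "-").lower()
        query = rec.get("cs-uri-query", "-").lower()
        referer = rec.get("cs(Referer)", "-").lower()
        ip = rec.get("c-ip", "-")
        n = rec["_line_no"]

        # Rule 1 (behavioural): unauthenticated-looking POST to ToolPane.aspx in edit mode
        # whose Referer is the sign-out page. Legitimate editors arrive from a site page.
        if (method == "POST" and stem.endswith("/toolpane.aspx")
                and "displaymode=edit" in query
                and referer.endswith("/_layouts/signout.aspx")):
            findings.append(Finding(n, "toolpane_signout_referer", ip,
                                    f"{stem}?{query} Referer={referer}"))

        # Rule 2 (IOC): any request for a spinstall*.aspx file, wherever it was dropped.
        if WEBSHELL_RE.match(stem.rsplit("/", 1)[-1]):
            findings.append(Finding(n, "spinstall_webshell", ip, stem))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group matched rule names by client IP, which is the pivot for further investigation."""
    by_ip: dict[str, list[str]] = {}
    for f in findings:
        by_ip.setdefault(f.client_ip, []).append(f.rule)
    return by_ip


if __name__ == "__main__":
    for f in hunt_toolshell(parse_iis_log(SAMPLE_LOG)):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}: {f.detail}")
```

Run it against real logs by reading the u_ex*.log files from the site's log directory in place of SAMPLE_LOG. A hit on rule 1 alone is worth treating as attempted exploitation even without a visible web shell, since key theft leaves no further web-shell requests once the attacker switches to forged ViewState.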
Three distinct Chinese threat groups have been identified as primary exploiters of these vulnerabilities. Linen Typhoon, active since 2012, has focused on intellectual property theft targeting government, defense, and human rights organizations.
Violet Typhoon, operational since 2015, specializes in espionage against former government personnel, NGOs, and educational institutions across the United States, Europe, and East Asia.
Additionally, Microsoft tracks Storm-2603, an actor it assesses with medium confidence to be China-based, which has deployed Warlock and LockBit ransomware in previous campaigns.
Exploitation attempts began as early as July 7, 2025, with threat actors using these vulnerabilities for initial access before deploying PowerShell-based payloads and establishing persistence.
| CVE | Title | CVSS 3.1 Score | Severity |
| --- | --- | --- | --- |
| CVE-2025-53770 | SharePoint ToolShell Auth Bypass and RCE | 9.8 | Critical |
| CVE-2025-53771 | SharePoint ToolShell Path Traversal | 6.5 | Medium |
Mitigations
Microsoft has released critical security updates for all supported SharePoint versions, including KB5002768 for SharePoint Server Subscription Edition, KB5002754 and KB5002753 for SharePoint 2019, and KB5002760 and KB5002759 for SharePoint 2016.
Organizations must apply these patches immediately and pair them with additional protective measures, because the update alone does not evict an attacker who has already stolen the machine keys.
Essential steps are: enable the Antimalware Scan Interface (AMSI) integration in Full Mode (available on SharePoint 2016 and 2019 from the September 2023 security update onward, and in Subscription Edition), run Microsoft Defender Antivirus on every SharePoint server, and, after installing the update, rotate the ASP.NET machine keys (via Central Administration or the Update-SPMachineKey cmdlet) and then restart IIS with iisreset.exe on every server in the farm.
Microsoft also recommends deploying Microsoft Defender for Endpoint or an equivalent EDR solution to detect post-exploitation activity, and temporarily disconnecting unpatched, internet-facing servers until the security updates can be applied.