Microsoft has issued an emergency security alert after detecting a deliberate attack campaign targeting on-premises SharePoint Server, starting July 7, 2025. Three Chinese hacker groups, Linen Typhoon, Violet Typhoon and Storm-2603, were identified behind the operation. The attacks exploit a series of severe vulnerabilities that allow attackers to bypass authentication, execute code remotely, and hijack internal systems.
In particular, on July 18, 2025, one of the victims of the intrusion was identified as the National Nuclear Security Agency (NNSA), part of the U.S. Department of Energy. Although only a few systems were affected and no leak of classified data was detected, the incident showed the scale and sophistication of the attack wave. Microsoft 365 and layered network defenses helped limit the damage, but the incident has put the U.S. cybersecurity community on high alert.
Four vulnerabilities were exploited during the attack:
- CVE-2025-49706 (spoofing): allows an attacker to forge a legitimate user identity during authentication
- CVE-2025-49704 (remote code execution): allows remote code execution on the target SharePoint server
- CVE-2025-53770 (ToolShell authentication bypass and RCE): allows unauthorized access to the ToolShell command-line environment and execution of malicious code without authentication
- CVE-2025-53771 (ToolShell path traversal): allows reading and editing sensitive files on the system by circumventing the usual directory restrictions
These vulnerabilities affect SharePoint Server 2016, 2020, and 2009 and SharePoint Server Subscription Edition in on-premises deployments. SharePoint Online was not affected.
Microsoft observed the attackers sending POST requests to the ToolPane endpoint for reconnaissance, then uploading malicious web shells such as spinstall.aspx, spinstall0.aspx, spinstall1.aspx, and spinstall2.aspx. These shells contain instructions that collect MachineKey data in response to GET requests, which lets the attacker steal ASP.NET authentication material and extend their control over the system.
Among the vulnerabilities, CVE-2025-53771 is an improper authentication flaw (CWE-287) that allows authenticated accounts to perform spoofing in an intranet environment. Notably, this vulnerability can be chained with CVE-2025-49704 to form a multi-stage attack sequence that hijacks the system at a deeper level and maintains long-term access. When the flaws are combined, the resulting attacks are more complex and harder to detect, posing serious risks to organizations.
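The two indicators the article names, unauthenticated POST requests to the ToolPane endpoint followed by requests for spinstall*.aspx web shells, can be hunted for in IIS W3C logs from the SharePoint front end. The following is an added example written for this article, not Microsoft's or WhiteHat's code; it assumes the standard endpoint path /_layouts/15/ToolPane.aspx and the default IIS field layout, and the log lines it runs on are constructed samples, not real telemetry. It goes slightly beyond the text by correlating the two indicators per client IP so that a web shell request from an address that already sent unauthenticated ToolPane POSTs is rated higher than either indicator alone.

```python
import re
from collections import defaultdict

# Added example (not from the original article). Flags the indicators the text
# describes in IIS W3C logs: POST to the ToolPane endpoint without a
# username (authentication bypass) and any request for spinstall*.aspx.
# Endpoint path is an assumption; field layout follows the #Fields: header.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample log (not real data). 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 02:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 - 200
2025-07-18 02:15:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 python-requests/2.32 - 200
2025-07-18 02:15:12 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 python-requests/2.32 - 200
2025-07-18 02:15:40 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.32 - 200
2025-07-18 02:16:02 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\admin 10.0.1.30 Mozilla/5.0 - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, parts))


def classify(rec):
    """Return an indicator label for one request, or None when nothing matches."""
    stem = rec.get("cs-uri-stem", "")
    method = rec.get("cs-method", "").upper()
    user = rec.get("cs-username", "-")
    if WEBSHELL_RE.search(stem):
        return "webshell_request"
    # ToolPane normally requires an authenticated user; "-" means IIS saw none.
    if method == "POST" and TOOLPANE_RE.search(stem) and user == "-":
        return "unauthenticated_toolpane_post"
    return None


def analyze(text):
    """Return findings in log order; a shell request from an IP that already
    sent unauthenticated ToolPane POSTs is escalated to critical."""
    findings = []
    toolpane_by_ip = defaultdict(list)
    for rec in parse_w3c(text):
        label = classify(rec)
        if label is None:
            continue
        ip = rec.get("c-ip", "?")
        when = f"{rec.get('date', '')} {rec.get('time', '')}"
        severity = "medium"
        if label == "unauthenticated_toolpane_post":
            toolpane_by_ip[ip].append(when)
        else:
            severity = "critical" if toolpane_by_ip.get(ip) else "high"
        findings.append({"time": when, "c-ip": ip, "uri": rec["cs-uri-stem"],
                         "label": label, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['time']} {f['c-ip']:15} {f['label']:30} {f['uri']}")
```

Run it against real logs by reading the u_ex*.log files from the IIS log directory into `analyze`. An authenticated GET to ToolPane.aspx (the last sample line, an administrator editing a page) is deliberately not flagged; a match on the web shell name is flagged even when authenticated, because those files should not exist on a healthy server at all.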
Given the severity and spread of the attack chain, Microsoft quickly released security patches to prevent exploitation in practice:
- KB5002768 for SharePoint Server Subscription Edition
- KB5002754 and KB5002753 for SharePoint Server 2019
- KB5002760 and KB4003759 for SharePoint Server 2016
Notably, the update for CVE-2025-53771 also strengthened the defensive layers, including improved authentication mechanisms and hardened network communication protocols to block spoofing attempts from within.
To protect systems against this wave of attacks, Microsoft recommends deploying the following defenses immediately:
- Enable AMSI in Full Mode to detect malicious code hidden in server processes and block unauthorized execution early
- Deploy Microsoft Defender Antivirus and keep it updated; it helps identify and remove web shells such as spinstall.aspx that the attackers are using
- Rotate the ASP.NET machine keys to revoke any access the attacker may have gained by stealing the old key
- Restart IIS with the iisreset.exe command to apply the security changes and remove any malicious sessions still held in memory
CISA added CVE-2025-53771 to its catalog of vulnerabilities requiring emergency remediation on July 22, 2025, with a deadline for implementation only one day later. The 24-hour time frame reflects the particular severity of the breach. The agency also emphasized the requirement to disconnect any public-facing SharePoint servers that are end-of-life (EOL) or end-of-support (EOS). Systems such as SharePoint 2013 and earlier no longer receive patches and must be removed from the production infrastructure.
According to WhiteHat experts: "While no trace of ransomware exploiting this vulnerability chain directly has been recorded, the combination of authentication bypass and remote code execution is the ideal recipe for data-encrypting attacks. We found the risk level to be very high, not only because of the scope of impact but also because of a sharp increase in the exploitation rate. Once the exploit tool is publicly shared, every unpatched system becomes a 'fat lure.' The slower we update, the closer we are to an attack."
As Microsoft estimates that APT groups will soon integrate this series of vulnerabilities into their attack toolkits, the risk of spread is clear, especially for organizations that have not yet patched. A WhiteHat expert warned: "Not acting now is like inviting the attacker directly into the data center. At that point it is not just a web shell, but possibly a whole campaign of encryption, ransom and data theft at a deeper level."
Applying the patch is no longer optional; it is a vital act in a context where the attacker already has a way in and is just waiting for the opportunity to enter.