
Microsoft Reveals Ongoing Chinese Hacker Exploits Targeting SharePoint Server Vulnerabilities

Key Metrics
  • Heat Index
    16.49
  • Impact Level
    Medium
  • Scope Level
    Global
  • Last Update
    2025-08-24
Key Impacts
Positive Impacts (5)
  • Cyber-Security Sector
  • Zscaler Inc. (ZS)
  • Palo Alto Networks Inc. (PANW)
  • Cyber-Insurance Industry
  • Cloud Infrastructure Providers (AWS, Google Cloud, Azure)
Negative Impacts (2)
  • Microsoft Corporation (MSFT)
  • On-Premises Enterprise Software Vendors
Total impacts: 8 | Positive: 5 | Negative: 2
Event Overview

Targeted cyberattacks that exploit unpatched software vulnerabilities highlight organizations' reliance on legacy systems and the threat posed by sophisticated actors. These events expose the tension between technology-dependent organizations and an evolving threat landscape, and they illustrate the weaknesses inherent in on-premises infrastructure compared with cloud alternatives. Recurring patterns of exploitation point to persistent security gaps, regulatory concerns, and the difficulty organizations face in managing enterprise IT risk in an era of advanced persistent threats.

Collect Records
Microsoft Reports Chinese Hackers Exploiting SharePoint Vulnerabilities
2025-07-24 10:05

On July 19, 2025, the Microsoft Security Response Center (MSRC) published a blog post detailing active attacks against on-premises SharePoint servers that exploit two vulnerabilities: CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. These vulnerabilities affect only on-premises SharePoint servers, not SharePoint Online in Microsoft 365.

Microsoft has released security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) and advises customers to apply them immediately. Microsoft observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities against internet-facing SharePoint servers. Another China-based threat group, tracked as Storm-2603, has been observed exploiting the same flaws to deploy ransomware. Investigations into other threat actors using these exploits are ongoing.

Microsoft observed multiple threat actors conducting reconnaissance and attempting exploitation of vulnerable servers through POST requests to the ToolPane endpoint. Threat actors who successfully exploited the authentication bypass and remote code execution vulnerabilities were observed using a web shell on compromised servers.
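The reconnaissance and exploitation pattern described above (POST requests to the ToolPane endpoint, followed by web shell use) can be hunted for in IIS W3C logs. The following triage script is an added example written for this page, not code from Microsoft or from the MSRC post. The log excerpt embedded in it is constructed, the severity heuristic (unauthenticated POSTs to ToolPane rated higher than authenticated ones, since the reported attacks involve an authentication bypass) is the author's assumption, and the `unknown_page.aspx` name is a placeholder standing in for whatever follow-on page a flagged source requests, not a real indicator from the page.

```python
"""Triage helper: scan IIS W3C extended logs for POSTs to the SharePoint ToolPane
endpoint and for follow-on .aspx requests from the same client (possible web shell use)."""
import re
from collections import Counter

# Constructed sample IIS log excerpt (not real traffic). The #Fields header uses the
# standard IIS W3C column names and drives the column mapping in parse_iis_log().
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 03:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 03:12:05 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\bob 10.0.1.21 Mozilla/5.0 - 200 0 0 210
2025-07-18 03:12:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 311
2025-07-18 03:12:15 10.0.0.5 GET /_layouts/15/unknown_page.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 45
2025-07-18 03:12:20 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 98
"""

# The endpoint named in the MSRC guidance; matched case-insensitively on the URI stem.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)


def parse_iis_log(text):
    """Parse IIS W3C log text into a list of dicts keyed by the names in the #Fields line.

    IIS encodes spaces inside field values as '+' and writes '-' for empty values,
    so splitting on whitespace is safe. Malformed data lines are kept, tagged, so the
    analyst can see that something was skipped rather than silently dropped.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            records.append({"_malformed": line})
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_toolpane_activity(records):
    """Return findings for ToolPane POSTs and for later .aspx requests from flagged clients.

    Severity heuristic (assumption, not from the page): a POST to ToolPane with no
    authenticated user is rated 'high' because the reported attacks bypass
    authentication; an authenticated POST is rated 'review' since ToolPane is also
    used by legitimate page editing. Any later .aspx request from a flagged client
    is reported as 'follow-on' so the analyst can check it for web shell use.
    """
    findings = []
    flagged_ips = set()
    for rec in records:
        if "_malformed" in rec:
            continue
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        client = rec.get("c-ip", "")
        user = rec.get("cs-username", "-")
        when = f"{rec.get('date', '')} {rec.get('time', '')}"
        if method == "POST" and TOOLPANE_RE.search(stem):
            severity = "high" if user == "-" else "review"
            findings.append({"time": when, "client_ip": client, "user": user,
                             "uri": stem, "status": rec.get("sc-status", ""),
                             "severity": severity,
                             "reason": "POST to ToolPane endpoint"})
            flagged_ips.add(client)
        elif client in flagged_ips and stem.lower().endswith(".aspx"):
            findings.append({"time": when, "client_ip": client, "user": user,
                             "uri": stem, "status": rec.get("sc-status", ""),
                             "severity": "follow-on",
                             "reason": "later .aspx request from a client that POSTed to ToolPane"})
    return findings


def summarize_by_ip(findings):
    """Count findings per client IP to prioritise which sources to investigate first."""
    return dict(Counter(f["client_ip"] for f in findings))


if __name__ == "__main__":
    hits = find_toolpane_activity(parse_iis_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h['time']} {h['client_ip']:>15} {h['severity']:<9} {h['uri']} ({h['reason']})")
    print("per-client totals:", summarize_by_ip(hits))
```

Run against real IIS logs by reading the file into `parse_iis_log`; the script only parses, correlates and reports, so it is safe to run on a server under investigation. Treat a 'high' hit as a trigger for the steps Microsoft lists (patching, AMSI, machine-key rotation, endpoint detection), not as proof of compromise by itself.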

Microsoft recommends customers use supported versions of on-premises SharePoint servers, apply the latest security updates, enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus or equivalent, rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.

Total records: 1