
Microsoft Identifies Chinese Hacker Groups Exploiting SharePoint Vulnerabilities

Overview

Microsoft has attributed the ongoing attacks against on-premises SharePoint Server to three China-based threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. Since early July 2025 these groups have been exploiting flaws in on-premises SharePoint Server to bypass authentication, execute code on the server, and plant web shells. SharePoint Online in Microsoft 365 is not affected; only self-hosted SharePoint Server installations are at risk.

Technical Breakdown

  • Vulnerabilities Involved:
    • CVE-2025-49706 (spoofing flaw that allows authentication bypass)
    • CVE-2025-49704 (remote code execution)
    • CVE-2025-53771 (bypass of the fix for CVE-2025-49706) and CVE-2025-53770 (bypass of the fix for CVE-2025-49704)
  • Attack Method: The attacker sends a POST request to the ToolPane page (/_layouts/15/ToolPane.aspx) with a Referer header pointing at /_layouts/SignOut.aspx. The spoofing flaw lets that request through without authentication, and the deserialization flaw in the same page gives remote code execution on the SharePoint server.
  • Malware Used: Web shell variants named spinstall0.aspx, spinstall1.aspx, etc., dropped into the SharePoint LAYOUTS directory. Rather than offering a command prompt, the shell reads the ASP.NET MachineKey configuration (ValidationKey and DecryptionKey) and returns it to the attacker. With those keys the attacker can sign arbitrary __VIEWSTATE payloads, which keeps giving code execution even after the server has been patched unless the keys are rotated.
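A triage script for the chain described above, added here as an example and not code from Microsoft or from the attack reports. It scans IIS W3C log lines for the two request shapes that matter (an anonymous POST to ToolPane, especially one carrying the SignOut Referer, and any request for a spinstall*.aspx file) and separately checks a directory listing for web-shell file names. The log lines, host names, IP addresses and file names are constructed for the demonstration; the SharePoint paths and the spinstall naming pattern are the ones from the report.

```python
import re
from dataclasses import dataclass

# Paths from the exploit chain: the ToolPane page that is posted to, and the
# SignOut page used as the Referer to trigger the authentication bypass.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?ToolPane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?SignOut\.aspx", re.I)
# Web shell names seen in the campaign: spinstall.aspx, spinstall0.aspx, spinstall1.aspx, ...
WEBSHELL_RE = re.compile(r"^spinstall\d*\.aspx$", re.I)


@dataclass
class Hit:
    time: str
    client_ip: str
    user: str
    request: str
    severity: str
    reason: str


def parse_w3c(lines):
    """Yield one dict per request line of a W3C extended log, keyed by the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def scan_iis_log(lines):
    """Return Hits for ToolPane abuse and web-shell access, in log order."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        method = rec.get("cs-method", "")
        user = rec.get("cs-username", "-")
        referer = rec.get("cs(Referer)", "-")
        query = rec.get("cs-uri-query", "-")
        request = f"{method} {stem}" + ("" if query == "-" else "?" + query)
        severity = reason = None
        if method == "POST" and TOOLPANE_RE.search(stem):
            # Authenticated editors do POST to ToolPane legitimately; the SignOut
            # Referer, or an anonymous caller, is what separates exploitation.
            if SIGNOUT_RE.search(referer):
                severity, reason = "high", "POST to ToolPane with SignOut Referer (auth bypass)"
            elif user == "-":
                severity, reason = "medium", "anonymous POST to ToolPane"
        elif WEBSHELL_RE.match(stem.rsplit("/", 1)[-1]):
            severity, reason = "high", "request to spinstall web shell"
        if severity:
            hits.append(Hit(rec.get("time", ""), rec.get("c-ip", ""), user, request, severity, reason))
    return hits


def find_webshell_files(names):
    """Given a listing of the LAYOUTS directory, return the spinstall web-shell file names."""
    return [n for n in names if WEBSHELL_RE.match(n)]


# Constructed sample log (not a real capture). Host names and IPs are made up;
# the request shapes follow the chain described in the article.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:15:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jdoe 10.0.0.44 Mozilla/5.0 - 200
2025-07-18 10:15:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:15:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 10:16:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\jdoe 10.0.0.44 Mozilla/5.0 https://sp.contoso.local/SitePages/Home.aspx 200
2025-07-18 10:20:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 python-requests/2.32 - 401
"""

# Constructed LAYOUTS directory listing for the file-name check.
SAMPLE_LAYOUTS = ["default.aspx", "spinstall0.aspx", "SPINSTALL2.ASPX", "spinstall.aspx", "ToolPane.aspx"]

if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"[{h.severity}] {h.time} {h.client_ip} user={h.user} {h.request}: {h.reason}")
    print("web shells on disk:", find_webshell_files(SAMPLE_LAYOUTS))
```

Two design points. First, a successful (200) POST to ToolPane from an authenticated user with an ordinary Referer is normal SharePoint editing traffic, so the script only escalates on the SignOut Referer or an anonymous caller; the 401 in the last sample line is a failed attempt and is still worth keeping as a medium finding because it shows someone probing. Second, a hit on spinstall*.aspx, either in the logs or on disk, means the MachineKey should be treated as stolen: patching alone does not close the door, and key rotation (below) becomes the priority.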

Mitigation Recommendations

Microsoft urges all organizations to:

  • Apply the latest security updates for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition; these contain the fixes for both the original flaws and their bypasses.
  • Rotate the ASP.NET machine keys on every SharePoint server after the update is installed. This step is not optional: if a spinstall web shell ran, the attacker already holds the keys and can keep forging signed payloads against a patched server until they are replaced.
  • Restart IIS on all SharePoint servers after rotating the keys so the new keys take effect.
  • Enable the AMSI integration in Full Mode so that requests to SharePoint are scanned before they reach the application. If AMSI cannot be enabled, Microsoft's guidance is to take the server off the internet until it is patched.
  • Deploy Microsoft Defender for Endpoint or an equivalent endpoint security solution, and review IIS logs and the LAYOUTS directory for ToolPane abuse and spinstall*.aspx files, since patching does not remove a web shell that is already present.
