Microsoft has confirmed that Chinese nation-state actors are actively exploiting zero-day vulnerabilities in on-premises SharePoint servers, prompting urgent security updates and immediate patching recommendations for organizations worldwide.
Vulnerability Discovery and Active Exploitation
On July 19, 2025, Microsoft Security Response Center disclosed that multiple Chinese threat actors have been exploiting two critical vulnerabilities affecting on-premises SharePoint servers: CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability.
These vulnerabilities do not affect SharePoint Online in Microsoft 365, but pose significant risks to organizations running on-premises installations.
Microsoft’s investigation reveals that exploitation attempts began as early as July 7, 2025, with threat actors targeting internet-facing SharePoint servers through crafted POST requests to the ToolPane endpoint.
The company has observed rapid adoption of these exploits across multiple threat groups, assessing with high confidence that additional actors will continue integrating these vulnerabilities into their attack campaigns.
Three distinct Chinese threat actors have been identified exploiting these vulnerabilities. Linen Typhoon, active since 2012, focuses on stealing intellectual property from government, defense, and human rights organizations.
Violet Typhoon, operating since 2015, conducts espionage against former government personnel, NGOs, think tanks, and educational institutions across the United States, Europe, and East Asia.
The third actor, Storm-2603, is assessed with medium confidence to be a China-based threat group, and Microsoft has not linked it to other known Chinese actors.
While this group has previously deployed Warlock and LockBit ransomware, its current objectives in exploiting the SharePoint vulnerabilities remain unclear.
Successful exploitation involves threat actors uploading malicious web shells named variations of “spinstall0.aspx” through crafted POST requests.
These web shells contain commands to retrieve MachineKey data, enabling attackers to steal critical authentication material from compromised SharePoint servers.
The attackers then use this stolen data for persistent access and potential lateral movement within target networks.
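The exploitation chain described above (crafted POST requests to the ToolPane endpoint, followed by requests to a web shell named after spinstall0.aspx) leaves a recognisable trace in IIS request logs. The following Python script is an added example, not code from Microsoft or from the article, that runs a simple hunt over a constructed IIS W3C log excerpt: it flags unauthenticated POSTs to ToolPane, any request to a spinstall*.aspx file, and correlates the two by client address. The endpoint path `/_layouts/15/ToolPane.aspx` and the sample log lines are assumptions for illustration; the article itself only names the endpoint and the web shell file name.

```python
import re
from collections import defaultdict

# Constructed sample IIS W3C log excerpt (not real telemetry). IIS replaces
# spaces inside a field such as the User-Agent with '+', so splitting on
# whitespace keeps the columns aligned.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 03:12:44 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-18 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 python-requests/2.31 200
2025-07-18 03:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-07-18 03:14:10 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 198.51.100.23 curl/8.4.0 200
2025-07-18 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.31 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Assumed location of the ToolPane endpoint under the SharePoint layouts folder.
TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)
# spinstall0.aspx and numbered variants of the same name.
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def find_toolshell_indicators(text):
    """Return, per client IP, unauthenticated ToolPane POSTs, web shell requests,
    and whether both were seen from the same client (the full chain)."""
    by_client = defaultdict(lambda: {"toolpane_posts": 0, "webshell_hits": [], "chained": False})
    for rec in parse_iis_w3c(text):
        client = rec["c-ip"]
        stem = rec["cs-uri-stem"]
        # Authenticated editors legitimately POST to ToolPane; an anonymous POST
        # ("-" in cs-username) from an internet-facing server is the suspicious case.
        if rec["cs-method"] == "POST" and TOOLPANE_RE.search(stem) and rec["cs-username"] == "-":
            by_client[client]["toolpane_posts"] += 1
        # Any request for a spinstall*.aspx file indicates a dropped web shell.
        if WEBSHELL_RE.search(stem):
            by_client[client]["webshell_hits"].append(stem)
    for finding in by_client.values():
        finding["chained"] = finding["toolpane_posts"] > 0 and bool(finding["webshell_hits"])
    return {ip: f for ip, f in by_client.items() if f["toolpane_posts"] or f["webshell_hits"]}


if __name__ == "__main__":
    for ip, f in find_toolshell_indicators(SAMPLE_IIS_LOG).items():
        severity = "CRITICAL" if f["chained"] else "HIGH"
        print(f"{severity} {ip}: {f['toolpane_posts']} unauthenticated ToolPane POST(s), "
              f"web shell requests {f['webshell_hits']}")
```

On the constructed log the script reports a single client, 198.51.100.23, as CRITICAL: one anonymous POST to ToolPane followed by two spinstall*.aspx requests. The authenticated POST from CONTOSO\bob is not flagged, which keeps ordinary page editing out of the results; on a real server, a positive hit on the web shell name should be treated as confirmed compromise and followed by the machine key rotation described below.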
Microsoft has released comprehensive security updates for all supported SharePoint Server versions, including Subscription Edition, 2019, and 2016.
The company strongly recommends immediate patching, along with enabling Antimalware Scan Interface (AMSI) in Full Mode and deploying Microsoft Defender Antivirus on all SharePoint servers.
Additional critical steps include rotating SharePoint server ASP.NET machine keys, restarting Internet Information Services, and deploying endpoint detection solutions.
Organizations unable to immediately patch should consider disconnecting servers from the internet or implementing VPN/proxy authentication to limit unauthenticated traffic.
The active exploitation of these zero-day vulnerabilities underscores the persistent threat posed by Chinese nation-state actors and the critical importance of maintaining current security updates across enterprise infrastructure.