Listen to this Post

Cyberattacks Target On-Premises SharePoint Servers in New Global Espionage Wave
On July 19, 2025, Microsoft issued a stark warning through its Security Response Center: several critical vulnerabilities are being actively exploited in on-premises SharePoint servers, placing thousands of organizations at serious risk. The vulnerabilities—CVE-2025-49706 and CVE-2025-49704—are currently under attack, with Microsoft attributing the activity to Chinese state-sponsored groups. While SharePoint Online remains unaffected, on-premises deployments of SharePoint Server (2016, 2019, and Subscription Edition) are directly vulnerable. The company has released urgent security patches, but threat actors are moving fast, using sophisticated tactics to breach systems and deploy malicious web shells for persistence and further exploitation. Organizations that fail to act swiftly may find themselves compromised by cyber-espionage operations aimed at stealing sensitive machine keys and potentially executing ransomware payloads. Microsoft emphasizes immediate patching, AMSI configuration, Defender integration, and machine key rotation to counter these active threats. Failure to act exposes systems to repeat attacks, data breaches, and potential lateral movement within critical infrastructure.
Coordinated Exploitation by Nation-State Actors
Active Exploits in the Wild
Microsoft confirmed that CVE-2025-49706 (a spoofing vulnerability) and CVE-2025-49704 (a remote code execution flaw) are being actively exploited. These vulnerabilities affect only on-premises SharePoint servers, sparing SharePoint Online users. Microsoft’s updates patch related vulnerabilities CVE-2025-53770 and CVE-2025-53771.
Chinese Nation-State Attribution
The threat actors identified include three Chinese state-linked groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Linen Typhoon has targeted government and defense entities since 2012, while Violet Typhoon focuses on espionage against NGOs, academia, and media. Storm-2603, though less known, has been linked to prior ransomware deployments, such as Warlock and Lockbit.
Exploitation Methodology
Threat actors exploited SharePoint’s ToolPane endpoint using POST requests. Successful attacks led to web shell deployment using malicious scripts like spinstall0.aspx, which allowed attackers to exfiltrate ASP.NET MachineKey material. File variations and PowerShell payloads allowed threat persistence and further control over the server environment.
Mitigation Strategy
Microsoft urges all on-premises SharePoint users to:
Apply the latest updates (KB5002768, KB5002754, KB5002753, KB5002760, KB5002759).
Enable Antimalware Scan Interface (AMSI) in Full Mode.
Deploy Microsoft Defender Antivirus or equivalent solutions.
Rotate ASP.NET MachineKeys post-patching.
Restart IIS and consider disconnection or VPN protection if AMSI can’t be enabled.
Indicators of Compromise
Microsoft provides a set of IOCs including file names (e.g., spinstall0.aspx, debug_dev.js), malicious IPs (e.g., 131.226.2.6), SHA-256 hashes, and URLs used for command-and-control (e.g., ngrok-free tunnels).
Defender & Sentinel Coverage
Microsoft Defender XDR detects suspicious script behavior, anomalous PowerShell activity, and dropped web shells. Sentinel customers can run threat hunting queries to match IOCs. Threat intelligence data is also available via Microsoft Security Copilot.
What Undercode Say:
The Geopolitical Angle
The involvement of Chinese nation-state actors underscores how cybersecurity is no longer just an IT issue but a geopolitical flashpoint. These campaigns are not mere ransomware attacks for profit. They’re coordinated intelligence-gathering missions. Linen Typhoon and Violet Typhoon, with their longstanding history in cyber-espionage, point to a broader intelligence objective: collecting sensitive data from strategic sectors and weakening Western infrastructure from within.
Exploits That Bypass Trust
The vulnerabilities exploited allow attackers to bypass authentication and execute remote code, meaning attackers don’t need valid credentials to breach systems. This is a chilling reminder that perimeter-based security is no longer sufficient. Attackers are penetrating trusted internal systems without detection, and once in, they’re extracting encryption keys that can unlock even more sensitive data.
Obsolete Deployment Models Are a Ticking Time Bomb
Microsoft’s update emphasizes that SharePoint Online is unaffected—highlighting the increasing security advantage of cloud-based services. On-premises environments, often neglected in patch cycles and difficult to monitor, remain an attractive target for attackers. Legacy infrastructure, while functional, lacks the layered security baked into modern cloud services, making it more susceptible to zero-day and nation-state exploitation.
Weaponized Web Shells
The use of .aspx-based web shells (spinstall0.aspx variants) reflects a return to reliable, stealthy attack methods. These payloads blend in with regular SharePoint activity and are hard to detect unless behavioral analytics are in place. Web shells can be leveraged for lateral movement, backdoors, or launching ransomware payloads—putting an entire network at risk beyond just the initial server.
The AMSI Imperative
The Antimalware Scan Interface (AMSI), especially in Full Mode, is a critical line of defense. Its deep integration into SharePoint’s scripting and execution engine makes it one of the few technologies capable of intercepting in-memory malware execution. Yet, many enterprises disable AMSI due to compatibility concerns or performance hesitations—a dangerous tradeoff in today’s threat landscape.
Why Threat Intelligence Matters
Organizations using Microsoft Defender Threat Intelligence and Sentinel have a significant advantage. The detailed IOC and telemetry correlation offered by Microsoft allow defenders to trace attack chains from the initial access point to post-exploitation stages. Without such tools, many of these attacks would go unnoticed for months.
The Risk of Repetition
The attackers’ success hinges on unpatched systems. Microsoft’s blog clearly states the exploits have been rapidly adopted. That means copycat attackers and ransomware groups are likely to integrate these techniques soon. The longer organizations delay patching, the greater the odds they’ll be next.
Defensive Automation Is Non-Negotiable
Manual monitoring isn’t viable anymore. Defender XDR, Sentinel, and AMSI automation aren’t optional luxuries—they’re now essential to survival. Organizations must integrate these layers into their architecture or accept the risk of compromise.
Prevention over Reaction
Waiting for alerts after compromise is reactive cybersecurity. Applying patches, rotating keys, monitoring IOCs, and isolating vulnerable systems is proactive defense. In this case, defense is significantly cheaper than recovery from a full breach.
🔍 Fact Checker Results:
✅ SharePoint Online is not impacted by these vulnerabilities.
✅ The CVEs mentioned are officially listed and recognized by Microsoft.
✅ Nation-state attribution has been confirmed by Microsoft to involve Chinese threat actors.
📊 Prediction:
The exploitation of CVE-2025-49706 and CVE-2025-49704 is only the beginning of a broader wave of targeted attacks against legacy, on-premises infrastructure. As more threat actors (beyond the initial Chinese groups) gain access to exploit kits and tools, ransomware gangs and cybercriminals will begin leveraging these vulnerabilities for monetary gain. Expect to see lateral movement into connected environments, with web shells acting as persistent footholds for long-term surveillance or eventual data encryption events. Organizations that fail to patch and reconfigure AMSI will likely experience data theft, system lockouts, or worse—complete operational shutdowns.
References:
Reported By: www.microsoft.com
Extra Source Hub:
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




