Microsoft Connects Ongoing SharePoint Exploits to Three Hacker Groups in China


Rising SharePoint Exploits Linked to Chinese Hacking Groups

As of July 7, 2025, Microsoft has officially connected the exploitation of vulnerabilities in internet-facing SharePoint Server instances to two Chinese hacking groups: Linen Typhoon and Violet Typhoon. This finding supports earlier suspicions regarding the origins of these attacks.

Identifying the Threat Actors

In its recent report, Microsoft also identified a third China-based actor, tracked as Storm-2603, that is exploiting these newly disclosed flaws to gain initial access to targeted organizations. Microsoft expressed confidence that these threat actors will continue to exploit unpatched on-premises SharePoint systems.

Who Are Linen Typhoon and Violet Typhoon?

  1. Linen Typhoon:
    • Also known as APT27, Bronze Union, and several other aliases, this group has been active since 2012. Historically, it has been associated with malware such as SysUpdate, HyperBro, and PlugX.
  2. Violet Typhoon:
    • Operating since 2015, this group, recognized by names including APT31 and Bronze Vinewood, has previously targeted countries such as the United States, Finland, and the Czech Republic.
  3. Storm-2603:
    • This suspected China-based attacker has a history of deploying ransomware variants such as Warlock and LockBit.

Vulnerabilities Under Attack

The vulnerabilities being exploited in these attacks affect on-premises SharePoint servers. They are CVE-2025-49706, a spoofing issue, and CVE-2025-49704, a remote code execution flaw. The exploitation of these two flaws has since been assigned its own identifiers, CVE-2025-53771 and CVE-2025-53770, respectively.

Microsoft observed the attackers exploiting these SharePoint vulnerabilities through a POST request to the ToolPane endpoint. This request bypasses authentication and can lead to remote code execution.

The Infection Chain

After exploitation, the attackers have installed a web shell known as "spinstall0.aspx" (also seen as spinstall.aspx, spinstall1.aspx, or spinstall2.aspx). This web shell lets them read and exfiltrate the server's sensitive MachineKey data, significantly heightening the risk for affected organizations.
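As an added illustration (not code from Microsoft's report or this article), the following script sifts IIS W3C logs for the two indicators the article names: successful POSTs to the ToolPane endpoint with no authenticated user, and any request to a spinstall*.aspx path. The log lines, IP addresses and hostname are constructed; the field order is the default IIS W3C layout.

```python
import re

# Constructed IIS W3C log sample (not from any real incident). Field order is the
# default IIS layout: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /sites/finance/Shared%20Documents/report.xlsx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 10:02:33 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 380
2025-07-18 10:02:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2025-07-18 10:05:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.30 Mozilla/5.0 https://sp.example.test/sites/hr/_layouts/15/settings.aspx 200 0 0 210
2025-07-18 10:06:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.9 curl/8.0 - 401 2 5 12
"""

# Web shell names from the reporting (spinstall.aspx, spinstall0/1/2.aspx) and the ToolPane endpoint.
WEBSHELL_RE = re.compile(r"/spinstall\d?\.aspx$", re.IGNORECASE)
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)


def parse_w3c(text: str) -> list[dict]:
    """Return one dict per entry, keyed by the names in the most recent #Fields line."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines rather than mis-assign columns
                entries.append(dict(zip(fields, values)))
    return entries


def find_suspicious(text: str) -> list[tuple[str, dict]]:
    """Return (reason, entry) pairs worth triage."""
    hits = []
    for e in parse_w3c(text):
        stem, user, status = e["cs-uri-stem"], e["cs-username"], e["sc-status"]
        if WEBSHELL_RE.search(stem):
            hits.append(("request to spinstall*.aspx web shell path", e))
        elif (e["cs-method"] == "POST" and TOOLPANE_RE.search(stem)
              and user == "-" and status.startswith("2")):
            # 2xx on ToolPane.aspx with no authenticated user matches the bypass; admin edits and 401s are left alone
            hits.append(("successful unauthenticated POST to ToolPane.aspx", e))
    return hits


if __name__ == "__main__":
    for reason, e in find_suspicious(SAMPLE_LOG):
        print(f"{e['date']} {e['time']} {e['c-ip']} {e['cs-method']} {e['cs-uri-stem']} -> {reason}")
```

Authenticated POSTs to ToolPane.aspx (normal page editing) and rejected 401 attempts are deliberately not flagged, so the output is a triage list rather than an alert on every ToolPane request.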

Cybersecurity researcher Rakesh Krishnan detailed a forensic analysis in which three distinct invocations of Microsoft Edge were identified during a SharePoint exploit. These include the Network Utility Process, Crashpad Handler, and GPU Process. According to Krishnan, this reveals a strategic approach aimed at behavioral mimicry and evasion of security measures.

Recommendations for Organizations

To reduce the risk posed by these vulnerabilities, organizations should take immediate actions including:

  • Update SharePoint: Apply the latest updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.
  • Rotate Keys: Rotate the SharePoint server's ASP.NET machine keys.
  • Restart IIS: Restart Internet Information Services so that the changes take effect.
  • Implement Endpoint Protection: Deploy Microsoft Defender for Endpoint or an equivalent solution.

Organizations are also encouraged to enable the Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus, configuring AMSI to operate in Full Mode for all on-premises SharePoint deployments.

A Call to Action

Microsoft warns that these exploits present an ongoing threat and that organizations must implement necessary mitigations and security updates swiftly. The current situation is not isolated; it marks a continuation of state-sponsored hacking campaigns against Microsoft. Notably, the Silk Typhoon group (or Hafnium) was previously linked to mass exploitation activities in March 2021, showcasing a persistent risk landscape.

Furthermore, a recent arrest adds another layer to this narrative. A 33-year-old Chinese national, Xu Zewei, was arrested in Italy for cyber attacks against American organizations that leveraged the Microsoft Exchange Server flaws known as ProxyLogon.

Organizations that use Microsoft SharePoint must not underestimate the urgency of updating their systems and employing robust cybersecurity practices to thwart potential exploitations by these advanced persistent threat actors.
