Microsoft SharePoint Faces Increased Cyber Threats
Microsoft is grappling with serious vulnerabilities in its SharePoint platform, as recent reports indicate that several hacking groups believed to be backed by the Chinese government are actively exploiting these weaknesses. This alarming news underscores ongoing security challenges for organizations relying on Microsoft’s web-based storage services.
Emerging Vulnerabilities
Late last week, Microsoft, along with various global security agencies, raised concerns about a specific vulnerability, designated as CVE-2025-53770. This remote code execution (RCE) flaw is linked to another previously disclosed issue, CVE-2025-49706. Since that initial warning, the situation has escalated; Microsoft has now confirmed a second vulnerability, CVE-2025-53771, which is also under active exploitation.
Detection of Threat Actors
In a blog post dated July 22, Microsoft pointed out that at least two Chinese state-sponsored hacking groups—identified as Linen Typhoon and Violet Typhoon—have been observed targeting internet-facing SharePoint servers using these vulnerabilities. Additionally, another threat actor, referred to as Storm-2603, has been noted for exploiting these same weaknesses. Investigations into further actors utilizing these exploits are currently ongoing.
Techniques Used in Exploitation
The hackers are reportedly employing web shells to extract MachineKey data, which gives them complete access to SharePoint data and enables remote code execution. Microsoft anticipates that exploitation of unpatched on-premises SharePoint systems will persist, posing an ongoing risk to affected organizations.
Who Are the Hackers?
Linen Typhoon
According to Microsoft, Linen Typhoon has been active since at least 2012, primarily focused on stealing intellectual property, particularly in government and defense sectors. Their targets often include areas related to human rights and strategic planning.
Violet Typhoon
Active since 2015, Violet Typhoon specializes in espionage operations, targeting former military personnel, government employees, NGOs, higher education institutions, media organizations, and the healthcare sector.
Storm-2603
Storm-2603 is believed to be closely linked to the People’s Republic of China, although ongoing investigations are aimed at clarifying the group’s precise affiliations. Microsoft’s analysis indicates that this actor has previously deployed ransomware types like Warlock and LockBit, yet their current objectives remain uncertain.
Implications of These Vulnerabilities
The existence of these vulnerabilities reveals a significant issue within organizational security practices. Marijus Briedis, Chief Technology Officer at NordVPN, emphasized that treating security updates as optional can result in dire consequences. "The SharePoint vulnerability illustrates what happens when security is neglected," he remarked. "Unauthenticated access to systems compromises full access to SharePoint content, allowing attackers to execute code across networks."
Briedis warns that when a significant institution—be it a corporation, financial institution, or healthcare provider—falls prey to these vulnerabilities, it’s ultimately consumers who suffer. With SharePoint often integrated with other Microsoft services like Outlook and Teams, a breach can quickly escalate into extensive data theft. Financial records, emails, and medical information are interconnected within these platforms, making the stakes incredibly high.
Scope of the Threat
Research indicates that thousands of organizations may be vulnerable to these threats, with reports of at least 100 already compromised. Alarmingly, conventional security measures like the Windows Anti-malware Scan Interface (AMSI) can be circumvented easily. Benjamin Harris, CEO of watchTowr, shared insights from internal tests showing how vulnerabilities tied to CVE-2025-53770 can bypass AMSI, enabling hackers to identify weak systems even after applying mitigations.
"It’s concerning to hear organizations opting to ‘enable AMSI’ rather than patching their systems," Harris stated. "This approach is fundamentally flawed. Linking the exploitation to nation-state actors makes it unrealistic to assume they won’t find a way to bypass AMSI."
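The two technical points above, that the attackers steal MachineKey data through web shells and that enabling AMSI is no substitute for patching, translate into a concrete recovery sequence for defenders: apply the update first, then rotate the ASP.NET machine keys (a patch alone does not invalidate keys that were already read), then restart IIS so worker processes use the new keys. The script below is an added illustration, not code from the article or from Microsoft. Update-SPMachineKey and the Machine Key Rotation timer job are the documented SharePoint mechanisms Microsoft's guidance for this issue names; the $MinimumPatchedBuild value is a placeholder to be taken from the vendor's guidance for your SharePoint version, and the remote iisreset assumes PowerShell remoting is enabled between farm servers.

```powershell
# Added example (not from the article): post-patch recovery for an
# on-premises SharePoint farm whose ASP.NET machine keys may have been read
# through a web shell. Run in an elevated SharePoint Management Shell on one
# server in the farm; key rotation for a web application applies farm-wide.
#
# Assumptions: $MinimumPatchedBuild is a PLACEHOLDER, take the real build
# number from Microsoft's guidance for your version. Remote iisreset assumes
# PowerShell remoting is enabled; otherwise run iisreset on each server by hand.

param(
    [version]$MinimumPatchedBuild = [version]'0.0.0.0'   # PLACEHOLDER: set from vendor guidance
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Confirm the farm is actually patched before rotating keys. Rotating on an
#    unpatched server only hands the attacker a fresh key to read again.
$farm  = Get-SPFarm
$build = $farm.BuildVersion
Write-Host "Farm build version: $build"
if ($build -lt $MinimumPatchedBuild) {
    throw "Farm build $build is below the patched build $MinimumPatchedBuild; apply the security update first."
}

# 2. Rotate the ASP.NET machine keys for every web application, including
#    Central Administration. Keys that were exfiltrated remain valid until
#    rotated, so patching alone does not close the exposure.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS on every SharePoint server (servers with role 'Invalid' are
#    non-SharePoint members such as SQL hosts) so worker processes pick up the
#    new keys.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
}
```

AMSI integration and an up-to-date antivirus engine remain worthwhile as defense in depth on top of this sequence, but, as Harris notes above, they are not a replacement for the steps it performs.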
Conclusion
With the urgency surrounding these vulnerabilities, organizations must prioritize patching their software and addressing security weaknesses to mitigate risks associated with cyber threats. The ramifications of neglecting these issues can be extensive, impacting not only the organization but also its customers and stakeholders.