Microsoft Warns Of Active Exploits Targeting SharePoint Vulnerabilities
Microsoft Corp (NASDAQ:MSFT) has issued a critical warning regarding ongoing attacks on on-premises SharePoint servers, urging organizations to apply newly released security updates immediately.
The alert, published July 19 by the Microsoft Security Response Center, highlights active exploitation of two key vulnerabilities—a spoofing flaw and a remote code execution flaw—by state-linked threat actors.
These vulnerabilities do not impact SharePoint Online hosted on Microsoft 365.
The new updates cover supported versions of SharePoint Server, including Subscription Edition, 2019, and 2016.
Microsoft emphasized that the patches also address additional related flaws, CVE-2025-53770 and a bypass vulnerability, CVE-2025-53771, providing a more comprehensive security fix.
Microsoft attributed the exploitation campaigns to three China-based threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603.
According to the company, these groups have been actively targeting internet-facing SharePoint servers since at least July 7.
The attacks observed involve sending a specially crafted POST request to the SharePoint server’s ToolPane endpoint, allowing threat actors to upload malicious ASP.NET scripts—often named variations of "spinstall0.aspx."
These scripts enable the extraction of MachineKey data through GET requests, which supports deeper compromise of the target systems. Microsoft has published indicators of compromise (IOCs) and threat-hunting queries to assist defenders in identifying such activities.
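As an added illustration, not part of the original article or of Microsoft's published hunting queries, the Python below scans a constructed IIS W3C log excerpt for the two request patterns described above (POST requests to a ToolPane.aspx URI and GET requests for spinstall-style .aspx files) and flags clients that show both. The /_layouts/15/ path, the field layout and the sample addresses are assumptions; legitimate web-part editing also POSTs to ToolPane.aspx, so a match is a triage lead, not confirmation of compromise.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real data); the #Fields header drives parsing.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 09:12:01 GET /_layouts/15/start.aspx - 203.0.113.7 200
2025-07-18 09:12:44 POST /_layouts/15/ToolPane.aspx - 198.51.100.23 200
2025-07-18 09:13:02 GET /_layouts/15/spinstall0.aspx - 198.51.100.23 200
2025-07-18 09:15:10 GET /_layouts/15/spinstall1.aspx - 192.0.2.9 404
2025-07-18 09:16:00 POST /_layouts/15/ToolPane.aspx - 198.51.100.23 200
"""

# The endpoint named in the advisory, and the "spinstall0.aspx" naming variants it mentions.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
SPINSTALL_RE = re.compile(r"/spinstall\w*\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def hunt(text):
    """Count ToolPane POSTs and spinstall GETs per client IP; 'chain' is True when both occur.

    A 404 on a spinstall GET is still counted: it may be a scanner probing for a
    shell that was never installed, which is worth a look on its own."""
    by_ip = defaultdict(lambda: {"toolpane_post": 0, "spinstall_get": 0})
    for rec in parse_w3c(text):
        ip, method, stem = rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]
        if method == "POST" and TOOLPANE_RE.search(stem):
            by_ip[ip]["toolpane_post"] += 1
        if method == "GET" and SPINSTALL_RE.search(stem):
            by_ip[ip]["spinstall_get"] += 1
    for f in by_ip.values():
        f["chain"] = f["toolpane_post"] > 0 and f["spinstall_get"] > 0
    return dict(by_ip)


if __name__ == "__main__":
    for ip, finding in hunt(SAMPLE_LOG).items():
        print(ip, finding)
```

Clients with "chain": True should be prioritised for review of the SharePoint web root for unexpected .aspx files and for rotation of the MachineKey the scripts are designed to read.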
Linen Typhoon, active since 2012, has previously targeted government and defense sectors for intellectual property theft. Violet Typhoon, active since 2015, focuses on espionage involving NGOs, media, and educational institutions. Storm-2603, a separate Chinese actor, has previously been linked to ransomware deployment, although its current motives remain unclear.
Microsoft continues to monitor the situation and urges administrators to respond quickly. It warns that delayed patching could leave systems vulnerable to expanding campaigns.
A security update released by Microsoft this month did not completely fix a serious flaw in its SharePoint server software, according to a timeline seen by Reuters. This left systems vulnerable to a major global cyber spying campaign.
On Tuesday, a Microsoft spokesperson admitted the original patch—based on a flaw discovered during a hacker competition in May—was ineffective.
However, the company said it has since released additional updates that fully address the problem.
It's still unknown who carried out the spying, which affected around 100 organizations.
The security flaw used in the attack was first discovered in May during a hacking competition in Berlin hosted by cybersecurity company Trend Micro. The event offered cash rewards for finding bugs in widely used software.
At the competition, a researcher from Viettel—a telecom company owned by Vietnam's military—found a bug in Microsoft SharePoint. He called it “ToolShell” and showed how it could be used to launch an attack.
Price Action: MSFT stock is down 0.64% at $502.05 at the last check on Wednesday.
© 2025 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.