Microsoft has disclosed an ongoing wave of cyberattacks targeting on-premises SharePoint servers, attributing the campaign to multiple Chinese nation-state threat actors. The company’s cybersecurity team observed exploitation of newly disclosed spoofing and remote code execution (RCE) vulnerabilities, tracked as CVE-2025-49706 and CVE-2025-49704. These vulnerabilities do not affect SharePoint Online, which is hosted via Microsoft 365.
According to Microsoft’s threat intelligence division, the actors have been actively leveraging these exploits since early July, with increasing frequency in recent days. This activity is part of what Microsoft describes as a broader pattern of Chinese cyber operations aimed at espionage and theft of sensitive information.
Exploitation by Chinese threat groups
Microsoft has specifically named three China-linked actors: Linen Typhoon, Violet Typhoon, and a third group tracked as Storm-2603. These actors are using the SharePoint vulnerabilities to gain initial access to vulnerable, internet-facing SharePoint servers. Once inside, attackers are deploying web shells — particularly variants of spinstall0.aspx — to maintain persistence and steal server machine keys.
Linen Typhoon has reportedly been conducting cyber espionage since 2012, targeting sectors such as defense, government, and human rights. Violet Typhoon has a history of exploiting internet-facing infrastructure across regions, including the United States and East Asia. Storm-2603, while less well-known, has previously been associated with ransomware deployments.
Microsoft’s analysis indicates that exploitation tactics include sending POST requests to specific SharePoint endpoints, deploying encoded PowerShell scripts, and using stolen machine keys to maintain access.
Microsoft issues urgent mitigation guidance
To counter these attacks, Microsoft has released security updates for SharePoint Server Subscription Edition, 2019, and 2016. The company urges immediate patching and recommends rotating ASP.NET machine keys, restarting IIS services, and enabling Antimalware Scan Interface (AMSI) in full mode.
In cases where AMSI cannot be enabled, Microsoft suggests disconnecting affected servers from the internet or restricting access through authenticated gateways.
Microsoft also advises the deployment of Microsoft Defender for Endpoint and Microsoft Sentinel for extended detection and response, as well as hunting queries to detect related activity.
Broader implications and attribution
This disclosure comes amid rising global concerns over the role of Chinese state actors in cyber operations targeting critical infrastructure. While Microsoft has not formally linked Storm-2603 to existing state-backed groups, the tactics used align with broader Chinese cyberespionage strategies.
The company’s response reflects growing pressure on software vendors to act swiftly in disclosing and mitigating zero-day vulnerabilities. The case also underscores the ongoing risks faced by organisations running legacy or unpatched systems, particularly those exposed to the internet.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
