{"id":351492,"date":"2025-07-22T11:55:54","date_gmt":"2025-07-22T18:55:54","guid":{"rendered":"https:\/\/msftnewsnow.com\/?p=351492"},"modified":"2025-07-25T12:47:13","modified_gmt":"2025-07-25T16:47:13","slug":"chinese-hackers-exploit-sharepoint-vulnerabilities","status":"publish","type":"post","link":"https:\/\/msftnewsnow.com\/chinese-hackers-exploit-sharepoint-vulnerabilities\/","title":{"rendered":"Microsoft Says Chinese State Actors Exploit New SharePoint Vulnerabilities: CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771, Immediate Security Updates Required"},"content":{"rendered":"<div class=\"relative\">\n<div class=\"prose text-pretty dark:prose-invert inline leading-normal break-words min-w-0 [word-break:break-word]\">\n<p class=\"my-0\">Microsoft has sounded the alarm after discovering ongoing, active exploitation of multiple critical SharePoint vulnerabilities in <strong>on-premises SharePoint Server deployments<\/strong>. The <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">Microsoft Security Response Center (MSRC) blog<\/a> published on July 19, 2025, reveals that Chinese nation-state actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, are targeting CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771 to compromise unpatched SharePoint servers exposed to the internet.<\/p>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>What\u2019s at Stake?<\/strong><\/h2>\n<p><a href=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&lossy=1&quality=88&sharp=1&w=2560&ssl=1\"><img decoding=\"async\" data-attachment-id=\"351526\" 
data-permalink=\"https:\/\/msftnewsnow.com\/chinese-hackers-exploit-sharepoint-vulnerabilities\/sharepoint-vulnerabilities-809x455\/#main\" data-orig-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" data-orig-size=\"809,455\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"SharePoint-vulnerabilities-809&#215;455\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" data-large-file=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" class=\"alignnone size-full wp-image-351526\" src=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&lossy=1&quality=88&sharp=1&ssl=1\" alt=\"Chinese State Actors Exploit New SharePoint Vulnerabilities: CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771, Microsoft Urges Immediate Security Updates\" width=\"809\" height=\"455\" srcset=\"https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;ssl=1 809w, 
https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1-150x84.webp?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;ssl=1 150w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=323&amp;ssl=1 323w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=485&amp;ssl=1 485w, https:\/\/e7drz69p964.exactdn.com\/wp-content\/uploads\/2025\/07\/SharePoint-vulnerabilities-809x455-1.webp?strip=all&amp;lossy=1&amp;quality=88&amp;sharp=1&amp;w=647&amp;ssl=1 647w\" sizes=\"(max-width: 809px) 100vw, 809px\" \/><\/a><\/p>\n<p class=\"my-0\">These critical flaws affect <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">on-premises Microsoft SharePoint Servers, including Subscription Edition, 2019, and 2016 versions<\/a>\u2014but crucially <strong>do not impact SharePoint Online<\/strong> in Microsoft 365. 
They enable attackers to bypass authentication, gain remote code execution, and deploy persistent backdoors, threatening highly sensitive business data and organizational security.<\/p>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>SharePoint Vulnerabilities Under Active Attack<\/strong><\/h2>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong><a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">CVE-2025-53770<\/a>:<\/strong> Authentication bypass and remote code execution (RCE) <a href=\"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/\" target=\"_blank\" rel=\"noopener\">via the SharePoint ToolShell endpoint<\/a>.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>CVE-2025-49706:<\/strong> Previously disclosed post-auth RCE, now exploited in new attack chains.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>CVE-2025-49704:<\/strong> RCE, actively paired with the above by nation-state actors.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53771\" target=\"_blank\" rel=\"noopener\">CVE-2025-53771<\/a>:<\/strong> Path traversal security bypass connected to <a href=\"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/\" target=\"_blank\" rel=\"noopener\">ToolShell exploits<\/a>.<\/p>\n<\/li>\n<\/ul>\n<p class=\"my-0\">Microsoft security teams <strong>strongly advise<\/strong> all SharePoint Server customers to install the latest security updates for their respective versions immediately:<\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108285\" 
target=\"_blank\" rel=\"nofollow noopener\">KB5002768 \u2013 SharePoint Server Subscription Edition<\/a><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>SharePoint Server 2019:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108286\" target=\"_blank\" rel=\"noopener\">KB5002754 \u2013 Core Security Update<\/a><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108287\" target=\"_blank\" rel=\"noopener\">KB5002753 \u2013 Language Pack Update<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>SharePoint Server 2016:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108288\" target=\"_blank\" rel=\"noopener\">KB5002760 \u2013 Core Security Update<\/a><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108289\" target=\"_blank\" rel=\"noopener\">KB5002759 \u2013 Language Pack Update<\/a><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>How Are Hackers Exploiting These Vulnerabilities?<\/strong><\/h2>\n<p class=\"my-0\">Microsoft observed hackers conducting reconnaissance and exploitation through POST requests to 
the vulnerable SharePoint \u201cToolPane\u201d endpoint. After bypassing authentication and achieving RCE, threat actors deploy a malicious <strong>web shell<\/strong> (commonly named <code>spinstall0.aspx<\/code> or variants like <code>spinstall1.aspx<\/code>). This web shell allows attackers to automate further attacks, steal sensitive ASP.NET MachineKey data, and persist access.<\/p>\n<p class=\"my-0\"><strong>Technical Indicators of Compromise:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><strong>Files:<\/strong> <code>spinstall0.aspx<\/code>, <code>spinstall1.aspx<\/code>, etc.; <code>debug_dev.js<\/code><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Hashes &amp; URLs:<\/strong> SHA-256 example: <code>92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514<\/code>; <code>c34718cbb4c6.ngrok-free[.]app\/file.ps1<\/code><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Command and Control IPs:<\/strong> <code>131.226.2.6<\/code>, <code>134.199.202.205<\/code>, <code>104.238.159.149<\/code>, <code>188.130.206.168<\/code><\/p>\n<\/li>\n<\/ul>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Confirmed Chinese Threat Actors and Their Tactics<\/strong><\/h2>\n<ol>\n<li class=\"my-0\"><strong>Linen Typhoon<\/strong> (active since 2012): Targets government, defense, and human rights organizations, typically using drive-by exploits and web shells to steal intellectual property.<\/li>\n<li class=\"my-0\"><strong>Violet Typhoon<\/strong> (active since 2015): Focuses on espionage targeting NGOs, media, financial, and health sectors. Persistent vulnerability scanning and web shell deployment after initial access are its hallmarks.<\/li>\n<li class=\"my-0\"><strong>Storm-2603:<\/strong> A newer, still-unattributed Chinese threat group, previously linked to Warlock and Lockbit ransomware. 
Leveraging these SharePoint vulnerabilities, Storm-2603 prioritizes theft of MachineKey data, granting broad access to enterprise server communications and stored credentials.<\/li>\n<\/ol>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Defense &amp; Mitigation Steps<\/strong><\/h2>\n<p class=\"my-0\">Microsoft recommends the following for maximum protection:<\/p>\n<ol class=\"marker:text-textOff list-decimal\">\n<li>\n<p class=\"my-0\"><strong>Patch Immediately:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Use the official MSRC links above to download and apply security updates for all supported, on-premises SharePoint Server installations (2016, 2019, Subscription Edition).<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Enable and Configure Antimalware Scan Interface (AMSI):<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Make sure <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/learn.microsoft.com\/windows\/win32\/amsi\/antimalware-scan-interface-portal\" target=\"_blank\" rel=\"noopener\">AMSI<\/a> is enabled and running in <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/security-for-sharepoint-server\/configure-amsi-integration#configure-amsi-via-user-interface\" target=\"_blank\" rel=\"noopener\">Full Mode<\/a> for all servers.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">If you cannot use AMSI, disconnect the server from the internet or protect it with authenticated VPN\/proxy services.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Deploy Microsoft Defender Antivirus\/Defender for Endpoint:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p 
class=\"my-0\">Ensure <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/microsoft-defender-antivirus-on-windows-server\" target=\"_blank\" rel=\"noopener\">Microsoft Defender Antivirus<\/a> is running. Defender for Endpoint can detect, block, and investigate malicious post-exploit activity.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p class=\"my-0\"><strong>Rotate ASP.NET Machine Keys and Restart IIS:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">After patching, use the <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/learn.microsoft.com\/sharepoint\/security-for-sharepoint-server\/improved-asp-net-view-state-security-key-management\" target=\"_blank\" rel=\"noopener\">Set-SPMachineKey cmdlet<\/a> (or Central Admin job) to rotate crypto keys and complete the process with an IIS reset.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p class=\"my-0\"><strong>Further:<\/strong><\/p>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\">Regularly review your server and application logs for POST requests to ToolPane and the creation or access of suspicious ASPX files.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Hunt for the provided indicators using <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/security-copilot-in-microsoft-365-defender\" target=\"_blank\" rel=\"noopener\">Defender XDR<\/a>, Sentinel, or your SIEM solution.<\/p>\n<\/li>\n<li>\n<p class=\"my-0\">Refer to <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" 
href=\"https:\/\/attack.mitre.org\/\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s MITRE ATT&amp;CK mapping<\/a> for updated detection of relevant tactics, including exploitation of public-facing applications, web shell persistence, and PowerShell execution.<\/p>\n<\/li>\n<\/ul>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>SharePoint Online Not Affected<\/strong><\/h2>\n<p class=\"my-0\">This campaign currently <strong>does NOT impact SharePoint Online<\/strong> or Microsoft 365 customers, reinforcing the security advantage of moving critical workloads to the cloud where zero-day patches and proactive defense are quicker and centrally managed.<\/p>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Why This Matters<\/strong><\/h2>\n<p class=\"my-0\">Microsoft assesses with high confidence that threat actors will rapidly incorporate these exploits into broad attack campaigns against all unpatched, internet-facing SharePoint servers. 
Delaying patch application puts organizations at urgent risk\u2014especially as proof-of-concept exploit code is now public and threat actor activity is accelerating.<\/p>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 dark:font-[475]\"><strong>Resources and Help<\/strong><\/h2>\n<ul class=\"marker:text-textOff list-disc\">\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s Official Security Blog on the Exploitation<\/a><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">Active Exploitation Disruption Overview<\/a><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-53770\" target=\"_blank\" rel=\"noopener\">MSRC CVE-2025-53770 Guidance<\/a><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/#indicators-of-compromise\" target=\"_blank\" rel=\"noopener\">Indicators of Compromise &amp; Threat Hunting Queries<\/a><\/p>\n<\/li>\n<li>\n<p class=\"my-0\"><a class=\"break-word hover:text-super 
hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-sentinel-blog\/web-shell-threat-hunting-with-azure-sentinel\/ba-p\/2234968\" target=\"_blank\" rel=\"noopener\">Web Shell Threat Hunting with Sentinel<\/a><\/p>\n<\/li>\n<\/ul>\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Product<\/strong><\/td>\n<td><strong>Security update link<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Microsoft SharePoint Server Subscription Edition<\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108285\" target=\"_blank\" rel=\"noopener\">Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center<\/a><\/td>\n<\/tr>\n<tr>\n<td>Microsoft SharePoint Server 2019\u00a0<em>(both updates should be installed)<\/em><\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108286\" target=\"_blank\" rel=\"noopener\">Download Security Update for Microsoft SharePoint 2019 (KB5002754) from Official Microsoft Download Center<\/a><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108287\" target=\"_blank\" rel=\"noopener\">Security Update for Microsoft SharePoint Server 2019 Language Pack (KB5002753)<\/a><\/td>\n<\/tr>\n<tr>\n<td>Microsoft SharePoint Server 2016\u00a0<em>(both updates should be installed)<\/em><\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108288\" target=\"_blank\" rel=\"noopener\">Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760)<\/a><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=108289\" target=\"_blank\" rel=\"noopener\">Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759)<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 class=\"mb-xs mt-5 text-base font-[500] first:mt-0 
dark:font-[475]\"><strong>Stay Updated On Any Other SharePoint Vulnerabilities<\/strong><\/h2>\n<p class=\"my-0\">For ongoing information, monitor official Microsoft Threat Intelligence <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\" target=\"_blank\" rel=\"noopener\">LinkedIn<\/a>, <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/x.com\/MsftSecIntel\" target=\"_blank\" rel=\"noopener\">X (formerly Twitter)<\/a>, and <a class=\"break-word hover:text-super hover:decoration-super underline decoration-from-font underline-offset-1 transition-all duration-300\" href=\"https:\/\/msftnewsnow.com\/\" target=\"_blank\" rel=\"nofollow noopener\">msftnewsnow.com<\/a> for future coverage and expert analysis\u2014<a href=\"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/\" target=\"_blank\" rel=\"noopener\">including past reports on SharePoint security incidents<\/a> and how Microsoft\u2019s best practices can minimize risk in hybrid cloud environments.<\/p>\n<p class=\"my-0\"><strong>If your organization relies on on-premises SharePoint: patch immediately, audit for signs of compromise, and improve monitoring of suspicious activity. The window for a safe response is closing fast.<\/strong><\/p>\n<p class=\"my-0\"><em>Reporting by <a href=\"https:\/\/msftnewsnow.com\/\" target=\"_blank\" rel=\"noopener\">msftnewsnow.com<\/a>. For continuing Microsoft security news, updates, and guides, follow us on the regular.<\/em><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has sounded the alarm after discovering ongoing, active exploitation of multiple critical SharePoint vulnerabilities in on-premises SharePoint Server deployments. 
The Microsoft Security Response Center (MSRC) blog published on July 19, 2025, reveals that Chinese nation-state actors, including Linen Typhoon, Violet Typhoon, and Storm-2603, are targeting CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771 to compromise unpatched SharePoint &#8230; <a title=\"Microsoft Says Chinese State Actors Exploit New SharePoint Vulnerabilities: CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771, Immediate Security Updates Required\" class=\"read-more\" href=\"https:\/\/msftnewsnow.com\/chinese-hackers-exploit-sharepoint-vulnerabilities\/\" aria-label=\"Read more about Microsoft Says Chinese State Actors Exploit New SharePoint Vulnerabilities: CVE-2025-53770, CVE-2025-49704, CVE-2025-49706, and CVE-2025-53771, Immediate Security Updates Required\">Read more<\/a><\/p>\n","protected":false},"author":208461344,"featured_media":20123,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"enabled":false},"version":2}},"categories":[24,2448],"tags":[1348,40,829,475,778,668,1133,2181,1340,1083,1188,1530,275],"class_list":["post-351492","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-microsoft-365-and-office","tag-authentication","tag-azure","tag-copilot","tag-linkedin","tag-microsoft","tag-microsoft-365","tag-microsoft-defender","tag-microsoft-security","tag-powershell","tag-security","tag-sharepoint","tag-twitter","tag-windows"],"jetpack_pu
blicize_connections":[],"jetpack_featured_media_url":"https:\/\/msftnewsnow.com\/wp-content\/uploads\/2024\/07\/png-transparent-microsoft-sharepoint-server-microsoft-project-web-part-document-share-blue-text-trademark.png","jetpack_shortlink":"https:\/\/wp.me\/pfgCZY-1tre","jetpack-related-posts":[{"id":352714,"url":"https:\/\/msftnewsnow.com\/sharepoint-zero-day-attacks-surge-over-400-orgshit\/","url_meta":{"origin":351492,"position":0},"title":"SharePoint Zero-Day Attacks Surge: Over 400 Organizations Breached Amid Critical Microsoft Vulnerabilities","author":"Dave W. Shanahan","date":"July 24, 2025","format":false,"excerpt":"A wave of cyberattacks linked to Chinese-backed threat actors is sweeping across global enterprises, exploiting multiple zero-day vulnerabilities in Microsoft SharePoint. These coordinated attacks\u2014leveraging CVE-2025-49704, CVE-2025-49706, and newly identified patch bypasses CVE-2025-53770 and CVE-2025-53771\u2014are fueling both ransomware outbreaks and strategic espionage campaigns. 
At least 400 organizations have been breached as\u2026","rel":"","context":"In &quot;News&quot;","block_context":{"text":"News","link":"https:\/\/msftnewsnow.com\/news\/"},"img":{"alt_text":"SharePoint Zero-Day Attacks Surge: Over 400 Organizations Breached Amid Critical Microsoft Vulnerabilities","src":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/image.jpeg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/image.jpeg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/image.jpeg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/image.jpeg?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":351573,"url":"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-hacks-us-nuclear-set\/","url_meta":{"origin":351492,"position":1},"title":"Microsoft SharePoint Zero-Day Exploit Exposes U.S. National Nuclear Security Administration (NNSA)","author":"Dave W. Shanahan","date":"July 23, 2025","format":false,"excerpt":"A severe zero-day vulnerability in Microsoft SharePoint Server has triggered a cybersecurity crisis, culminating in breaches of over 50 organizations, including the U.S. National Nuclear Security Administration (NNSA) \u2014 the agency responsible for America\u2019s nuclear arsenal security. As reported by Bloomberg, Microsoft and federal authorities confirm that the exploit has\u2026","rel":"","context":"In &quot;News&quot;","block_context":{"text":"News","link":"https:\/\/msftnewsnow.com\/news\/"},"img":{"alt_text":"Microsoft SharePoint Zero-Day Exploit Exposes U.S. 
National Nuclear Security Administration (NNSA)","src":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/download.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/download.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/download.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/download.jpg?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":350079,"url":"https:\/\/msftnewsnow.com\/july-2025-microsoft-patch-tuesday-vulnerabilities\/","url_meta":{"origin":351492,"position":2},"title":"July 2025 Microsoft Patch Tuesday: 137 Vulnerabilities Fixed, One Zero-Day in SQL Server, Critical Office and AMD Flaws","author":"Dave W. Shanahan","date":"July 8, 2025","format":false,"excerpt":"Microsoft has released its July 2025 Patch Tuesday security updates, addressing a sweeping total of 137 vulnerabilities across its product portfolio. 
This month\u2019s Microsoft Patch Tuesday cycle is headlined by a publicly disclosed zero-day vulnerability in Microsoft SQL Server, alongside a host of critical flaws in Microsoft Office, SharePoint, and\u2026","rel":"","context":"In &quot;News&quot;","block_context":{"text":"News","link":"https:\/\/msftnewsnow.com\/news\/"},"img":{"alt_text":"July 2025 Microsoft Patch Tuesday: 137 Vulnerabilities Fixed, One Zero-Day in SQL Server, Critical Office and AMD Flaws","src":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/avdd8ckrtwd25gzo2tnu-scaled.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/avdd8ckrtwd25gzo2tnu-scaled.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/avdd8ckrtwd25gzo2tnu-scaled.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/avdd8ckrtwd25gzo2tnu-scaled.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/avdd8ckrtwd25gzo2tnu-scaled.jpg?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":351371,"url":"https:\/\/msftnewsnow.com\/microsoft-sharepoint-zero-day-attack-toolshell\/","url_meta":{"origin":351492,"position":3},"title":"Critical Microsoft SharePoint Zero-Day Attack CVE-2025-53770 Exposes On-Premises Servers, Emergency Guidance Issued","author":"Dave W. Shanahan","date":"July 20, 2025","format":false,"excerpt":"Microsoft has confirmed a major zero-day vulnerability is being actively exploited in on-premises SharePoint Server, with no patch currently available for most affected versions. Dubbed CVE-2025-53770\u2014nicknamed \u201cToolShell\u201d by researchers\u2014the Microsoft SharePoint flaw enables unauthenticated attackers to take full control of targeted SharePoint servers. 
As of July 20, 2025, the attacks\u2026","rel":"","context":"In &quot;News&quot;","block_context":{"text":"News","link":"https:\/\/msftnewsnow.com\/news\/"},"img":{"alt_text":"Critical Microsoft SharePoint Zero-Day Attack Exposes On-Premises Servers: Emergency Guidance Issued","src":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/24e12846-443b-4210-a446-e47d0e59ecba-scaled.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/24e12846-443b-4210-a446-e47d0e59ecba-scaled.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/24e12846-443b-4210-a446-e47d0e59ecba-scaled.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/24e12846-443b-4210-a446-e47d0e59ecba-scaled.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/07\/24e12846-443b-4210-a446-e47d0e59ecba-scaled.jpg?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":341923,"url":"https:\/\/msftnewsnow.com\/microsofts-may-2025-patch-tuesday-five-zero-days\/","url_meta":{"origin":351492,"position":4},"title":"Microsoft\u2019s May 2025 Patch Tuesday: Five New Zero-Days Exploited, 72 Flaws Patched: What You Need to Know","author":"Dave W. Shanahan","date":"May 14, 2025","format":false,"excerpt":"Yesterday, Microsoft released its latest Patch Tuesday security updates, addressing a total of 72 vulnerabilities across its product portfolio-including Windows, Office, Azure, and more. 
This month\u2019s update is especially urgent, as it patches five zero-day vulnerabilities already being exploited in the wild and two additional flaws that were publicly disclosed\u2026","rel":"","context":"In &quot;News&quot;","block_context":{"text":"News","link":"https:\/\/msftnewsnow.com\/news\/"},"img":{"alt_text":"Microsoft\u2019s May 2025 Patch Tuesday: Five New Zero-Days Exploited, 72 Flaws Patched: What You Need to Know","src":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/05\/download-10.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/05\/download-10.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/05\/download-10.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/05\/download-10.jpg?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":347001,"url":"https:\/\/msftnewsnow.com\/microsoft-patch-tuesday-june-2025-65-security-fix\/","url_meta":{"origin":351492,"position":5},"title":"Microsoft Patch Tuesday June 2025: 65+ Security Vulnerabilities Patched, Zero-Day Exploit Fixed","author":"Dave W. Shanahan","date":"June 11, 2025","format":false,"excerpt":"Microsoft\u2019s June 2025 Patch Tuesday has arrived, delivering urgent security fixes for a broad range of its products. The company addressed more than 65 vulnerabilities, including a zero-day exploit that was being actively used in cyber espionage campaigns. 
This month\u2019s updates are critical for both enterprise and individual users, reinforcing\u2026","rel":"","context":"In &quot;News&quot;","block_context":{"text":"News","link":"https:\/\/msftnewsnow.com\/news\/"},"img":{"alt_text":"Microsoft Patch Tuesday June 2025: 65+ Security Vulnerabilities Patched, Zero-Day Exploit Fixed","src":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/06\/xelmjbjubehnaogdqaxe-scaled.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/06\/xelmjbjubehnaogdqaxe-scaled.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/06\/xelmjbjubehnaogdqaxe-scaled.jpg?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/06\/xelmjbjubehnaogdqaxe-scaled.jpg?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/msftnewsnow.com\/wp-content\/uploads\/2025\/06\/xelmjbjubehnaogdqaxe-scaled.jpg?resize=1050%2C600&ssl=1 
3x"},"classes":[]}],"jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/posts\/351492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/users\/208461344"}],"replies":[{"embeddable":true,"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/comments?post=351492"}],"version-history":[{"count":0,"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/posts\/351492\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/media\/20123"}],"wp:attachment":[{"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/media?parent=351492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/categories?post=351492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/msftnewsnow.com\/wp-json\/wp\/v2\/tags?post=351492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}