Three separate Chinese threat groups are exploiting a set of recently disclosed vulnerabilities in on-premises Microsoft SharePoint installations, and Microsoft and CISA are urging companies that haven’t yet updated their installations to do so as quickly as possible. 

Microsoft first published information about the two flaws (CVE-2025-53770 and CVE-2025-53771) on July 19 after seeing active exploitation of two older SharePoint bugs. The newer CVEs are essentially bypasses of the original patches, and they allow attackers to gain remote code execution on vulnerable SharePoint servers. Microsoft said that in some instances, one of the Chinese threat actors is deploying the Warlock ransomware after successfully compromising a target SharePoint server.

The threat actors targeting the vulnerabilities include Storm-2603, Linen Typhoon, and Violet Typhoon, all of which are China-aligned attack groups. Storm-2603 specifically has exploited the SharePoint flaws to deliver an initial payload called spinstall0.aspx and then proceed from there.

“This initial access is used to conduct command execution using the w3wp.exe process that supports SharePoint. Storm-2603 then initiates a series of discovery commands, including whoami, to enumerate user context and validate privilege levels. The use of cmd.exe and batch scripts is also observed as the actor transitions into broader execution phases. Notably, services.exe is abused to disable Microsoft Defender protections through direct registry modifications,” Microsoft’s researchers said.

The spinstall0.aspx webshell gives the attackers persistence; from there they target user credentials and move laterally using PsExec and the Impacket toolkit.
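As an added illustration of the post-exploitation behaviours described above (not code from the article or from Microsoft), the following Python snippet flags those patterns in constructed Sysmon-style process and registry events: the SharePoint worker process w3wp.exe spawning cmd.exe or whoami, any command line referencing spinstall0.aspx, and services.exe writing Defender policy keys. The file path used for spinstall0.aspx and the specific registry key are assumptions, not details from the article.

```python
import ntpath

# Constructed Sysmon-style telemetry for illustration; none of these are real logs.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     # Destination path is constructed; the article does not give the webshell's location.
     "cmdline": r"cmd.exe /c copy C:\temp\x.aspx C:\constructed\LAYOUTS\spinstall0.aspx"},
    {"type": "registry", "image": r"C:\Windows\System32\services.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender", "value": "DisableAntiSpyware"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},  # admin at console: no alert
    {"type": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "w3wp.exe -ap SharePoint"},
]

SHELLS = {"cmd.exe", "powershell.exe", "whoami.exe"}


def base(path):
    """Lower-case file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of the ToolShell-style behaviours an event matches."""
    hits = []
    if event["type"] == "process":
        cmd = event["cmdline"].lower()
        # Command execution launched from the SharePoint worker process (w3wp.exe).
        if base(event["parent"]) == "w3wp.exe" and (base(event["image"]) in SHELLS or ".bat" in cmd):
            hits.append("w3wp_spawns_shell")
        # Any reference to the spinstall0.aspx webshell on the command line.
        if "spinstall0.aspx" in cmd:
            hits.append("spinstall0_webshell")
    elif event["type"] == "registry":
        # Defender policy keys written by services.exe, which should never touch them.
        if base(event["image"]) == "services.exe" and "windows defender" in event["key"].lower():
            hits.append("defender_registry_tamper")
    return hits


def detect(events):
    """Map each event index to its matched behaviours, skipping clean events."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, hits in detect(SAMPLE_EVENTS).items():
        print(idx, hits)
```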

The exploit chain used in these attacks is known as ToolShell, and researchers at Eye Security, the Dutch company that first observed the SharePoint exploitation, said they have seen more than 400 individual organizations compromised in four discrete waves of attacks. Censys researchers found more than 9,700 SharePoint servers online, though it’s not known how many of those are running vulnerable versions. 
