
Chinese state-backed threat actors identified among the groups attacking Microsoft SharePoint servers.

Administrators are urged to install the security updates immediately as analysts warn that exploitation is intensifying.

Microsoft has identified threat actors affiliated with the Chinese government among those exploiting on-premises SharePoint servers.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, a signal that organizations need to remediate it now. Microsoft attributes the exploitation to three threat groups: Linen Typhoon and Violet Typhoon, both Chinese state-backed actors, and Storm-2603, which Microsoft assesses with medium confidence to be China-based.

These groups have primarily used the vulnerability for initial access and data theft, including the exfiltration of sensitive data and of the servers' ASP.NET machine keys. Microsoft is still investigating exploitation by other actors and warns that more attackers will fold the new vulnerabilities into their campaigns against unpatched on-premises SharePoint servers.

Known Tactics

Linen Typhoon

Active since 2012, Linen Typhoon has been observed exploiting internet-facing servers to steal intellectual property. They have a history of leveraging zero-day and known exploits for initial access and persistence. Targets include government, defense industries, and strategic planning organizations. They employ web shells and malware families like SysUpdate, HyperBro, and PlugX for lateral movement and data theft.

Violet Typhoon

Active since 2015, Violet Typhoon scans exposed web infrastructure for vulnerabilities, then uses web shells to gain persistent access. The group targets a broader range of sectors, including government and military officials, NGOs, higher education, digital and print media, financial firms, and healthcare organizations across the U.S., Europe, and East Asia.

Storm-2603

Storm-2603 has focused on exploiting the SharePoint vulnerability to steal the server's ASP.NET machine keys, the secrets SharePoint uses to sign and encrypt authentication tokens and ViewState. The group has previously deployed the Warlock and LockBit ransomware families, but Microsoft says it cannot yet confidently assess the group's objectives in this campaign. Stealing the keys suggests an aim of long-term access, since a server whose keys are known to the attacker can be re-entered even after the original bug is fixed, with further compromise or ransomware deployment to follow.

Common Techniques Observed

Attackers send specially crafted POST requests to the SharePoint ToolPane endpoint (ToolPane.aspx) that bypass authentication and lead to code execution. They then upload a malicious page such as spinstall0.aspx, which reads the server's ASP.NET machine keys and returns them to the attacker, and they rename the script slightly to evade detection that keys on the file name alone. Other common traits are persistent use of web shells to retain access and the targeting of internet-facing on-premises SharePoint servers that are unpatched or inadequately hardened.
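The techniques above translate directly into a log-based detection. The following is an added example, not code from the original article or from Microsoft: it scans IIS W3C log lines for the two observed steps, an unauthenticated POST to ToolPane.aspx and a subsequent request for a spinstall*.aspx page (covering the lightly renamed variants), and then correlates them per client address. The log lines are constructed for the example; the `/_layouts/15/` path, the `DisplayMode=Edit` query and the `SignOut.aspx` Referer are indicators reported publicly by Microsoft but not stated on this page, so treat them as assumptions here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed IIS W3C log excerpt for the example (not real traffic). The field
# layout is declared by the #Fields header, as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 02:11:09 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 - 200
2025-07-18 02:11:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-18 02:11:33 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 02:14:05 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 02:20:41 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 - 200
2025-07-18 02:25:12 10.0.0.5 POST /_layouts/15/toolpane.aspx DisplayMode=Edit 443 - 198.51.100.4 curl/8.0 - 200
"""


@dataclass(frozen=True)
class Alert:
    line_no: int      # 1-based line number within the log text
    client_ip: str
    rule: str
    uri: str


TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
# spinstall0.aspx plus renamed variants (spinstall.aspx, spinstall1.aspx, ...).
SPINSTALL_RE = re.compile(r"^spinstall.*\.aspx$", re.IGNORECASE)
# Referer reported for the campaign; an assumption relative to this page.
SIGNOUT_RE = re.compile(r"/_layouts/signout\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield (line_no, record) for each data line, keyed by the #Fields header."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield line_no, dict(zip(fields, values))


def scan_iis_log(text):
    """Return one Alert per rule that fires on a log line."""
    alerts = []
    for line_no, rec in parse_w3c(text):
        method = rec["cs-method"].upper()
        stem = rec["cs-uri-stem"]
        client = rec["c-ip"]
        filename = stem.rsplit("/", 1)[-1]
        is_toolpane_post = method == "POST" and TOOLPANE_RE.search(stem)

        # Authenticated editors legitimately POST to ToolPane.aspx, so require an
        # anonymous user. Status 200 excludes the anonymous 401 leg of an NTLM
        # challenge, which IIS also logs with cs-username "-".
        if is_toolpane_post and rec["cs-username"] == "-" and rec["sc-status"] == "200":
            alerts.append(Alert(line_no, client, "toolpane_unauth_post", stem))
        if is_toolpane_post and SIGNOUT_RE.search(rec["cs(Referer)"]):
            alerts.append(Alert(line_no, client, "toolpane_signout_referer", stem))
        if SPINSTALL_RE.match(filename):
            alerts.append(Alert(line_no, client, "spinstall_webshell_access", stem))
    return alerts


def summarize_by_client(alerts):
    """Map each client IP to the set of rule names it triggered."""
    by_client = defaultdict(set)
    for a in alerts:
        by_client[a.client_ip].add(a.rule)
    return dict(by_client)


def full_chain_clients(alerts):
    """Clients that both hit ToolPane anonymously and then fetched a spinstall page:
    the complete observed sequence, so the highest-confidence finding."""
    return sorted(ip for ip, rules in summarize_by_client(alerts).items()
                  if "toolpane_unauth_post" in rules
                  and "spinstall_webshell_access" in rules)


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print("full chain:", full_chain_clients(found))
```

The spinstall rule matches on a name prefix rather than the exact string, which is why the renamed spinstall1.aspx in the sample still fires; a name-based rule is still easy to sidestep, so treat any anonymous, successful POST to ToolPane.aspx as the primary signal and the file name as corroboration.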

Known Targets

| Threat Group | Known Targets |
|----------------|--------------------------------------------------------------------------------------------------|
| Linen Typhoon | Government bodies, defense industries, strategic planning organizations |
| Violet Typhoon | Government and military officials, NGOs, higher education, media, financial firms, healthcare |
| Storm-2603 | Organizations with vulnerable SharePoint servers; previously associated with ransomware campaigns |

Additional Context

These attacks began at least as early as July 7, 2025, and Microsoft expects continued exploitation by these and other threat actors on unpatched SharePoint systems. The attack campaign likely signals a prolonged and evolving effort to leverage SharePoint vulnerabilities for espionage, data theft, and ransomware deployment.

Microsoft and security researchers have published mitigations and detection guidance for these exploits, but stress that patching affected SharePoint servers is the urgent step. Because the attackers exfiltrate the servers' ASP.NET machine keys, applying the update is not sufficient on its own: Microsoft's guidance also calls for rotating the SharePoint machine keys and restarting IIS after patching, since a server that keeps its stolen keys remains open to forged requests even once the vulnerable code path is fixed. The campaign also sharpens a question for CISOs, who need a clearer grasp of the risk calculus of their technology stacks when an internet-facing, on-premises component like SharePoint is under active attack. The attacks have compromised dozens of organizations worldwide, including several governments and companies across industries, and Rapid7 has observed active exploitation of the SharePoint vulnerabilities in customer environments.

  1. CISA's addition of CVE-2025-53770 to its Known Exploited Vulnerabilities catalog underscores the need to remediate it now, given exploitation by known threat groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
  2. Microsoft warns that other threat actors will also integrate the new SharePoint vulnerability into their attacks, so affected on-premises SharePoint servers should be patched, and their machine keys rotated, without delay.
  3. The campaign highlights the evolving role of Chief Information Security Officers (CISOs), who need to better understand the risk calculus of their technology stacks, as the ongoing SharePoint exploitation shows the potential for espionage, data theft, and ransomware deployment.
