Chinese state-backed nation-state actors have been identified among the malicious actors attacking Microsoft's SharePoint platform.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, signaling the urgent need for organizations to address this issue. This vulnerability has been exploited by three Chinese government-backed threat groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
These groups have primarily used the vulnerability for initial access and data theft, including the stealing of sensitive data and machine keys. Microsoft is still investigating exploitation by other threat actors and warns that more hackers will integrate the new vulnerabilities into their attacks on unpatched on-premises SharePoint servers.
Known Tactics
Linen Typhoon
Active since 2012, Linen Typhoon has been observed exploiting internet-facing servers to steal intellectual property. They have a history of leveraging zero-day and known exploits for initial access and persistence. Targets include government, defense industries, and strategic planning organizations. They employ web shells and malware families like SysUpdate, HyperBro, and PlugX for lateral movement and data theft.
Violet Typhoon
Active since 2015, Violet Typhoon scans exposed web infrastructure for vulnerabilities, then uses web shells to gain persistent access. The group targets a broader range of sectors, including government and military officials, NGOs, higher education, digital and print media, financial firms, and healthcare organizations across the U.S., Europe, and East Asia.
Storm-2603
Storm-2603 has focused on exploiting the SharePoint vulnerability to steal machine cryptographic keys, which are critical for authentication and system security. This group has previously deployed ransomware families like Warlock and LockBit, but its current goals with this exploitation remain less clear. The theft of cryptographic keys suggests an aim of long-term access and further compromise or ransomware deployment.
Common Techniques Observed
Attackers have been sending specially crafted POST requests to the SharePoint ToolPane endpoint to bypass authentication. They have also uploaded malicious scripts such as spinstall0.aspx to steal machine keys, renaming these scripts slightly to evade detection. Other common techniques are the persistent use of web shells to maintain access and the targeting of internet-facing on-premises SharePoint servers that are unpatched or inadequately secured.
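As an added example (not code from the article or from Microsoft), the following script scans IIS W3C log lines for the two activities named above: a successful POST to the ToolPane endpoint and requests for spinstall0.aspx or a slightly renamed variant. The log lines and the field layout are constructed for illustration, and the `spinstall\w*` pattern is an assumed heuristic for the renamed variants.

```python
"""Flag IIS log entries matching the SharePoint ToolPane / spinstall0.aspx activity."""
import re
from typing import Iterable

# IIS URL paths are case-insensitive, so match them that way.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
# spinstall0.aspx plus slightly renamed variants (assumed heuristic, e.g. spinstall1.aspx).
SPINSTALL_RE = re.compile(r"/spinstall\w*\.aspx$", re.IGNORECASE)

# Constructed sample log in IIS W3C format; the IPs are documentation/private ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-19 02:11:04 GET /_layouts/15/start.aspx 10.0.0.5 200
2025-07-19 02:11:09 POST /_layouts/15/ToolPane.aspx 203.0.113.7 200
2025-07-19 02:11:10 GET /_layouts/15/spinstall0.aspx 203.0.113.7 200
2025-07-19 02:11:12 GET /_layouts/15/spinstall1.aspx 203.0.113.7 200
2025-07-19 02:12:30 POST /_layouts/15/ToolPane.aspx 192.168.1.20 401
"""


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per log entry, naming columns from the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_toolshell_indicators(lines):
    """Return (time, client ip, reason) for entries that match the observed activity:
    a POST to ToolPane.aspx answered with a 2xx status, or any request for spinstall*.aspx.
    A rejected (401) POST is not flagged, since that is the expected response."""
    hits = []
    for e in parse_w3c(lines):
        stem, status = e.get("cs-uri-stem", ""), e.get("sc-status", "")
        if e.get("cs-method") == "POST" and TOOLPANE_RE.search(stem) and status.startswith("2"):
            hits.append((e["time"], e["c-ip"], "POST to ToolPane.aspx succeeded"))
        elif SPINSTALL_RE.search(stem):
            hits.append((e["time"], e["c-ip"], f"request for web shell {stem.rsplit('/', 1)[-1]}"))
    return hits


if __name__ == "__main__":
    for hit in find_toolshell_indicators(SAMPLE_LOG.splitlines()):
        print(*hit)
```

On a real server, point the scanner at the site's IIS log directory and treat any hit as a trigger for the machine-key rotation and web shell hunt that Microsoft's guidance calls for.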
Known Targets
| Threat Group | Known Targets |
|----------------|--------------------------------------------------------------------------------------------------|
| Linen Typhoon | Government bodies, defense industries, strategic planning organizations |
| Violet Typhoon | Government and military officials, NGOs, higher education, media, financial firms, healthcare |
| Storm-2603 | Organizations with vulnerable SharePoint servers; previously associated with ransomware campaigns |
Additional Context
These attacks began at least as early as July 7, 2025, and Microsoft expects continued exploitation by these and other threat actors on unpatched SharePoint systems. The attack campaign likely signals a prolonged and evolving effort to leverage SharePoint vulnerabilities for espionage, data theft, and ransomware deployment.
Microsoft and security researchers have provided mitigations and detection tools to defend against these exploits, but they stress the urgency of patching affected SharePoint servers to prevent compromise. The article also discusses the evolving role of CISOs, focusing on their need to better understand the risk calculus of their technology stacks in light of the ongoing SharePoint vulnerability exploitation. The attacks have compromised dozens of organizations worldwide, including several governments and companies in various industries. Rapid7 has observed active exploitation of the SharePoint vulnerabilities in customer environments.