
Microsoft Attributes Ongoing SharePoint Exploits to Three Chinese Hacking Groups

Microsoft has attributed the ongoing exploitation of on-premises SharePoint Server instances to three China-based threat actors: Linen Typhoon, Violet Typhoon, and a third group it tracks as Storm-2603. The attribution follows Microsoft's investigation of exploitation attempts it first observed on July 7, 2025.

The three groups have been exploiting specific SharePoint vulnerabilities to gain unauthorized access to target systems. Microsoft assesses with high confidence that these actors will keep using the flaws against unpatched, on-premises SharePoint servers.

Overview of the Threat Actors

  • Linen Typhoon (also tracked as APT27) has been active since 2012 and is known for malware families such as SysUpdate and PlugX.
  • Violet Typhoon (APT31) has been active since 2015, with targets in countries including the US and Czechia.
  • Storm-2603 has deployed several ransomware families in earlier attacks.

The vulnerabilities being exploited are CVE-2025-53770, a remote code execution flaw, and CVE-2025-53771, a spoofing/authentication bypass flaw. They are variants of two bugs Microsoft had already patched in July 2025, CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing): the original fixes were incomplete, so the bypasses received their own CVE identifiers. The new CVEs name the vulnerabilities, not the exploit code.

In the attacks observed, the actors send a crafted POST request to the ToolPane.aspx endpoint under /_layouts/ with a Referer header pointing at SignOut.aspx. That request bypasses authentication and leads to remote code execution on the server. The attackers then drop an ASPX web shell that reads the server's ASP.NET MachineKey configuration (ValidationKey and DecryptionKey). With those keys an attacker can forge signed __VIEWSTATE payloads and keep executing code even after the server is patched, which is why Microsoft pairs the update with machine key rotation rather than treating the patch alone as sufficient.
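The request shape described above is visible in the IIS logs of a SharePoint front end. The PowerShell below is an added example, not code from the article or from Microsoft: it parses W3C-format IIS log lines (the sample lines are constructed for illustration; the field order follows a typical SharePoint "#Fields:" header) and flags two things, an unauthenticated edit-mode POST to ToolPane.aspx whose Referer is SignOut.aspx, and any request for the spinstall*.aspx web shell names Microsoft reported in this campaign. The web shell filename pattern comes from Microsoft's public reporting, not from this page; adjust it to your own indicator list.

```powershell
# Added example: triage IIS W3C logs for the ToolPane auth-bypass request shape.
function Find-ToolShellIndicators {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # The "#Fields:" header tells us which column is which; IIS separates fields
    # with single spaces and encodes spaces inside a field as '+'.
    $header = ($LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    if (-not $header) { throw 'No #Fields: header found in log input.' }
    $fields = $header -split ' '

    foreach ($line in ($LogLines | Where-Object { $_ -and $_ -notlike '#*' })) {
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $e = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $e[$fields[$i]] = $values[$i] }

        # Rule 1: edit-mode POST to ToolPane.aspx with a SignOut.aspx Referer and no
        # authenticated user. A real page edit carries a user name and an in-site Referer.
        $toolPaneBypass = (
            $e['cs-method'] -eq 'POST' -and
            $e['cs-uri-stem'] -match '(?i)/_layouts/(15/)?ToolPane\.aspx$' -and
            $e['cs-uri-query'] -match '(?i)DisplayMode=Edit' -and
            $e['cs(Referer)'] -match '(?i)/_layouts/(15/)?SignOut\.aspx' -and
            $e['cs-username'] -eq '-'
        )

        # Rule 2: any hit on the web shell names reported for this campaign.
        $webShell = $e['cs-uri-stem'] -match '(?i)/spinstall\d*\.aspx$'

        if ($toolPaneBypass -or $webShell) {
            $rule = if ($toolPaneBypass) { 'ToolPane auth bypass' } else { 'Web shell request' }
            [pscustomobject]@{
                Time     = "$($e['date']) $($e['time'])"
                ClientIP = $e['c-ip']
                Rule     = $rule
                Request  = "$($e['cs-method']) $($e['cs-uri-stem'])?$($e['cs-uri-query'])"
                Referer  = $e['cs(Referer)']
            }
        }
    }
}

# Constructed sample log: one benign page load, one bypass POST, one web shell fetch,
# and one legitimate authenticated ToolPane edit that must NOT be flagged.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jdoe 10.0.1.20 Mozilla/5.0 - 200
2025-07-18 14:05:43 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 14:05:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 14:06:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\admin 10.0.1.30 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200
'@ -split "`r?`n"

Find-ToolShellIndicators -LogLines $sampleLog | Format-Table -AutoSize
```

On a real server, replace `$sampleLog` with `Get-Content` over the IIS log directory (for example `Get-Content -Path 'C:\inetpub\logs\LogFiles\W3SVC*\*.log'`). A status code of 200 on the bypass POST is the expected sign of success, so do not filter on error codes, and treat any hit on the web shell name as a confirmed compromise that requires key rotation, not just patching.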

Recommended Mitigation Strategies

To defend against these threats, Microsoft recommends:

  1. Install the latest security updates for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
  2. Rotate the ASP.NET machine keys used by your SharePoint servers, since stolen keys remain usable after the update is applied.
  3. Restart Internet Information Services (IIS) with iisreset.exe on every SharePoint server so the new keys take effect and worker processes are reloaded.
  4. Deploy Microsoft Defender for Endpoint, or an equivalent endpoint detection and response solution, on the on-premises SharePoint servers.
  5. Enable Antimalware Scan Interface (AMSI) integration in SharePoint and pair it with Microsoft Defender Antivirus or another reputable antivirus product.
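The five steps above form one procedure on each server in the farm. The script below is an added example, not Microsoft's own tooling or text from the article; it runs the checks in Microsoft's order from the SharePoint Management Shell as a farm administrator. It assumes the fixed build number for your edition is supplied from Microsoft's advisory as the -FixedBuild parameter (not hardcoded here), and it assumes the AMSI integration feature's display name contains "AMSI", which is an assumption to confirm against your farm's feature list.

```powershell
# Added example: post-exploitation hardening checklist for one SharePoint server.
# Run in the SharePoint Management Shell (Windows PowerShell 5.1) as a farm admin.
param(
    # Fixed build for your edition, taken from Microsoft's advisory (assumed input).
    [Parameter(Mandatory)][version]$FixedBuild
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Patch level: the farm build must be at or above the fixed build. Without the
#    update, key rotation only buys time until the next successful bypass.
$build = (Get-SPFarm).BuildVersion
if ($build -lt $FixedBuild) {
    Write-Warning "Farm build $build is below the fixed build $FixedBuild. Install the update before continuing."
} else {
    Write-Host "Farm build $build is at or above $FixedBuild."
}

# 2. Rotate ASP.NET machine keys for every web application. A leaked
#    ValidationKey/DecryptionKey lets an attacker forge __VIEWSTATE payloads on a
#    patched server, so this step is required regardless of patch status.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so the w3wp.exe worker processes load the new keys. Repeat steps
#    2 and 3 on every SharePoint server in the farm, not only this one.
iisreset

# 4. Endpoint protection: confirm Defender Antivirus is running with real-time
#    protection on this host (Defender for Endpoint onboarding is checked separately).
$mp = Get-MpComputerStatus
if (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning 'Defender Antivirus is not fully active on this server.'
}

# 5. AMSI integration is activated per web application. Assumption: the feature's
#    display name contains 'AMSI'. If nothing is returned, enable it in Central
#    Administration (Manage web applications > Manage Features) or via Enable-SPFeature.
foreach ($webApp in Get-SPWebApplication) {
    $amsi = Get-SPFeature -WebApplication $webApp | Where-Object { $_.DisplayName -match 'AMSI' }
    if (-not $amsi) {
        Write-Warning "AMSI integration does not appear to be active on $($webApp.Url)"
    } else {
        Write-Host "AMSI integration active on $($webApp.Url)"
    }
}
```

Run the script once per server after the update is installed; the key rotation and IIS restart are the parts that invalidate anything an attacker extracted before patching, so do not skip them on a server that was exposed to the internet during the exploitation window, even if no web shell was found.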

Microsoft's attribution is another instance of Chinese state-backed groups targeting widely deployed Microsoft server software, and it highlights the risk of leaving known vulnerabilities unresolved. The pattern resembles the 2021 Hafnium campaign against on-premises Exchange Server, which likewise combined an authentication bypass with web shell deployment.

As organizations work to resolve these issues, it’s increasingly important to prioritize security updates and establish robust defenses to safeguard against potential exploits.


