July 25, 2025
Severity
High
Analysis Summary
A critical security alert has been issued by Microsoft regarding active exploitation of the zero-day vulnerabilities CVE-2025-53770 and CVE-2025-53771 in Microsoft SharePoint Server 2016, 2019, and Subscription Edition. These vulnerabilities, exploited since July 7, 2025, allow attackers to deploy malicious web shells and execute code remotely. Initial access is gained by chaining two additional flaws, CVE-2025-49706 (spoofing) and CVE-2025-49704 (RCE), against internet-facing SharePoint servers. The attackers send crafted POST requests to the ToolPane endpoint to implant web shells such as spinstall0.aspx, which extract the server's ASP.NET MachineKey data; because those keys protect authentication tokens and view state, their theft enables session hijacking that survives ordinary remediation.
The attacks are being attributed to three known Chinese threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603, with the latter taking the campaign further by deploying Warlock ransomware. These actors conduct extensive reconnaissance and post-exploitation tasks using SharePoint’s w3wp.exe process. They disable Microsoft Defender by manipulating registry keys through cmd.exe and services.exe, enabling stealthy execution of follow-on payloads. Storm-2603 establishes persistence using scheduled tasks and by loading suspicious .NET assemblies into Internet Information Services (IIS), thereby allowing sustained access and further payload execution.
Credential harvesting is a critical part of the attack chain. Storm-2603 uses Mimikatz to dump credentials from LSASS memory, aiding lateral movement through tools like PsExec and the Impacket toolkit. To maintain control over compromised environments, the attackers have set up command-and-control infrastructure using domains such as update.updatemicfosoft.com and the IP addresses listed under Indicators of Compromise below. The final phase of the operation modifies Group Policy Objects (GPOs) to propagate Warlock ransomware throughout the organization's network, effectively paralyzing operations and demanding ransom payments.
Microsoft has issued urgent mitigation guidance in response to these threats. Organizations are strongly advised to apply the latest security patches, enable the Antimalware Scan Interface (AMSI) in Full Mode for enhanced script monitoring, rotate their SharePoint server ASP.NET MachineKeys to mitigate key theft, and perform a full IIS restart using iisreset.exe. These measures are critical to disrupt active attack chains and prevent future exploitation of SharePoint environments.
Impact
- Sensitive Data Theft
- Remote Code Execution
- Security Bypass
Indicators of Compromise
IP
- 65.38.121.198
- 131.226.2.6
MD5
- 02b4571470d83163d103112f07f1c434
SHA-256
- 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
SHA-1
- f5b60a8ead96703080e73a1f79c3e70ff44df271
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Immediately patch SharePoint Server 2016, 2019, and Subscription Edition to fix CVE-2025-53770, CVE-2025-53771, and other related vulnerabilities.
- Enable Antimalware Scan Interface (AMSI) in Full Mode for enhanced script detection and threat visibility.
- Rotate ASP.NET MachineKey values to invalidate any credentials or tokens stolen during the attack.
- Run iisreset.exe to restart Internet Information Services and apply all changes effectively.
- Scan all SharePoint environments for known web shells like spinstall0.aspx and associated SHA-256 hashes.
- Audit scheduled tasks and IIS configuration for unauthorized changes or persistent backdoors.
- Restore and reconfigure Microsoft Defender if it was disabled through registry modifications.
- Monitor outbound network traffic for signs of command-and-control communication, especially with known malicious IPs and domains.
- Isolate compromised systems from the network to prevent lateral movement and ransomware propagation.
- Review and roll back unauthorized modifications to Group Policy Objects (GPOs) to stop ransomware distribution.
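The following PowerShell sweep is an added example, not part of the original advisory, that turns the hunting steps above (web shell by name or SHA-256, C2 contact with the listed IPs and domain, new scheduled tasks since the July 7 exploitation start, degraded Defender state) into a single script run in an elevated session on the SharePoint server. The indicator values are taken from this advisory; the LAYOUTS path is the default SharePoint "16" hive location and is an assumption about the host.

```powershell
# Added example: host-side IOC sweep for the SharePoint web shell campaign.
# Indicator values come from the advisory; $LayoutsRoot is the default
# SharePoint 16 hive path (assumption; adjust if the hive is elsewhere).
$Iocs = @{
    FileNames = @('spinstall0.aspx')
    Sha256    = @('92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514')
    Ips       = @('65.38.121.198', '131.226.2.6')
    Domains   = @('update.updatemicfosoft.com')
}
$LayoutsRoot = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$ExploitStart = [datetime]'2025-07-07'

# 1. Web shells: flag .aspx files under LAYOUTS that match the known name or hash.
Get-ChildItem -Path $LayoutsRoot -Recurse -Include *.aspx -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($Iocs.FileNames -contains $_.Name -or $Iocs.Sha256 -contains $hash) {
            [pscustomobject]@{ Finding = 'WebShell'; Path = $_.FullName; Sha256 = $hash; LastWrite = $_.LastWriteTime }
        }
    }

# 2. Network: live TCP connections to the listed C2 addresses, with the owning PID.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $Iocs.Ips -contains $_.RemoteAddress } |
    Select-Object @{ n = 'Finding'; e = { 'C2Connection' } }, RemoteAddress, RemotePort, OwningProcess

# 3. DNS: cached resolutions of the listed C2 domain (evidence of a past beacon).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $Iocs.Domains -contains $_.Entry } |
    Select-Object @{ n = 'Finding'; e = { 'C2Dns' } }, Entry, Data

# 4. Persistence: scheduled tasks registered on or after the exploitation start date.
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $ExploitStart } |
    Select-Object @{ n = 'Finding'; e = { 'NewScheduledTask' } }, TaskName, TaskPath, Date, Author

# 5. Defender: report if real-time protection or tamper protection has been switched off.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and (-not $mp.RealTimeProtectionEnabled -or -not $mp.IsTamperProtected)) {
    [pscustomobject]@{ Finding = 'DefenderDegraded'; RealTime = $mp.RealTimeProtectionEnabled; Tamper = $mp.IsTamperProtected }
}
```

Any Finding row warrants isolating the host and rotating MachineKeys before the IIS restart, since a surviving key lets the attacker re-enter even after the shell file is removed.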