Microsoft (NASDAQ: MSFT) has announced the discovery of active cyberattacks by China-based threat actors exploiting critical vulnerabilities in on-premises SharePoint Server, resulting in a series of breaches around the world since early July 2025.
In an official blog post dated July 19, 2025, Microsoft's Security Response Center explained that attackers are chaining two critical vulnerabilities: CVE-2025-49706, a spoofing flaw that lets an unauthenticated request bypass SharePoint authentication, and CVE-2025-49704, a remote code execution flaw that the spoofed request then triggers. Microsoft has released security updates for all supported versions of SharePoint Server to patch these flaws. Because the initial July fixes were bypassed in the wild, Microsoft subsequently tracked the bypass variants as CVE-2025-53770 and CVE-2025-53771; administrators should confirm they have installed the updates that cover those identifiers as well, not only the original pair.
Microsoft attributed the attacks to three China-based threat groups: Linen Typhoon, known for stealing intellectual property from government and defense sectors; Violet Typhoon, which targets educational institutions and NGOs; and Storm-2603, which Microsoft assesses with lower confidence to be China-based and which has previously been linked to ransomware campaigns, though its objectives in this campaign remain unclear.
The attacks begin with crafted POST requests to the ToolPane endpoint (/_layouts/15/ToolPane.aspx), followed by the deployment of malicious files such as "spinstall0.aspx". That file is not a conventional web shell for running commands; it reads the server's ASP.NET machine keys (the ValidationKey and DecryptionKey from the MachineKey configuration) and returns them to the attacker. With a valid ValidationKey an attacker can forge signed __VIEWSTATE payloads that the server will deserialize, so access obtained this way survives patching until the keys are rotated.
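The two indicators above (the ToolPane POST and a request for spinstall0.aspx) are easy to hunt for in IIS W3C logs. The following is an added example written for this page, not Microsoft's own detection logic or a published hunting query. It parses the #Fields header so column order does not matter, flags the exploit-shaped request (a POST to ToolPane.aspx whose Referer points at SignOut.aspx, which is how Microsoft described the observed requests) as high severity, flags any request for a spinstall*.aspx path as high severity, and flags an ordinary DisplayMode=Edit POST to ToolPane.aspx as medium severity because legitimate page editors also produce those. The log lines are constructed sample data, not a real capture; the spinstall\d* pattern generalises the single filename given above and the ContosO host names are placeholders.

```python
"""Hunt IIS W3C logs for the ToolShell request shapes described above.

Added example for this article; assumptions: standard IIS W3C field names
(cs-method, cs-uri-stem, cs-uri-query, cs(Referer), c-ip) and that variants of
the key-dumping page share the spinstall<digit> naming of spinstall0.aspx.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set, Tuple

# Constructed sample log (not real data): one benign GET, one exploit-shaped
# ToolPane POST, one fetch of the key-dumping page, one legitimate editor POST.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 30
2025-07-18 10:01:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200 0 0 812
2025-07-18 10:01:55 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2025-07-18 10:03:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.21 Mozilla/5.0 https://sp.contoso.local/sites/hr/SitePages/Home.aspx 200 0 0 120
"""

TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
# Assumption: key-dumping page variants keep the spinstall<digits>.aspx name.
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    client_ip: str
    timestamp: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # header can change mid-file; re-map
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header before data lines")
        values = raw.split()
        if len(values) != len(fields):
            continue                          # malformed line: skip, never mis-map columns
        yield dict(zip(fields, values))


def classify(rec: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious record, or None if benign."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-").lower()
    referer = rec.get("cs(Referer)", "-").lower()

    if WEBSHELL_RE.search(stem):
        return ("high", "request for spinstall*.aspx (machine-key dumping page)")
    if method == "POST" and stem.endswith(TOOLPANE_SUFFIX):
        if SIGNOUT_REFERER in referer:
            return ("high", "POST to ToolPane.aspx with SignOut.aspx Referer (exploit request shape)")
        if "displaymode=edit" in query:
            return ("medium", "POST to ToolPane.aspx DisplayMode=Edit; confirm the user is a legitimate editor")
    return None


def hunt(text: str) -> List[Finding]:
    """Run classify() over every record and collect findings in log order."""
    findings: List[Finding] = []
    for rec in parse_w3c(text):
        verdict = classify(rec)
        if verdict is not None:
            findings.append(Finding(verdict[0], verdict[1],
                                    rec.get("c-ip", "-"),
                                    f"{rec.get('date', '')} {rec.get('time', '')}"))
    return findings


def suspect_ips(findings: List[Finding]) -> Set[str]:
    """Client IPs with at least one high-severity finding; feed these to IR."""
    return {f.client_ip for f in findings if f.severity == "high"}


if __name__ == "__main__":
    results = hunt(SAMPLE_IIS_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.timestamp} {f.client_ip}: {f.reason}")
    print("suspect IPs:", sorted(suspect_ips(results)))
```

A high-severity hit is a trigger for incident response, not just patching: if the key-dumping page was fetched successfully, assume the ValidationKey is in the attacker's hands and rotate it regardless of whether the server has since been updated.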
Microsoft has urged customers to immediately apply the security updates, enable AMSI (Antimalware Scan Interface) integration in Full Mode with Microsoft Defender Antivirus or another compatible antivirus engine installed, rotate the ASP.NET machine keys (for example with the Update-SPMachineKey cmdlet or the Machine Key Rotation timer job in Central Administration), restart IIS with iisreset.exe so the new keys take effect, and deploy security solutions such as Microsoft Defender for Endpoint. The order matters: patching alone does not invalidate keys that were already stolen, so servers exposed before the update should be treated as compromised until the keys have been rotated. Microsoft also advised that servers on which AMSI cannot be enabled be disconnected from the internet until they are updated.
It is worth noting that these vulnerabilities only affect on-premises SharePoint Server deployments and do not impact SharePoint Online within Microsoft 365, where Microsoft patches the service itself; for organizations that must run SharePoint on premises, the episode underlines the need for timely patching, exposure reduction, and the key-rotation step above.