23 July 2025

Chinese Hackers Exploit SharePoint Vulnerabilities: Are You Already Compromised?

A Wake-Up Call for Enterprises Still Using On-Prem SharePoint

In July 2025, Microsoft released a chilling advisory: three Chinese nation-state hacking groups—Linen Typhoon (APT27), Violet Typhoon (APT31), and the more recently observed Storm-2603—are actively exploiting two critical SharePoint vulnerabilities (CVE-2025-49706 & CVE-2025-49704). These exploits allow attackers to bypass authentication, drop stealthy web shells, and embed themselves deep within enterprise networks.

The result? A staggering 200% increase in cyberattacks targeting SharePoint environments over the past 30 days alone.

This isn't just a cautionary tale—it's a real and growing threat, and your organization may already be in its crosshairs.

Why SharePoint? Why Now?

Despite the cloud revolution, nearly 60% of global enterprises still rely on on-premises versions of Microsoft SharePoint, especially government agencies, financial institutions, and manufacturers that manage sensitive data and complex workflows. When it is left unpatched, this legacy infrastructure becomes low-hanging fruit for advanced persistent threat (APT) groups.

APT27 and APT31 are not amateurs. These actors have conducted cyber-espionage campaigns against defense contractors, diplomatic targets, and critical infrastructure for over a decade. And now, they're setting their sights on exploiting vulnerable SharePoint environments to exfiltrate sensitive documents, install ransomware, and establish long-term footholds within internal networks.

Anatomy of the Exploit: What CVE-2025-49706 & 49704 Allow

Both vulnerabilities affect SharePoint Server 2016, 2019, and Subscription Edition, and stem from improperly validated user input in the SharePoint ToolPane endpoint.

The attack sequence unfolds as follows:

  • Initial Access: The attacker sends a crafted HTTP request to the vulnerable endpoint.
  • Web Shell Deployment: Malicious files such as spinstall0.aspx are dropped in the SharePoint directory.
  • Credential Theft: By extracting Machine Key values from the server’s configuration, the attackers decrypt ASP.NET view states and authentication tokens.
  • Persistence and Lateral Movement: Remote access is maintained using web shells that mimic legitimate processes.

What makes this more dangerous is how the exploit chain evades ordinary detection. The dropped malware masquerades as Edge browser GPU processes and communicates over Google’s Client Update Protocol (CUP), making its traffic almost indistinguishable from routine software updates.

Key Stats that Should Scare You

  • 43% of SharePoint servers scanned globally remain unpatched 30 days after Microsoft’s security update.
  • 200% surge in exploit attempts traced back to IPs historically linked to APT27 and APT31.
  • 38% of enterprises still do not rotate MachineKeys regularly, leaving them vulnerable to long-term credential theft.
  • 70% of ransomware infections now start through exploitation of unpatched software, according to Verizon’s 2025 DBIR.

Who Are These Threat Groups?

1. Linen Typhoon (APT27)

Known for cyber espionage targeting military, aerospace, and energy sectors globally, with suspected links to the Chinese Ministry of State Security.

2. Violet Typhoon (APT31)

Specializes in spear-phishing and custom malware. Recently observed deploying information stealers and remote access trojans via SharePoint exploits.

3. Storm-2603

A rising threat actor connected to ransomware groups like LockBit. Uses web shell access for staging extortion campaigns.

These aren’t simple ransomware gangs operating for quick cash. They are well-funded, patient, and persistent—backed by state actors with long-term geopolitical objectives.

How to Protect Your Organization — Today

1. Patch All SharePoint Servers Immediately

Ensure all on-prem versions of SharePoint 2016, 2019, and Subscription Edition are updated with Microsoft’s July 2025 security patches. These updates address both CVE-2025-49706 and CVE-2025-49704.

2. Rotate Machine Keys

Compromised MachineKeys allow attackers to decrypt session data and impersonate users. Rotate your machineKey values in web.config, then restart IIS to invalidate existing sessions.
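As an added example (not code from the article or from Digialert), the following PowerShell script performs the rotation described above on a single web application: it backs up web.config, writes fresh cryptographically random validationKey and decryptionKey values into the <machineKey> element, and restarts IIS. The web.config path is an assumption; substitute the path of the web application you are rotating.

```powershell
# Added example: rotate the <machineKey> of one SharePoint web application and restart IIS.
# Assumption: $WebConfigPath is the web.config of the web application being rotated.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'  # assumed path
)

# Generate a hex string of $Bytes cryptographically random bytes.
function New-HexKey {
    param([int]$Bytes)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buffer)
    $rng.Dispose()
    return ([System.BitConverter]::ToString($buffer) -replace '-', '')
}

# Keep a timestamped backup so the change can be reverted if a farm member is missed.
$backup = "$WebConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $WebConfigPath -Destination $backup

[xml]$config = Get-Content -Path $WebConfigPath -Raw
$systemWeb = $config.configuration.'system.web'
if (-not $systemWeb) { throw "No <system.web> section found in $WebConfigPath" }

# Reuse the existing <machineKey> element, or create one if the file relies on auto-generated keys.
$machineKey = $systemWeb.machineKey
if (-not $machineKey) {
    $machineKey = $config.CreateElement('machineKey')
    [void]$systemWeb.AppendChild($machineKey)
}

# 64 random bytes for the HMACSHA256 validation key, 32 for the AES-256 decryption key.
$machineKey.SetAttribute('validationKey', (New-HexKey -Bytes 64))
$machineKey.SetAttribute('decryptionKey', (New-HexKey -Bytes 32))
$machineKey.SetAttribute('validation', 'HMACSHA256')
$machineKey.SetAttribute('decryption', 'AES')

$config.Save($WebConfigPath)
Write-Host "machineKey rotated in $WebConfigPath (backup: $backup)"

# Restart IIS so worker processes load the new keys; view state and tokens signed with the
# old keys are no longer accepted after this point.
iisreset /restart
```

In a multi-server farm every web front end must carry identical keys for the same web application, so either copy the generated values to each server or use the farm-aware SharePoint Management Shell cmdlet Update-SPMachineKey where your build provides it. Rotation only closes the door for keys that were already stolen; it does not remove a web shell, so combine it with the IoC hunt in the next steps.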

3. Enable AMSI (Antimalware Scan Interface)

Enable SharePoint’s AMSI integration and configure Microsoft Defender on the server in full-scan mode. This helps detect malicious .aspx web shells and suspicious script activity within SharePoint environments.

4. Monitor for Known IoCs

Scan logs and endpoints for the following Indicators of Compromise (IoCs):

  • File names like spinstall0.aspx, update.aspx, or xsvc.aspx
  • Unexpected outbound traffic to domains mimicking Google or Microsoft updates
  • Anomalies in SharePoint application pool behaviour
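As an added example (not code from the article or from Digialert), this PowerShell hunt script turns the IoC list above, together with the ToolPane endpoint named in the attack sequence, into two checks: a sweep of the SharePoint LAYOUTS folders for the listed web-shell file names and for any recently created .aspx file, and a pass over IIS W3C logs for POST requests to ToolPane.aspx. The hive paths, the IIS log root and the 30-day window are assumptions; adjust them to your farm.

```powershell
# Added example: hunt for the article's SharePoint IoCs on a web front end.
# Assumptions: the LAYOUTS paths, the IIS log root and the 30-day look-back window.
param(
    [string[]]$LayoutRoots = @(
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    ),
    [string]$IisLogRoot = 'C:\inetpub\logs\LogFiles',
    [datetime]$Since = (Get-Date).AddDays(-30)
)

# File names the article gives as indicators of compromise.
$knownShellNames = @('spinstall0.aspx', 'update.aspx', 'xsvc.aspx')
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Type, [string]$Where, [string]$Detail, [string]$Hash = '')
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail; Hash = $Hash })
}

# 1. File-system sweep: known names, plus any .aspx created inside the look-back window.
foreach ($root in $LayoutRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($file in Get-ChildItem -Path $root -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue) {
        $reason = $null
        if ($knownShellNames -contains $file.Name) { $reason = 'known web-shell file name' }
        elseif ($file.CreationTime -ge $Since)      { $reason = "new .aspx created $($file.CreationTime)" }
        if ($reason) {
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            Add-Finding -Type 'File' -Where $file.FullName -Detail $reason -Hash $hash
        }
    }
}

# 2. IIS W3C log sweep: the '#Fields:' header names the columns, so resolve the indexes per file.
foreach ($log in Get-ChildItem -Path $IisLogRoot -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
                 Where-Object { $_.LastWriteTime -ge $Since }) {
    $iMethod = $iUri = $iIp = -1
    foreach ($line in [System.IO.File]::ReadLines($log.FullName)) {
        if ($line.StartsWith('#Fields:')) {
            $fields  = $line.Substring(8).Trim() -split ' '
            $iMethod = [array]::IndexOf($fields, 'cs-method')
            $iUri    = [array]::IndexOf($fields, 'cs-uri-stem')
            $iIp     = [array]::IndexOf($fields, 'c-ip')
            continue
        }
        # Skip other directives and any data that precedes a usable header.
        if ($line.StartsWith('#') -or $iMethod -lt 0 -or $iUri -lt 0) { continue }
        $cols = $line -split ' '
        if ($cols.Count -le [Math]::Max($iMethod, $iUri)) { continue }
        if ($cols[$iMethod] -eq 'POST' -and $cols[$iUri] -match 'ToolPane\.aspx$') {
            $client = if ($iIp -ge 0 -and $cols.Count -gt $iIp) { $cols[$iIp] } else { '?' }
            Add-Finding -Type 'Request' -Where $log.FullName `
                        -Detail "$($cols[0]) $($cols[1]) POST $($cols[$iUri]) from $client"
        }
    }
}

if ($findings.Count -eq 0) { Write-Host "No indicators found since $Since" }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it on every web front end, not just one, and treat the output as leads rather than verdicts: ToolPane.aspx is also used by legitimate web part editing, so a POST to it from an internal administrator is expected, while one from an unfamiliar external address on a server that was unpatched at the time is not. Any .aspx file the script flags should be hashed and retained before removal so that the incident can be reconstructed.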

5. Implement Zero Trust Architecture

Assume breach. Enforce least privilege access, segment your network, and validate user behaviour continuously.

Tools and Frameworks to Help

If you're unsure about where to start, Digialert recommends:

  • Microsoft Defender for Endpoint – with EDR for SharePoint-specific threats
  • Sysmon + Sigma Rules – for detailed process monitoring
  • MITRE ATT&CK Framework – to map attacker behavior and response plans
  • YARA Rules for Web Shell Detection – customized for SharePoint artifacts

Need Help? Digialert Has You Covered

Whether you’re a startup or a Fortune 500 enterprise, Digialert’s Threat Response Team offers:

  • Free SharePoint Vulnerability Assessments
  • Web Shell Hunting & Threat Containment
  • Custom Patch Management Programs
  • 24/7 Incident Response for Zero-Day Exploits

Time is critical. These aren’t theoretical risks—they’re active, coordinated campaigns by skilled adversaries. Waiting another week may be too late.

Final Thoughts

Cybersecurity is no longer just an IT concern—it’s a business continuity imperative. The sophistication and scale of these SharePoint-based attacks demonstrate how legacy infrastructure can become the biggest liability if not maintained properly.

Companies that continue to delay patches or skip behavioural monitoring are placing their customers, data, and reputation in harm’s way. Meanwhile, attackers aren’t taking days off.

Ask yourself:

  • Have we patched all our systems?
  • Have we validated there’s no backdoor already in place?
  • Are we monitoring for behavioural anomalies?

If the answer to any of these is no, or you are not sure, then your organization is already at risk.

Call to Action

  • Is your SharePoint environment secure?
  • Comment below or message us for a free vulnerability assessment.

Follow Digialert for real-time threat alerts and actionable cybersecurity intelligence.

Don’t forget to follow Digialert and VinodSenthil on LinkedIn for more critical insights like this.
