
SharePoint Server Vulnerabilities Exploited by Multiple Threat Actors

Source: reuters.com
On-premises SharePoint Servers are under active attack, with multiple threat actors exploiting recently disclosed vulnerabilities. These vulnerabilities, dubbed ToolShell, allow attackers to bypass authentication controls and gain unauthorized access to sensitive information. Immediate action is required to patch affected servers and implement mitigation strategies.

Key Insights

Multiple threat actors, including Chinese nation-state groups like Linen Typhoon and Violet Typhoon, and the ransomware-deploying group Storm-2603, are exploiting SharePoint Server vulnerabilities.

The vulnerabilities include CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771, affecting SharePoint Server Subscription Edition, 2019, and 2016.

Exploitation allows attackers to bypass MFA and SSO, deploy web shells (e.g., spinstall0.aspx), steal MachineKeys, and potentially deploy ransomware like Warlock and LockBit.

Microsoft has released security updates to address these vulnerabilities; immediate patching is crucial.

Mitigation steps include enabling AMSI, rotating SharePoint server ASP.NET machine keys, and deploying Microsoft Defender for Endpoint or equivalent solutions.

Why This Matters: Unpatched SharePoint servers can serve as an easy entry point for attackers, leading to data theft, ransomware deployment, and significant business disruption. The involvement of nation-state actors elevates the risk, as they often have advanced capabilities and persistent objectives.

In-Depth Analysis

Background:

In July 2025, Microsoft disclosed active attacks targeting on-premises SharePoint servers, exploiting CVE-2025-49706 and CVE-2025-49704. These vulnerabilities affect on-premises SharePoint servers only and do not impact SharePoint Online in Microsoft 365. Comprehensive security updates have been released for supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) to protect against these vulnerabilities.

Technical Breakdown:

The attackers exploit a combination of vulnerabilities, including the newly disclosed CVE-2025-53770 and CVE-2025-53771, alongside previously patched vulnerabilities. This allows them to bypass authentication, execute arbitrary code, and deploy malicious web shells.

Observed tactics include:

Reconnaissance and exploitation attempts through POST requests to the ToolPane endpoint.

Web shell deployment (e.g., spinstall0.aspx) to steal MachineKey data.

Persistence mechanisms such as scheduled tasks and manipulation of IIS components.

Credential access using Mimikatz.

Lateral movement using PsExec and Impacket.

GPO modification to distribute ransomware.
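As an added example (not code from the article, Reuters or Microsoft), the first two tactics above can be turned into a simple defender-side check over IIS W3C logs: flag any request for the web shell name the article cites, and unauthenticated POSTs to the ToolPane page. The ToolPane path is assumed from the standard SharePoint layouts structure, and the log excerpt is constructed for illustration.

```python
from dataclasses import dataclass

# Constructed IIS W3C log excerpt (sample data written for this example, not real server logs).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 200
2025-07-19 08:02:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 08:02:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-19 08:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.33 Mozilla/5.0 200
"""

WEB_SHELL_NAMES = {"spinstall0.aspx"}           # web shell file name cited in the article
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"    # assumed standard SharePoint layouts path (lower-cased)

@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str

def parse_w3c(text):
    """Yield (line_no, record) for each data line, using the #Fields header for column names."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines instead of crashing on them
        yield n, dict(zip(fields, values))

def detect_toolshell(text):
    """Heuristic: web shell name requested, or unauthenticated POST to ToolPane (auth bypass pattern)."""
    findings = []
    for n, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        user = rec.get("cs-username", "-")      # IIS logs "-" when no user authenticated
        ip = rec.get("c-ip", "?")
        if stem.rsplit("/", 1)[-1] in WEB_SHELL_NAMES:
            findings.append(Finding(n, ip, "request for known web shell name"))
        elif rec.get("cs-method") == "POST" and stem == TOOLPANE_PATH and user == "-":
            findings.append(Finding(n, ip, "unauthenticated POST to ToolPane endpoint"))
    return findings

if __name__ == "__main__":
    for f in detect_toolshell(SAMPLE_IIS_LOG):
        print(f"line {f.line_no}: {f.client_ip} - {f.reason}")
```

Authenticated POSTs to ToolPane are normal page-editing traffic, so the check deliberately flags only the unauthenticated case; treat hits as a starting point for investigation, not proof of compromise.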

Impact:

Successful exploitation can lead to:

Data theft

Ransomware deployment

Compromise of other integrated Microsoft services like Office, Teams, OneDrive, and Outlook.

How to Prepare:

Apply the latest security updates for SharePoint Server.

Enable and configure Antimalware Scan Interface (AMSI) with Full Mode.

Rotate SharePoint Server ASP.NET machine keys and restart IIS.

Deploy Microsoft Defender for Endpoint or an equivalent EDR solution.

Implement an incident response plan.

Who This Affects Most:

Organizations that rely on on-premises SharePoint servers, especially those with internet-facing deployments, are at the highest risk. Government organizations, telecommunications companies, and international organizations are particularly attractive targets for certain threat actors.

FAQs

Q: What SharePoint versions are affected?

SharePoint Server Subscription Edition, 2019, and 2016 are affected. SharePoint Online in Microsoft 365 is not affected.

Q: What are the key vulnerabilities being exploited?

CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771.

Q: How can I protect my SharePoint server?

Apply the latest security updates, enable AMSI, rotate machine keys, and deploy an EDR solution.

Key Takeaways

On-premises SharePoint servers are under active attack.

Multiple threat actors, including nation-state groups, are involved.

Immediate patching and implementation of mitigation steps are crucial to prevent exploitation and data compromise.

Keep systems updated and monitor for suspicious activity.

Discussion

Do you think these vulnerabilities will continue to be a popular attack vector? Share your thoughts in the comments below!


Disclaimer: Yanuki provides article summaries and links for reference only. Yanuki does not endorse, verify, or guarantee the accuracy of third-party sources. Please review original sources and verify information independently. Managed by the Yanuki Data Engine.