

SharePoint Server Vulnerabilities Exploited by Multiple Threat Actors

On-premises SharePoint Servers are under active attack, with multiple threat actors exploiting recently disclosed vulnerabilities. These vulnerabilities, dubbed ToolShell, allow attackers to bypass security measures and gain unauthorized ac...

Microsoft says some SharePoint server hackers now using ransomware
Image via Reuters

Key Insights

  • Multiple threat actors, including Chinese nation-state groups like Linen Typhoon and Violet Typhoon, and the ransomware-deploying group Storm-2603, are exploiting SharePoint Server vulnerabilities.
  • The vulnerabilities include CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771, affecting SharePoint Server Subscription Edition, 2019, and 2016.
  • Exploitation allows attackers to bypass MFA and SSO, deploy web shells (e.g., spinstall0.aspx), steal ASP.NET MachineKey data, and potentially deploy ransomware such as Warlock and LockBit.
  • Microsoft has released security updates to address these vulnerabilities; immediate patching is crucial.
  • Mitigation steps include enabling AMSI, rotating SharePoint server ASP.NET machine keys, and deploying Microsoft Defender for Endpoint or equivalent solutions.

In-Depth Analysis

**Background:** In July 2025, Microsoft disclosed active attacks targeting on-premises SharePoint servers, exploiting CVE-2025-49706 and CVE-2025-49704. These vulnerabilities affect on-premises SharePoint servers only and do not impact SharePoint Online in Microsoft 365. Comprehensive security updates have been released for supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) to protect against these vulnerabilities.

**Technical Breakdown:** The attackers exploit a combination of vulnerabilities, including the newly disclosed CVE-2025-53770 and CVE-2025-53771, alongside previously patched vulnerabilities. This allows them to bypass authentication, execute arbitrary code, and deploy malicious web shells.

Observed tactics include:

  • Reconnaissance and exploitation attempts through POST requests to the ToolPane endpoint.
  • Web shell deployment (e.g., spinstall0.aspx) to steal MachineKey data.
  • Persistence mechanisms such as scheduled tasks and manipulation of IIS components.
  • Credential access using Mimikatz.
  • Lateral movement using PsExec and Impacket.
  • GPO modification to distribute ransomware.
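The first two tactics above leave traces in the IIS request logs. The following is an added hunting example, not code from the article or from Microsoft: it parses W3C-format IIS log lines and flags POST requests to the ToolPane endpoint and any request for spinstall0.aspx. The log lines are constructed for the demo; the server log path in the comment is the standard IIS default and is assumed.

```powershell
# Added example, not from the article or Microsoft: scan IIS W3C logs for the two
# indicators the article names, POST requests to the SharePoint ToolPane endpoint
# and any request for the spinstall0.aspx web shell. The log lines below are
# constructed; on a real server point the path at C:\inetpub\logs\LogFiles\W3SVC*\.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.20 Mozilla/5.0+(Windows) 200
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows) 200
2025-07-19 03:13:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 python-requests/2.32 200
2025-07-19 03:15:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CONTOSO\bob 10.0.0.21 Mozilla/5.0+(Windows) 200
'@

function Find-ToolShellIndicators {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields directive gives the column order; it can change mid-file.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }

        $stem = $row['cs-uri-stem']
        $reason = $null
        if ($row['cs-method'] -eq 'POST' -and $stem -match '/ToolPane\.aspx$') {
            $reason = 'POST to ToolPane endpoint (matches the exploitation pattern)'
        } elseif ($stem -match '/spinstall0\.aspx$') {
            $reason = 'Request for spinstall0.aspx web shell'
        }
        if ($reason) {
            [pscustomobject]@{
                Time = "$($row['date']) $($row['time'])"; Client = $row['c-ip']
                Method = $row['cs-method']; Uri = $stem; Status = $row['sc-status']; Reason = $reason
            }
        }
    }
}

# Demo on the constructed sample: flags the POST and the web shell hit, not the two GETs.
Find-ToolShellIndicators -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize

# Real run over every IIS site log on this server (uncomment and adjust the path):
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' |
#     ForEach-Object { Find-ToolShellIndicators -Lines (Get-Content $_.FullName) }
```

Legitimate page editors also POST to ToolPane.aspx, so treat ToolPane hits as triage leads and correlate them with cs-username and source IP; any request for spinstall0.aspx is a much stronger signal.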

**Impact:** Successful exploitation can lead to:

  • Data theft
  • Ransomware deployment
  • Compromise of other integrated Microsoft services like Office, Teams, OneDrive, and Outlook.

**How to Prepare:**

  • Apply the latest security updates for SharePoint Server.
  • Enable and configure Antimalware Scan Interface (AMSI) with Full Mode.
  • Rotate SharePoint Server ASP.NET machine keys and restart IIS.
  • Deploy Microsoft Defender for Endpoint or an equivalent EDR solution.
  • Implement an incident response plan.
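The machine-key rotation step above can be scripted across the farm. This is an added example, not code from the article or from Microsoft; it assumes an elevated SharePoint Management Shell session as a farm administrator on a server that already has the security update installed, and that Update-SPMachineKey with a -WebApplication parameter is the cmdlet available for the rotation.

```powershell
# Added example, not from the article or Microsoft: carry out the "rotate machine
# keys and restart IIS" step for every content web application in the farm.
# Assumptions: run elevated as a farm administrator in the SharePoint Management
# Shell on a server that already has the July 2025 security update installed;
# Update-SPMachineKey -WebApplication is assumed to be the rotation cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build first: rotating keys on an unpatched farm does not
#    close the hole, and the keys would have to be rotated again after patching.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine key for each content web application, so any
#    MachineKey data stolen through a web shell no longer validates.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so worker processes load the new keys; repeat this restart on
#    every SharePoint server in the farm, not only the one this ran on.
iisreset.exe
```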

**Who This Affects Most:** Organizations that rely on on-premises SharePoint servers, especially those with internet-facing deployments, are at the highest risk. Government organizations, telecommunications companies, and international organizations are particularly attractive targets for certain threat actors.


FAQ

What SharePoint versions are affected?

SharePoint Server Subscription Edition, 2019, and 2016 are affected. SharePoint Online in Microsoft 365 is not affected.

What are the key vulnerabilities being exploited?

CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771.

How can I protect my SharePoint server?

Apply the latest security updates, enable AMSI, rotate machine keys, and deploy an EDR solution.

Takeaways

  • On-premises SharePoint servers are under active attack.
  • Multiple threat actors, including nation-state groups, are involved.
  • Immediate patching and implementation of mitigation steps are crucial to prevent exploitation and data compromise.
  • Keep systems updated and monitor for suspicious activity.



Disclaimer

This article was compiled by Yanuki using publicly available data and trending information. The content may summarize or reference third-party sources that have not been independently verified. While we aim to provide timely and accurate insights, the information presented may be incomplete or outdated.

All content is provided for general informational purposes only and does not constitute financial, legal, or professional advice. Yanuki makes no representations or warranties regarding the reliability or completeness of the information.

This article may include links to external sources for further context. These links are provided for convenience only and do not imply endorsement.

Always do your own research (DYOR) before making any decisions based on the information presented.