Lizzie Clark

Active Exploits Target SharePoint Servers

Microsoft Releases Guidance on SharePoint Vulnerabilities

In this blog series we spotlight one of the stories from our cybersecurity newsletter, Beacon.

On July 19, 2025, Microsoft Security Response Center published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.

These comprehensive security updates address newly disclosed security vulnerabilities in CVE-2025-53770 that are related to the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706.

Three China-based threat groups, Linen Typhoon, Violet Typhoon, and Storm-2603, have been observed targeting exposed SharePoint infrastructure. Notably, Storm-2603 is now deploying Warlock ransomware following successful exploitation of disclosed vulnerabilities.

Storm-2603’s attack chain includes:

  • Initial access via malicious POST requests exploiting CVE-2025-49706 and CVE-2025-49704.
  • Command execution via w3wp.exe (the IIS worker process) and enumeration using whoami.
  • Persistence through scheduled tasks and malicious .NET assemblies in IIS.
  • Credential access using Mimikatz targeting LSASS.
  • Lateral movement using PsExec and Impacket.
  • Payload delivery via modified GPOs to distribute Warlock ransomware.
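The "command execution via w3wp.exe and enumeration using whoami" step above is the part of the chain a defender can see most cheaply: a SharePoint worker process has no legitimate reason to spawn a shell or whoami. The script below is an added example, not code from the original post or from Microsoft. It scans process-creation events shaped like Sysmon Event ID 1 records (field names ParentImage, Image, CommandLine, User) for children of w3wp.exe; the sample events are constructed for the demonstration, and the Get-WinEvent line at the end shows how to feed real Sysmon data through the same function.

```powershell
# Added example (not from the original post): flag IIS worker-process children
# that match the "command execution via w3wp.exe and enumeration using whoami"
# step of the Storm-2603 chain. Sample events below are constructed; field names
# follow Sysmon Event ID 1 (ParentImage, Image, CommandLine, User).

# Child binaries a SharePoint worker process should never spawn directly.
$SuspiciousChildren = @('cmd.exe', 'whoami.exe', 'powershell.exe', 'pwsh.exe')

function Find-SuspiciousW3wpChild {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Events
    )
    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($parent -eq 'w3wp.exe' -and $SuspiciousChildren -contains $child) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                Host        = $e.Computer
                Child       = $child
                CommandLine = $e.CommandLine
                User        = $e.User
            }
        }
    }
}

# Convert a live Sysmon Event ID 1 record into the hashtable shape used above.
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $h = @{ Computer = $x.Event.System.Computer }
        foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
        $h
    }
}

# Constructed sample: a benign worker-process start, then the chain's shell spawn
# and the whoami that follows it (only the cmd.exe child of w3wp.exe is flagged).
$SampleEvents = @(
    @{ UtcTime = '2025-07-19 02:11:03'; Computer = 'SP01'
       ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
       Image = 'C:\Windows\System32\inetsrv\w3wp.exe'
       CommandLine = 'w3wp.exe -ap "SharePoint - 80"'; User = 'CONTOSO\spapp' },
    @{ UtcTime = '2025-07-19 02:11:09'; Computer = 'SP01'
       ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
       Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c whoami'; User = 'CONTOSO\spapp' },
    @{ UtcTime = '2025-07-19 02:11:10'; Computer = 'SP01'
       ParentImage = 'C:\Windows\System32\cmd.exe'
       Image = 'C:\Windows\System32\whoami.exe'
       CommandLine = 'whoami'; User = 'CONTOSO\spapp' }
)

Find-SuspiciousW3wpChild -Events $SampleEvents | Format-Table -AutoSize

# Against a real SharePoint server (administrator, Sysmon installed):
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' |
#     ConvertFrom-SysmonProcessCreate |
#     ForEach-Object { Find-SuspiciousW3wpChild -Events @($_) }
```

The rule deliberately keys on the parent/child pair rather than on a specific exploit request, so it also catches the same post-exploitation step reached through a different web-facing bug; tune the child list to the legitimate child processes your farm's custom solutions actually launch before alerting on it.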

Microsoft strongly recommends:

  • Installing all relevant security updates.
  • Enabling Antimalware Scan Interface (AMSI) in Full Mode.
  • Rotating ASP.NET machine keys.
  • Restarting IIS services.
  • Deploying Microsoft Defender for Endpoint or equivalent EDR solutions.
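Rotating the ASP.NET machine keys and restarting IIS are the two recommendations above that undo what an attacker gains from stealing the keys during exploitation, so they matter even after the patch is installed. The script below is an added example, not Microsoft's own remediation script. It assumes the SharePoint Management Shell snap-in (Get-SPWebApplication, Update-SPMachineKey) is available on a SharePoint Server that already has the security update installed, and that it is run as a farm administrator; AMSI Full Mode is not scripted here because the post gives no cmdlet for it.

```powershell
# Added example (not Microsoft's script): rotate the ASP.NET machine keys of
# every SharePoint web application, then restart IIS so the worker processes
# pick up the new keys. Assumes the SharePoint Management Shell cmdlets
# (Get-SPWebApplication, Update-SPMachineKey) exist on this patched server.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

function Invoke-SPMachineKeyRotation {
    param(
        # Central Administration has its own keys; include it unless told otherwise.
        [switch] $SkipCentralAdministration
    )

    $webApps = Get-SPWebApplication -IncludeCentralAdministration:(-not $SkipCentralAdministration)
    $rotated = @()
    foreach ($webApp in $webApps) {
        Write-Host "Rotating ASP.NET machine keys for $($webApp.Url)"
        # Generates new validation/decryption keys for this web application.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        $rotated += $webApp.Url
    }
    return $rotated
}

$done = Invoke-SPMachineKeyRotation
Write-Host "Rotated keys for $($done.Count) web application(s)."

# The new keys only take effect once IIS reloads the application pools.
# Repeat this restart on every SharePoint server in the farm.
iisreset /noforce
```

Run the key rotation once per farm and the IIS restart on each server; the order matters, because a restart before the rotation leaves the old, possibly stolen, keys in use. Keep the output of the script with the incident record so the rotation time can be matched against any later forged-request activity in the IIS logs.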

If you’d like the latest dark web news and insights delivered into your inbox every Thursday at 10am, sign up to the email version of BEACON.