Microsoft Threat Intelligence reports on recent attacks exploiting SharePoint vulnerabilities, with actionable defense steps for organizations. This summary highlights the report's guidance for defenders and SharePoint administrators facing these advanced threats.

Mitigating Active Exploitation of On-Premises SharePoint Vulnerabilities

Overview

Recent activity tracked by Microsoft Threat Intelligence highlights active exploitation of critical vulnerabilities in on-premises SharePoint Server by Chinese nation-state actors Linen Typhoon and Violet Typhoon, as well as Storm-2603. These attacks have resulted in web shell deployment and credential theft, with confirmed ransomware incidents. Microsoft urges urgent action to patch and harden affected SharePoint environments.

Key Vulnerabilities and Impacted Versions

  • Vulnerabilities:
  • Affected Products:
    • SharePoint Server Subscription Edition
    • SharePoint Server 2019
    • SharePoint Server 2016

Threat Actor Activity

  • Storm-2603 exploited SharePoint flaws to deploy ransomware, following initial access gained with tailored payloads such as the spinstall0.aspx web shell.
  • Linen Typhoon and Violet Typhoon performed reconnaissance, exploitation, persistence, and credential theft targeting government and private sector entities.

Attack Chain & Tactics

  • Initial Access: A POST request to the ToolPane endpoint exploits the SharePoint vulnerability.
  • Web Shell Deployment: Uploads such as spinstall0.aspx, giving the actor control of the device and a path to credential extraction.
  • Persistence: Scheduled tasks, IIS manipulation to load suspicious .NET assemblies.
  • Credential Access: Use of tools such as Mimikatz (LSASS dumping) and Impacket for lateral movement.
  • Impact: Deployment of ransomware (Warlock, Lockbit), modification of Group Policy Objects for ransomware distribution.
  • Disabling AV: Abuse of services.exe to make registry modifications that disable Microsoft Defender.

Indicators of Compromise (IOCs)

  • Malicious files: spinstall0.aspx, IIS_Server_dll.dll, SharpHostInfo.x64.exe, xd.exe, debug_dev.js
  • Hashes, file paths, and C2 domains are provided in the full report for precise threat hunting.

Mitigation and Protection Guidance

  1. Upgrade and Patch: Run a supported SharePoint version (2016/2019/Subscription Edition) and apply the latest security updates.
  2. Enable AMSI and Defender: Turn on the Antimalware Scan Interface (AMSI) integration in Full Mode and run Microsoft Defender Antivirus on all SharePoint servers.
  3. Deploy Defender for Endpoint: Detection and response for post-exploit activity.
  4. Rotate Machine Keys: Use PowerShell (Set-SPMachineKey) or Central Admin to rotate ASP.NET machine keys.
  5. Restart IIS: Use iisreset.exe on all affected servers.
  6. Incident Response: Implement your IR plan immediately. Review logs for known IOCs.
  7. Additional Hardening:
    • Turn on EDR in block mode in Microsoft Defender for Endpoint.
    • Enable LSASS protection, credential guard, attack surface reduction rules, and tamper protection.
    • Limit internet exposure and use VPN/proxy with authentication if AMSI cannot be enabled.

Detection and Hunting

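As an added hunting example that is not part of the Microsoft report, the following Python scans IIS W3C logs for the two steps named in the attack chain above: a POST to the ToolPane endpoint and any request for the spinstall0.aspx web shell. The sample log lines, the `/_layouts/15/ToolPane.aspx` path, client addresses and user agents are constructed assumptions, not indicators taken from the report.

```python
# Constructed sample log in IIS W3C format. The ToolPane path, client IPs and
# user agents are assumptions for illustration, not indicators from the report.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - CORP\\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-19 10:02:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 203.0.113.7 python-requests/2.31 - 200
2025-07-19 10:02:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - - 203.0.113.7 python-requests/2.31 - 200
2025-07-19 10:03:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit CORP\\bob 10.0.0.21 Mozilla/5.0 - 200
"""

# Web-shell file name from the report's IOC list that appears as a URL stem.
WEBSHELL_NAMES = {"spinstall0.aspx"}

def parse_iis_log(text: str) -> list[dict]:
    """Turn W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
            continue
        if not line or line.startswith("#"):
            continue                            # other directives and blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                            # malformed line: skip rather than guess columns
        records.append(dict(zip(fields, values)))
    return records

def hunt(records: list[dict]) -> list[dict]:
    """Flag the initial-access request and any web-shell hit from the attack chain."""
    findings = []
    for r in records:
        stem = r.get("cs-uri-stem", "")
        name = stem.rsplit("/", 1)[-1].lower()
        hit = {"time": r["time"], "c-ip": r["c-ip"], "stem": stem}
        # POST to ToolPane: the exploit delivery step (ordinary page loads are GETs).
        if r.get("cs-method", "").upper() == "POST" and name == "toolpane.aspx":
            findings.append({"rule": "toolpane_post", **hit})
        # Any request for a known web-shell file name: post-exploitation activity.
        if name in WEBSHELL_NAMES:
            findings.append({"rule": "webshell_request", **hit})
    return findings

if __name__ == "__main__":
    for f in hunt(parse_iis_log(SAMPLE_IIS_LOG)):
        print(f"{f['time']} {f['c-ip']} {f['rule']} {f['stem']}")
```

A hit on the POST rule followed within seconds by a web-shell request from the same client address, as in the sample, is the sequence worth escalating under the incident response step above.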
References & Further Reading
Note from Microsoft Threat Intelligence: Continued vigilance and timely patching are critical. Monitor for new indicators and mitigation guidance as investigations continue.

This post appeared first on “Microsoft Security Blog”.