
Microsoft issues emergency patches as three Chinese threat groups exploit zero-day flaws to deploy ransomware and steal sensitive data from thousands of organizations worldwide.
Microsoft has released critical security updates to address two zero-day vulnerabilities in on-premises SharePoint servers that have been under active exploitation since July 7, 2025.
The vulnerabilities, tracked as CVE-2025-53770 (SharePoint ToolShell Auth Bypass and RCE) and CVE-2025-53771 (SharePoint ToolShell Path Traversal), represent patch bypasses for previously disclosed flaws and have already compromised thousands of organizations globally.
The "ToolShell" attack was originally devised by Viettel Cyber Security researchers and demonstrated at the Pwn2Own contest in Berlin, but has now been weaponized by multiple threat actors in large-scale campaigns.
Attackers craft malicious serialized data that is improperly deserialized by the server, leading to unauthenticated remote code execution with no prior access or user interaction required.
Chinese State Actors Leading the Assault
Microsoft's threat intelligence team has identified three distinct Chinese threat groups actively exploiting these vulnerabilities. Linen Typhoon and Violet Typhoon—both established state-sponsored actors—are conducting espionage operations targeting government, defense, and strategic organizations. More concerningly, a third group called Storm-2603 has been deploying Warlock ransomware in compromised environments since July 18.
"Storm-2603 established persistence through multiple mechanisms, including web shells and scheduled tasks, then used Mimikatz to extract credentials and move laterally using PsExec and the Impacket toolkit," Microsoft researchers warned in their advisory.
The attackers deploy web shells named variations of spinstall0.aspx that can steal SharePoint's encryption keys (MachineKey data), allowing them to maintain access even if the web shell is removed. This persistence mechanism makes complete remediation extremely challenging.
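A hunt for the web-shell persistence described above, written as an added example for this article (it is not code from Microsoft, the researchers, or any vendor advisory). It walks a directory tree for .aspx files and flags two things: names in the spinstall0 family the article mentions, and pages that read the ASP.NET machineKey configuration, which is the data the article says these shells steal. Assumptions to note: the name pattern is a guess at how the "variations" look, the content heuristic is mine, and the scan root is supplied by the operator (on a real server it would be the SharePoint web root or layouts directory; the sample tree here is constructed in a temp directory).

```python
"""Hunt for spinstall0.aspx-style web shells under a SharePoint web root.

Added example, not from the article or Microsoft. Flags .aspx files whose
name matches the spinstall0 family, or whose content references the
ASP.NET machineKey section (the data the article says these shells steal).
"""
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed name family: "spinstall" plus a short suffix and .aspx, covering
# spinstall0.aspx and the "variations" the article mentions.
SHELL_NAME_RE = re.compile(r"^spinstall[0-9a-z]{0,3}\.aspx$", re.IGNORECASE)

# Assumed content heuristic: a legitimate layout page rarely touches the
# machineKey configuration; a key-stealing shell has to.
MACHINEKEY_RE = re.compile(
    rb"MachineKeySection|ValidationKey|DecryptionKey", re.IGNORECASE
)

# Start of in-the-wild exploitation as given in the article; used to
# prioritize files touched after that date.
EXPLOIT_START = datetime(2025, 7, 7, tzinfo=timezone.utc)


def scan_webroot(root):
    """Return {Path: [reasons]} for every suspicious .aspx file under root."""
    findings = {}
    for path in Path(root).rglob("*.aspx"):
        reasons = []
        if SHELL_NAME_RE.match(path.name):
            reasons.append("name matches spinstall0 family")
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than crash the hunt
        if MACHINEKEY_RE.search(data):
            reasons.append("reads ASP.NET machineKey configuration")
        if reasons:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if mtime >= EXPLOIT_START:
                reasons.append("modified on/after 2025-07-07 exploitation start")
            findings[path] = reasons
    return findings


def build_sample_webroot():
    """Constructed sample tree: one legitimate page, one shell-named page,
    and one renamed shell that still dumps machineKey data."""
    root = Path(tempfile.mkdtemp(prefix="layouts_sample_"))
    (root / "settings.aspx").write_text(
        '<%@ Page Language="C#" %><html>Site settings</html>'
    )
    (root / "spinstall0.aspx").write_text(
        '<%@ Page Language="C#" %><% Response.Write("ok"); %>'
    )
    sub = root / "subdir"
    sub.mkdir()
    (sub / "helper.aspx").write_text(
        '<%@ Import Namespace="System.Web.Configuration" %>'
        '<% var mk = (MachineKeySection)WebConfigurationManager'
        '.GetSection("system.web/machineKey"); %>'
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for hit, why in scan_webroot(sample_root).items():
        print(f"{hit}: {'; '.join(why)}")
```

On a real server the operator points scan_webroot at the SharePoint web root (Microsoft's own guidance names the specific layouts folder; that path is not reproduced here). A hit on the name rule alone is a strong indicator; a hit on the machineKey rule catches a renamed shell, and because the shell's purpose is to steal the keys, any hit should be followed by key rotation, not just file deletion, as the article notes.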
Immediate Action Required
The vulnerabilities can be chained together to allow unauthenticated threat actors to access restricted functionality and run arbitrary commands on vulnerable SharePoint instances. Only on-premises SharePoint servers are affected—SharePoint Online in Microsoft 365 remains secure.
Organizations must immediately apply Microsoft's comprehensive security updates for SharePoint Server 2016, 2019, and Subscription Edition. Additionally, Microsoft strongly recommends enabling the Antimalware Scan Interface (AMSI) in Full Mode, rotating ASP.NET machine keys, and restarting Internet Information Services (IIS) on all SharePoint servers.
"With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched systems," the company stated, emphasizing the critical nature of immediate patching.
The scale and sophistication of these attacks underscore the urgent need for organizations to prioritize SharePoint security and implement comprehensive defense-in-depth strategies.