Microsoft: China-Backed APTs Actively Exploiting SharePoint Flaws (CVE-2025-49704 & CVE-2025-49706)

Last week, the Microsoft Security Response Center (MSRC) issued an urgent advisory regarding active exploitation of critical vulnerabilities in on-premises SharePoint Server installations. The alert, triggered by mounting evidence of targeted attacks, emphasizes the severity of two exploited flaws—CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing)—which are being chained in real-world attacks to compromise unpatched systems.

“These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365,” Microsoft clarified. “Customers should apply these updates immediately to ensure they are protected.”

Microsoft has attributed these attacks to multiple China-based threat actors, including:

• Linen Typhoon, known for stealing intellectual property from government and defense sectors since 2012
• Violet Typhoon, targeting NGOs, academia, media, and healthcare in the U.S., Europe, and East Asia
• Storm-2603, associated with prior ransomware operations, including Lockbit and Warlock

These groups were observed exploiting CVE-2025-49704 and CVE-2025-49706 to gain unauthenticated access to internet-facing SharePoint servers. Microsoft notes that exploitation began as early as July 7, 2025, warning that “threat actors will continue to integrate [these vulnerabilities] into their attacks against unpatched on-premises SharePoint systems.”

After successful exploitation, attackers upload a malicious web shell—typically named spinstall0.aspx—which allows remote command execution. Variants like spinstall1.aspx, spinstall2.aspx, and others have also been observed. These scripts contain commands to extract ASP.NET MachineKey data, enabling attackers to impersonate legitimate users and escalate privileges.

“The spinstall0.aspx script contains commands to retrieve MachineKey data and return the results to the user… enabling the theft of the key material by threat actors,” the company explains.

Microsoft has released comprehensive security updates for all supported versions of SharePoint Server, including:

• SharePoint Server Subscription Edition (KB5002768)
• SharePoint Server 2019 (KB5002754 and KB5002753)
• SharePoint Server 2016 (KB5002760 and KB5002759)

Beyond patching, Microsoft advises organizations to:

• Enable AMSI (Antimalware Scan Interface) in Full Mode
• Deploy Microsoft Defender Antivirus or equivalent solutions
• Rotate ASP.NET MachineKeys and restart IIS
• Deploy Defender for Endpoint to detect post-exploit activity
• Disconnect internet-facing servers or limit unauthenticated access until patched

“If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet… or using a VPN or proxy requiring authentication,” the advisory recommends.

Microsoft has also provided Indicators of Compromise (IOCs) and hunting queries to help defenders detect evidence of exploitation.

Related Posts:

• ToolShell: New SharePoint RCE Zero-Day Chain Under Active Global Exploitation
• Microsoft’s September Patch Tuesday: A Patchwork of Urgency with 4 Zero-Days Under Attack
• Microsoft Raises Server Prices: 10% Increase Coming
• FCC Takes Action to Strengthen Cybersecurity in Response to Salt Typhoon Cyberattack
• CVE-2024-38094 Exploited: Attackers Gain Domain Access via Microsoft SharePoint Server