A critical zero-day vulnerability in Microsoft SharePoint has triggered widespread cyberattacks across the globe, affecting businesses, government agencies, and educational institutions. The attack exploits a previously unknown security flaw that allows hackers to gain complete control over on-premises SharePoint servers without authentication. Microsoft has now directly attributed these attacks to Chinese state-sponsored hacking groups.

Scale and Impact of the Attack
Microsoft confirmed active exploitation of the SharePoint vulnerability beginning as early as July 7, 2025, with the attack affecting organizations across multiple critical sectors.
The compromised entities include government agencies, defense contractors, strategic planning organizations, human rights groups, NGOs, think tanks, higher education institutions, digital and print media organizations, and financial and health-related sectors spanning the United States, Europe, and East Asia.
Multiple US government agencies were breached as part of this significant cyber espionage operation, with the scale of compromise continuing to expand as security researchers identify additional affected systems.
Current Scale of Compromise
The numbers are alarming:
- Over 400 organizations have been compromised according to Eye Security estimates, up from roughly 60 just days earlier
- More than 4,600 compromise attempts targeting over 300 organizations worldwide have been identified
- Over 9,717 on-premises SharePoint servers remain exposed to potential attacks according to Censys research
- Most victims are located in the United States, followed by Mauritius, Jordan, South Africa, and the Netherlands
Critical US Government Agency Breaches
Several high-profile US government agencies have been confirmed as victims:
Department of Energy (DOE) and National Nuclear Security Administration (NNSA)
- The National Nuclear Security Administration – the agency responsible for maintaining and designing the nation’s nuclear weapons stockpile – was among those breached
- Bloomberg reported that currently there is no evidence that sensitive or classified data was compromised
Department of Homeland Security (DHS)
- DHS confirmed it was hacked, though officials stated there is no evidence that hackers exfiltrated data from any of its components
Department of Health and Human Services (HHS)
- CBS News reported that hackers also compromised HHS
- The National Institutes of Health was also impacted through the SharePoint flaws
- HHS officials said they are “actively monitoring, identifying and mitigating all risks” but provided no indication that information was breached
Video: CBS News analyzes the Microsoft SharePoint ToolShell attack with cybersecurity expert Andy Boyd, discussing how Chinese state-sponsored hackers exploited zero-day vulnerabilities to breach over 400 organizations worldwide, including critical U.S. government agencies.
Private Sector
Beyond government agencies, the attacks have severely impacted critical infrastructure and private organizations:
- Government agencies, telecommunications providers, and software companies have been primary targets
- Energy companies across multiple sectors have been compromised
- Universities and educational institutions have been affected
- Financial and healthcare organizations have reported breaches
The Vulnerabilities: CVE-2025-53770 and CVE-2025-53771
The primary vulnerability, officially designated as CVE-2025-53770, carries a critical CVSS score of 9.8 and enables unauthenticated remote code execution on affected SharePoint servers. A related vulnerability, CVE-2025-53771, addresses security bypass issues. These flaws are particularly dangerous because they allow attackers to bypass authentication mechanisms entirely and execute arbitrary code on vulnerable systems.
Understanding the Vulnerability Relationships
The Two Main Vulnerability Pairs:
CVE-2025-53770 and CVE-2025-49704
- CVE-2025-49704 was a previously disclosed SharePoint vulnerability that Microsoft had already patched
- CVE-2025-53770 is the new zero-day vulnerability that attackers are currently exploiting
- CVE-2025-53770 is described as “related to” CVE-2025-49704, meaning it’s likely a variant or bypass of the original vulnerability
CVE-2025-53771 and CVE-2025-49706
- CVE-2025-49706 was another previously disclosed SharePoint vulnerability
- CVE-2025-53771 is a new security bypass vulnerability
- CVE-2025-53771 specifically addresses security bypass issues related to the older CVE-2025-49706
How the ToolShell Attack Works
The SharePoint attack, officially known as “ToolShell,” exploits vulnerabilities CVE-2025-53770 and CVE-2025-53771 through a sophisticated multi-stage process that gives attackers complete control over on-premises SharePoint servers. This exploit chain was first demonstrated at Pwn2Own Berlin in May 2025 and has since become the standard methodology for attacking SharePoint servers.
A detailed breakdown can be found at Eye Security: https://research.eye.security/sharepoint-under-siege/
Stage 1: Authentication Bypass via ToolPane Endpoint (CVE-2025-53771)
The ToolShell attack begins by targeting the ToolPane endpoint specifically through crafted POST requests to:
/_layouts/15/ToolPane.aspx?DisplayMode=Edit
Attackers exploit a header spoofing vulnerability by using a forged Referer header pointing to /_layouts/SignOut.aspx. This tricks SharePoint’s authentication mechanisms into treating the request as legitimate, effectively bypassing all authentication requirements.
Stage 2: Malicious Payload Delivery (CVE-2025-53770)
Having bypassed authentication to reach the vulnerable ToolPane endpoint, attackers exploit an unsafe deserialization vulnerability by submitting malicious payloads in the POST request body. SharePoint deserializes this attacker-controlled data without proper validation, leading to remote code execution.
Stage 3: Web Shell Deployment
The exploit results in dropping a stealthy ASPX web shell, typically named spinstall0.aspx, into SharePoint’s layouts directory:
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\
This web shell grants persistent remote access to the server and serves as the foundation for the “shell” component of the “ToolShell” name.
Stage 4: Cryptographic Key Extraction
The uploaded web shell extracts sensitive cryptographic material from the server’s machineKey configuration, including:
- Signing algorithms: Critical for forging valid tokens
- ValidationKey: Used for validating ASP.NET ViewState
- DecryptionKey: Used for decrypting ViewState data
Stage 5: Persistent Access Through Forged Tokens
Using tools like ysoserial, attackers craft malicious ViewState payloads that SharePoint will trust and deserialize. This capability allows them to:
- Survive system reboots and security updates
- Execute arbitrary commands with high privileges
- Maintain persistent access even after patches are applied
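The request patterns in Stage 1 and Stage 3 above leave traces in the IIS W3C logs of the SharePoint front end. The following scanner is an added example, not code from the article or from Microsoft, and it assumes the default IIS W3C field layout (it reads the `#Fields:` header, so a different column order still works); the log lines, hostname and IP addresses are constructed for illustration.

```python
"""Scan IIS W3C logs for the ToolShell stage 1 and stage 3 request patterns."""
from urllib.parse import unquote

# Constructed sample log (not real traffic); host, users and IPs are made up.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\alice 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-18 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 310
2025-07-18 03:13:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 45
2025-07-18 03:14:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\bob 10.0.0.80 Mozilla/5.0 https://sp.example.test/sites/hr/_layouts/15/start.aspx 200 0 0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip malformed lines instead of misaligning
            yield dict(zip(fields, values))


def classify(rec):
    """Return a rule name when the request matches a ToolShell pattern, else None."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = unquote(rec.get("cs-uri-query", "")).lower()
    referer = unquote(rec.get("cs(Referer)", "")).lower()
    # Stage 3: any hit on the dropped web shell name, wherever it sits under _layouts.
    if stem.endswith("/spinstall0.aspx"):
        return "stage3_webshell_access"
    # Stage 1: POST to ToolPane.aspx in edit mode with a SignOut.aspx Referer.
    if (rec.get("cs-method") == "POST" and "/_layouts/" in stem
            and stem.endswith("/toolpane.aspx") and "displaymode=edit" in query
            and "/_layouts/signout.aspx" in referer):
        return "stage1_toolpane_signout_referer"
    return None


def scan_iis_log(text):
    """Return (client_ip, rule, timestamp) for every request that matches a rule."""
    hits = []
    for rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            hits.append((rec["c-ip"], rule, rec["date"] + " " + rec["time"]))
    return hits


if __name__ == "__main__":
    for ip, rule, when in scan_iis_log(SAMPLE_LOG):
        print(when, ip, rule)
```

The legitimate edit-mode POST from an authenticated user with a normal Referer (last sample line) is deliberately not flagged, so the rule keys on the SignOut.aspx Referer rather than on ToolPane.aspx alone.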
Attack Sophistication and Persistence
What makes this attack particularly concerning is its persistence mechanisms. Microsoft emphasizes that the injected code remains effective across system reboots and updates, meaning attackers can maintain access even after systems are patched.
The combination of web shell deployment and MachineKey theft creates multiple layers of persistent access, making complete remediation challenging for organizations. This is why Microsoft strongly recommends not only applying security patches but also rotating SharePoint server ASP.NET machine keys as a critical remediation step.
Chinese Attribution: Three State-Sponsored Groups Identified
Microsoft has definitively attributed the SharePoint attacks to Chinese state-sponsored hacking groups, marking a significant development in understanding the threat landscape.
Confirmed Chinese Threat Actors
Microsoft identified three specific Chinese hacking groups responsible for the attacks:
Linen Typhoon
- Active since 2012, focused on intellectual property theft
- Primarily targets government, defense, strategic planning, and human rights organizations
- Known for “drive-by compromises” and exploiting existing vulnerabilities
Violet Typhoon
- Active since 2015, specializing in espionage operations
- Targets former government and military personnel, NGOs, think tanks, higher education, media, and financial/healthcare sectors
- Operates across the U.S., Europe, and East Asia
- Persistently scans for vulnerabilities in exposed web infrastructure
Storm-2603
- Assessed with moderate confidence as a China-based threat actor
- Has been observed deploying Warlock and LockBit ransomware
- Starting on July 18, 2025, Microsoft observed Storm-2603 deploying ransomware using these vulnerabilities
Ransomware Component: The Emergence of Warlock
A particularly alarming development in this campaign is the deployment of Warlock ransomware, leveraging the SharePoint vulnerabilities. Microsoft has confirmed that the threat actor Storm-2603 is using these flaws to conduct ransomware attacks, marking a significant shift from pure espionage to a dual-threat strategy of data encryption and extortion. This shift in tactics involves attempts to steal MachineKeys, which would permit continued access to systems even after patching.
Warlock Ransomware Profile
Warlock is a sophisticated malware strain designed to encrypt a victim’s files and demand a ransom for their decryption. What makes Warlock especially dangerous in this scenario is its deployment through the already compromised SharePoint infrastructure. This method allows Storm-2603 to pivot from an intelligence-gathering operation to a destructive ransomware attack.
Deployment and Attack Strategy
Storm-2603 utilizes the compromised SharePoint servers as a staging ground for the Warlock ransomware deployment, following a multi-phased approach:
Phase 1: Intelligence Gathering and Network Infiltration
- Initial Access: The primary entry point is the exploitation of the SharePoint vulnerabilities to gain a foothold in the target network.
- Credential Theft and Persistent Access: Once inside, the attackers steal credentials and establish persistent access to maintain their presence.
- Network Reconnaissance: They then map the network infrastructure to identify high-value targets for the subsequent ransomware attack.
Phase 2: Ransomware Deployment and Impact
- Lateral Movement: Using the initial SharePoint compromise, the attackers move laterally to other systems within the organization.
- Group Policy Object (GPO) Manipulation: A key tactic is the modification of domain-level Group Policy Objects to distribute the Warlock ransomware across the entire network.
- Domain-Wide Encryption: This allows for the rapid, simultaneous encryption of files across multiple servers and workstations, maximizing the disruptive impact.
- Financial Extortion: The final stage involves demanding ransom payments for the decryption keys.
Implications of the Dual-Threat Approach
The integration of Warlock ransomware highlights several concerning trends:
- Expanding Tactics of State-Sponsored Actors: Traditional espionage-focused groups are increasingly adopting ransomware for financial gain or to create operational disruption.
- Weaponization of Infrastructure: Compromised enterprise systems are being repurposed as launchpads for subsequent, more destructive attacks.
- Evolution of Persistent Threats: Even after initial espionage goals are met, attackers can pivot to destructive actions, complicating incident response and recovery efforts.
This dual-threat strategy is particularly dangerous as it forces organizations to defend against both data exfiltration and the potential for complete system encryption.
Microsoft’s Security Response
Microsoft has released comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that fully protect customers against these vulnerabilities.
Required Security Updates
| Product | Security Update Link |
|---|---|
| Microsoft SharePoint Server Subscription Edition | Security Update (KB5002768) |
| Microsoft SharePoint Server 2019 | Security Update (KB5002754) and Language Pack (KB5002753) |
| Microsoft SharePoint Server 2016 | Security Update (KB5002760) and Language Pack (KB5002759) |
Critical Mitigation Steps
For detailed mitigation and protection guidance, see: https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/#mitigation-and-protection-guidance
Microsoft emphasizes the following immediate actions:
- Apply Latest Security Updates: Install comprehensive security updates immediately
- Configure AMSI Integration: Enable Antimalware Scan Interface in Full Mode with Microsoft Defender Antivirus
- Deploy Microsoft Defender for Endpoint: Or equivalent threat detection solutions
- Rotate SharePoint Server ASP.NET Machine Keys: Critical step after applying updates
- Restart IIS: Use iisreset.exe on all SharePoint servers
- Disconnect Vulnerable Systems: If AMSI cannot be enabled, consider disconnecting from the internet until patches are applied
Advanced Threat Detection and Response
Microsoft provides extensive detection capabilities through Microsoft Defender XDR, which offers coordinated protection across endpoints, identities, email, and cloud apps. The platform includes:
- Vulnerability Management: Track CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, and CVE-2025-49706
- External Attack Surface Management: Visibility into exposed SharePoint instances
- Advanced Hunting Queries: Comprehensive detection scripts for identifying exploitation activity
- Security Copilot Integration: AI-powered threat investigation capabilities
Key Indicators of Compromise
Microsoft has published detailed IOCs including:
- File names: spinstall0.aspx, IIS_Server_dll.dll, SharpHostInfo.x64.exe
- Malicious domains: msupdate.updatemicfosoft.com, c34718cbb4c6.ngrok-free.app
- Command and control IP addresses: 131.226.2.6, 65.38.121.198
- Multiple SHA-256 hashes for various malicious components
MITRE ATT&CK Framework Mapping
The attacks demonstrate sophisticated use of multiple MITRE ATT&CK techniques:
- Initial Access: T1190 (Exploit Public-Facing Application)
- Execution: T1059.001 (PowerShell), T1047 (WMI)
- Persistence: T1505.003 (Web Shell), T1053.005 (Scheduled Tasks)
- Credential Access: T1003.001 (LSASS Memory Dumping)
- Impact: T1486 (Data Encrypted for Impact)
Broader Security Implications
This attack highlights several critical cybersecurity concerns:
State-Sponsored Cyber Espionage
The definitive attribution to Chinese state-sponsored groups underscores the persistent threat of nation-state actors targeting critical infrastructure and sensitive government systems for espionage purposes.
Multi-Vector Attack Strategy
The combination of espionage operations with ransomware deployment shows how threat actors are diversifying their attack methods to maximize impact and potential financial gain.
Persistent Access Mechanisms
Microsoft emphasizes that these attacks are designed for persistence, with injected code remaining effective across system reboots and updates, making complete remediation challenging.
Conclusion
The SharePoint zero-day attack serves as a clear example of a sophisticated and persistent cyber threat that organizations worldwide must confront. The direct attribution to state-sponsored groups provides valuable intelligence for defenders and policymakers.
Organizations using on-premises SharePoint servers should prioritize immediate patching, AMSI configuration, machine key rotation, and enhanced monitoring to protect against both this specific threat and similar future attacks. The global scale and state-sponsored nature of this incident underscore that cybersecurity is not just a technical challenge, but a national security imperative.
Strengthen Your Server Security with Messageware
Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.
Messageware offers powerful security solutions, including:
Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.
EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.
Don’t leave your critical infrastructure vulnerable: be proactive and stay ahead of evolving threats.