Microsoft confirmed that the China-linked groups Linen Typhoon, Violet Typhoon, and Storm-2603 exploited the ToolShell SharePoint flaws for initial access as early as July 7, 2025.
“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers.” reads a report published by Microsoft. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”
The tech giant warns that more threat actors are adopting the SharePoint exploits and expects continued attacks on unpatched on-premises systems.
Microsoft observed threat actors scanning and attacking on-premises SharePoint servers by sending POST requests to the ToolPane endpoint. Where the request succeeded, the attackers bypassed authentication and dropped a malicious script (such as spinstall0.aspx) that reads the server's ASP.NET MachineKey data, giving them the cryptographic material to keep access after the initial foothold. In some cases the attackers renamed the script slightly to evade file-name-based detection. Microsoft shared indicators of compromise (IOCs) and hunting queries to detect these attacks.
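The two request patterns described above (a POST to the ToolPane endpoint, followed by a request for spinstall0.aspx or a renamed copy) are easy to hunt for in IIS W3C logs. The following is an added example, not Microsoft's or SentinelOne's hunting tooling: it parses the `#Fields:` header so it works with whatever column order the server logs, treats any `spinstall<digits>.aspx` request as a hit (the exact renames attackers used are an assumption), and separates unauthenticated ToolPane POSTs from authenticated ones, because the latter are usually legitimate page edits. The log lines are constructed for the example, and the SignOut.aspx Referer check reflects Microsoft's published IOC guidance rather than anything quoted on this page.

```python
"""Hunt IIS W3C logs for the ToolShell request chain (added example, not
vendor code). Sample log lines are constructed, not real captures."""
import re
from dataclasses import dataclass

# SharePoint ToolPane endpoint under the 15 or 16 layouts hive.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
# spinstall0.aspx and lightly renamed variants. Assumption: renames keep the
# "spinstall" stem and vary only the digits (spinstall1.aspx, spinstall.aspx ...).
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample: one benign page load, one unauthenticated ToolPane POST,
# the key-theft script plus a renamed copy, and a legitimate authenticated edit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 12:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-18 12:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200
2025-07-18 12:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 12:03:44 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 198.51.100.9 curl/8.0 - 200
2025-07-18 12:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 bob 10.0.0.21 Mozilla/5.0 https://sp.example.com/sites/hr/default.aspx 200
"""


@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    reason: str
    severity: str  # "critical", "high" or "info"


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may emit a new header mid-file
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry appears before any #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than abort the hunt
        yield dict(zip(fields, parts))


def hunt(text):
    """Return findings for the ToolShell request pattern, in log order."""
    findings = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        method = rec.get("cs-method", "").upper()
        user = rec.get("cs-username", "-")
        referer = rec.get("cs(Referer)", "-")
        common = (rec.get("time", ""), rec.get("c-ip", ""), method, uri)

        if WEBSHELL_RE.search(uri):
            findings.append(Finding(*common,
                "request for spinstall*.aspx (MachineKey theft script or renamed copy)",
                "critical"))
            continue

        if method == "POST" and TOOLPANE_RE.search(uri):
            if user == "-":
                reason = "unauthenticated POST to ToolPane.aspx"
                if referer.lower().endswith("/_layouts/signout.aspx"):
                    reason += " with SignOut.aspx Referer"
                findings.append(Finding(*common, reason, "high"))
            else:
                # Authenticated editors hit ToolPane during normal page edits;
                # record it for context but do not page anyone on it alone.
                findings.append(Finding(*common,
                    f"authenticated POST to ToolPane.aspx by {user} (verify, usually benign)",
                    "info"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.time} {f.client_ip} {f.method} {f.uri}: {f.reason}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; any "critical" hit means the MachineKey on that server should be treated as compromised regardless of whether a web shell is still present, since the script's purpose is to exfiltrate the key, not to persist.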
Microsoft's report also includes short profiles of the China-nexus groups that exploited the ToolShell flaws, along with its recommended mitigations for CVE-2025-53770/53771.
SentinelOne researchers separately identified three attack clusters with distinct tactics; attribution is still in progress. All three clusters targeted high-value SharePoint deployments, with a clear emphasis on persistent access through cryptographic key theft rather than immediate control of the host.
While SentinelOne did not attribute the activity to a specific threat actor, The Washington Post, citing its sources, reported that the attacks targeting SharePoint servers were likely conducted by unnamed China-linked threat actors.