Microsoft Scrambles to Patch Active SharePoint Zero-Day Exploits as Chinese Threat Actors Target US Infrastructure

In a high-stakes cybersecurity emergency, Microsoft has rushed out patches for two critical zero-day vulnerabilities in on-premises SharePoint servers (CVE-2025-53770 and CVE-2025-53771) after confirming they were actively exploited by Chinese state-sponsored hackers. These flaws—a spoofing vulnerability rated "Important" and a remote code execution (RCE) flaw rated "Critical"—enabled attackers to compromise US federal agencies, state governments, universities, and energy companies, hijacking sensitive documents and system credentials.

How the Attack Unfolded

Security firm Eye Security first detected mass exploitation on July 18, with hackers deploying a tool dubbed "ToolShell" to chain the vulnerabilities:
- CVE-2025-53771: Allows spoofing to impersonate trusted users, bypassing single sign-on (SSO) and multi-factor authentication (MFA).
- CVE-2025-53770: Enables remote code execution, granting access to SharePoint content, system files, and cryptographic keys stored in the Windows MachineKeys folder.

"This exploit chain gives threat actors lateral movement capabilities across Windows domains," explains Trey Ford, CISO at Bugcrowd. "They can steal credentials, manipulate configurations, and pivot to connected services like Outlook or Teams."

Microsoft attributes the attacks to three Chinese APT groups:
1. Linen Typhoon: Targets government, defense, and human rights organizations for intellectual property theft.
2. Violet Typhoon: Focuses on espionage against NGOs, media, and financial sectors.
3. Storm‑2603: A newly identified group stealing cryptographic keys.

Why Initial Patches Failed

Microsoft’s July 8 Patch Tuesday updates (CVE-2025-49706/49704/49701) attempted to resolve these issues but were circumvented by attackers. The company admits the new patches provide "more robust protections," underscoring the difficulty of securing sprawling enterprise environments.

Ford notes: "Complex codebases and varied implementations make comprehensive patching nearly impossible. Organizations running legacy systems face exponential risk."

Immediate Mitigation Steps

For affected SharePoint versions:

1. Install Patches:
- SharePoint Server Subscription Edition: Download update
- SharePoint Server 2019: Download update

2. Critical Hardening Measures:
- Rotate SharePoint Server ASP.NET machine keys immediately (compromised keys allow persistent access).
- Enable Windows Antimalware Scan Interface (AMSI) with Defender Antivirus.
- Deploy Microsoft Defender for Endpoint.
- Audit internet-exposed SharePoint servers—limit accessibility to untrusted networks.

Warning: SharePoint Server 2016 remains unpatched. Monitor Microsoft’s guidance page for updates.

The Larger Threat Landscape

This incident reveals deeper industry vulnerabilities:
- On-Premises Peril: Cloud-based SharePoint Online is unaffected, emphasizing risks in self-hosted infrastructure.
- Patch Fatigue: Incomplete fixes erode trust; Ford stresses reducing attack surfaces by minimizing publicly exposed services.
- Nation-State Agility: APT groups weaponize flaws within days, outpacing enterprise response cycles.

As cyber-espionage tactics evolve, this breach serves as a stark reminder: in the arms race between defenders and state-backed hackers, proactive hardening and zero-trust architectures are non-negotiable.

Source: Microsoft fixes two SharePoint zero-days under attack by Lance Whitney for ZDNet.