Chinese threat actors exploit SharePoint flaws in coordinated global cyberattacks.
Key Takeaways:
Microsoft has disclosed that Chinese state-sponsored threat actors are actively exploiting critical vulnerabilities in on-premises SharePoint servers to launch global cyberattacks. So far, Microsoft researchers have confirmed breaches at more than 54 organizations across multiple countries.
According to the Microsoft Threat Intelligence team, Microsoft has observed three China-based state-backed groups (tracked as Linen Typhoon, Violet Typhoon, and Storm-2603) exploiting the zero-day SharePoint vulnerabilities to break into vulnerable SharePoint servers.
Microsoft has recently released security updates to patch two vulnerabilities (tracked as CVE-2025-49704 and CVE-2025-49706) affecting on-premises SharePoint servers. These flaws could allow attackers to bypass authentication and execute malicious code over the network. The bugs affect SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016.
The first wave of attacks began on July 18, with hackers deploying a PowerShell-based backdoor on vulnerable SharePoint servers. A second wave followed on July 19, focusing on delivering similar payloads designed to steal sensitive data from targeted systems. Cybersecurity researchers have identified compromised SharePoint servers in multiple countries, including Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, the UK, and the US.
“In observed attacks, threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named spinstall0.aspx. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc. The spinstall0.aspx script contains commands to retrieve MachineKey data and return the results to the user through a GET request, enabling the theft of the key material by threat actors,” the Microsoft Threat Intelligence team explained.
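The file-name pattern quoted above (spinstall.aspx, spinstall0.aspx, spinstall1.aspx, and so on) is something a defender can hunt for directly in IIS request logs. The following is an added example, not code from Microsoft or from the original article: it parses a constructed W3C-format IIS log excerpt, flags every request whose URI stem names a spinstall*.aspx file, and marks a GET answered with 200 as a suspected key retrieval, since the advisory describes the script returning MachineKey data through a GET. The log lines, client addresses and paths are made up for illustration.

```python
import re

# Constructed IIS W3C log excerpt (sample data, not real telemetry).
# File names mirror the variants named in the advisory; IPs and paths are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 03:12:44 GET /_layouts/15/start.aspx - 192.0.2.10 200
2025-07-18 03:13:01 POST /_layouts/15/spinstall0.aspx - 198.51.100.7 200
2025-07-18 03:13:05 GET /_layouts/15/spinstall0.aspx - 198.51.100.7 200
2025-07-19 11:40:22 GET /_layouts/15/spinstall1.aspx - 198.51.100.9 404
2025-07-19 11:41:02 GET /sites/hr/Shared%20Documents/report.docx - 192.0.2.11 200
"""

# Matches spinstall.aspx, spinstall0.aspx, spinstall1.aspx, ... (case-insensitive).
SPINSTALL_RE = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_spinstall_hits(log_text):
    """Return every request whose URI stem names a spinstall*.aspx file.

    A GET answered with 200 is flagged as a suspected key retrieval because the
    advisory describes the script returning MachineKey data on a GET request.
    """
    hits = []
    for rec in parse_w3c(log_text):
        name = rec["cs-uri-stem"].rsplit("/", 1)[-1]
        if SPINSTALL_RE.match(name):
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "method": rec["cs-method"],
                "path": rec["cs-uri-stem"],
                "client": rec["c-ip"],
                "status": int(rec["sc-status"]),
                "key_retrieval_suspected": rec["cs-method"] == "GET" and rec["sc-status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_spinstall_hits(SAMPLE_LOG):
        print(hit)
```

Any hit, including a 404, is worth investigating, because the name variants show the actors renaming the script; a 200 on a GET means the machine keys should be treated as compromised and rotated.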

Microsoft has warned that these groups will continue to target unpatched SharePoint servers worldwide, and recommends that all customers install the security updates for the SharePoint zero-days immediately.
Microsoft also recommends that administrators review and rotate all relevant SharePoint and Active Directory credentials, along with any system tokens or secrets. Additional mitigation steps include reducing externally exposed SharePoint services, enabling the Antimalware Scan Interface, rotating machine keys, and ensuring hardened configurations are implemented across the enterprise network.