Microsoft has issued urgent warnings about active exploitation of critical SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771 by multiple threat actors, including the China-based group Storm-2603, which has been deploying Warlock ransomware in compromised environments.
The vulnerabilities affect on-premises SharePoint Server 2016, 2019, and Subscription Edition, with exploitation attempts observed as early as July 7, 2025.
Key Takeaways
1. SharePoint zero-days CVE-2025-53770/53771 have been used to deploy web shells since July
2. Storm-2603, Linen Typhoon and Violet Typhoon are exploiting the flaws, with Storm-2603 spreading Warlock ransomware.
3. Apply updates, enable AMSI, rotate keys, and restart IIS.
Critical SharePoint Flaws Exploited
The attack chain begins with the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution flaw affecting internet-facing SharePoint servers.
Threat actors conduct reconnaissance through POST requests to the ToolPane endpoint, followed by deployment of malicious web shells named spinstall0.aspx and variants such as spinstall1.aspx and spinstall2.aspx.
The web shell contains commands to retrieve ASP.NET MachineKey data, enabling attackers to steal cryptographic keys essential for session management and authentication.
Microsoft has identified the SHA-256 hash [92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514] associated with the primary spinstall0.aspx payload.
Post-exploitation activities involve abuse of the w3wp.exe process that supports SharePoint, with attackers using cmd.exe and services.exe to disable Microsoft Defender protections through direct registry modifications.
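The reconnaissance POST to the ToolPane endpoint and the spinstall*.aspx web shell requests described above leave traces in IIS W3C logs. The following is an added detection example, not code from Microsoft or the article: it parses IIS log lines, flags the two request patterns, and checks a file's SHA-256 against the spinstall0.aspx hash quoted above. The ToolPane path `/_layouts/15/ToolPane.aspx` and the log excerpt are assumptions constructed for the example.

```python
import hashlib
import re
from typing import Iterable

# IoC quoted in the advisory: SHA-256 of the primary spinstall0.aspx web shell.
SPINSTALL0_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"

# Assumed URL paths: the article names only the "ToolPane endpoint" and the
# spinstall*.aspx file names; adjust these patterns to your environment.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?ToolPane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]):
    """Yield one dict per IIS W3C log record, keyed by the #Fields header names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request data
        elif fields:
            yield dict(zip(fields, line.split()))


def find_suspicious(lines: Iterable[str]):
    """Return (reason, client_ip, uri) for requests matching the attack chain."""
    hits = []
    for rec in parse_w3c(lines):
        uri, method, ip = rec.get("cs-uri-stem", ""), rec.get("cs-method", ""), rec.get("c-ip", "")
        if method.upper() == "POST" and TOOLPANE_RE.search(uri):
            hits.append(("toolpane-post", ip, uri))
        elif WEBSHELL_RE.search(uri):
            hits.append(("spinstall-webshell", ip, uri))
    return hits


def matches_ioc(data: bytes) -> bool:
    """True if the file contents hash to the advisory's spinstall0.aspx SHA-256."""
    return hashlib.sha256(data).hexdigest() == SPINSTALL0_SHA256


# Constructed sample log excerpt (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.20 200
2025-07-18 10:01:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 203.0.113.7 200
2025-07-18 10:01:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 200
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit on the web shell pattern should be followed by hashing any matching .aspx file under the SharePoint layouts directory with `matches_ioc`; a hash mismatch only means the file is not this exact variant, not that it is benign.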
China’s Warlock Ransomware
Three primary threat actors have been identified exploiting these vulnerabilities: Linen Typhoon and Violet Typhoon, both established Chinese state-sponsored groups, and Storm-2603, which has escalated attacks to include ransomware deployment.
Storm-2603 establishes persistence through multiple mechanisms, including scheduled tasks and manipulation of Internet Information Services (IIS) components to load suspicious .NET assemblies.
The group performs credential access using Mimikatz to target Local Security Authority Subsystem Service (LSASS) memory, extracting plaintext credentials for lateral movement via PsExec and the Impacket toolkit.
Command and control infrastructure includes domains such as update.updatemicfosoft.com and IP addresses 65.38.121.198 and 131.226.2.6.
The attack culminates with the modification of Group Policy Objects (GPOs) to distribute Warlock ransomware across compromised networks.
Microsoft has released comprehensive security updates and strongly recommends immediate patching, enabling Antimalware Scan Interface (AMSI) in Full Mode, and rotating SharePoint server ASP.NET machine keys, followed by an IIS restart using iisreset.exe.