Bivash Nayak
23 Jul

On July 23, 2025, Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued urgent warnings about active exploitation of two zero-day vulnerabilities in on-premises Microsoft SharePoint servers by Chinese state-sponsored hacking groups. Tracked as CVE-2025-49704 (spoofing vulnerability, CVSS score: 8.8) and CVE-2025-49706 (remote code execution vulnerability), these flaws have been chained together in attacks dubbed "ToolShell" to enable credential theft and persistent access. Over 100 U.S. organizations, including those in government, telecommunications, and software sectors, have been targeted, with exploitation observed as early as July 7, 2025. This incident underscores escalating espionage risks, particularly to critical infrastructure. Below, we break down the vulnerabilities, attack methods, impacts, and recommended defenses.

The Vulnerabilities: CVE-2025-49704 and CVE-2025-49706

These zero-days affect on-premises Microsoft SharePoint servers, allowing attackers to bypass authentication and execute arbitrary code remotely.

  • CVE-2025-49704 (Spoofing Vulnerability): Enables attackers to impersonate legitimate users or services, facilitating initial access without authentication.
  • CVE-2025-49706 (Remote Code Execution): Allows execution of malicious code on the server, often leading to deployment of webshells for persistence.

The chain, known as ToolShell, targets the "/layouts/15/ToolPane.aspx" endpoint, exploiting flaws to steal cryptographic secrets and forge authentication tokens. Microsoft has released patches, but unpatched systems remain vulnerable to unauthenticated attacks.

Attack Vectors and Perpetrators

Chinese APT groups, including Linen Typhoon (aka Salt Typhoon), Violet Typhoon, and Storm-2603, have been linked to these exploits. These actors, affiliated with China's Ministry of State Security (MSS), target organizations for espionage, focusing on government, defense, and human rights entities. Key tactics include:

  • Initial Exploitation: Targeting internet-exposed SharePoint servers with drive-by attacks to exploit the spoofing flaw, followed by RCE for code injection.
  • Persistence and Exfiltration: Deploying webshells like ToolShell for long-term access, stealing credentials, and exfiltrating sensitive data.
  • Observed IPs: Exploitation attempts from IPs like 104.238.159.149, 107.107.58.76, and 96.9.125.147, some tied to prior Ivanti exploits.

Attacks have hit over 54 organizations worldwide, with a focus on North America and Western Europe.

Impacts: Espionage Risks to Critical Infrastructure

This campaign heightens risks of intellectual property theft, network compromise, and disruption to critical sectors. By stealing cryptographic keys, attackers can maintain access even after initial exploits are patched, enabling prolonged espionage. Affected U.S. organizations exceed 100, amplifying concerns over supply chain security and national infrastructure vulnerabilities. Broader implications include eroded trust in Microsoft products and calls for enhanced international cyber diplomacy to counter state-sponsored threats.

Response and Mitigation: Urgent Patching Advised

Microsoft released patches on July 22, 2025, disrupting active exploits by updating SharePoint servers to block unauthenticated access. CISA added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to patch by July 23, 2025. Organizations are urged to:

  • Apply Patches Immediately: Update to the latest SharePoint versions and enable multi-factor authentication (MFA) where possible.
  • Monitor for IOCs: Scan for suspicious activity on ToolPane.aspx endpoints and check for webshells.
  • Enhance Defenses: Implement network segmentation, restrict internet exposure of SharePoint servers, and deploy endpoint detection and response (EDR) tools.
  • Incident Response: If compromised, reset credentials, audit logs, and collaborate with authorities.
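As an added detection example (not from the original post, nor from Microsoft or CISA guidance), the following Python scan reads IIS W3C log lines and flags requests to the ToolPane.aspx endpoint and any hit from the IPs listed above. The log lines are constructed for illustration, and the `/_layouts/15/` path prefix and the field layout are assumptions about a typical SharePoint-on-IIS deployment.

```python
# IPs the post lists as sources of exploitation attempts.
OBSERVED_IPS = {"104.238.159.149", "107.107.58.76", "96.9.125.147"}

def parse_w3c(lines):
    """Yield (line_no, record) for IIS W3C log lines, keyed by the #Fields header."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed lines instead of misaligning columns
                yield n, dict(zip(fields, parts))

def scan(lines):
    """Return findings: requests hitting ToolPane.aspx or coming from the listed IPs."""
    findings = []
    for n, rec in parse_w3c(lines):
        uri, ip, method = rec.get("cs-uri-stem", ""), rec.get("c-ip", ""), rec.get("cs-method", "")
        reasons = []
        if uri.lower().endswith("/toolpane.aspx"):  # matches both /layouts/15/ and /_layouts/15/ forms
            reasons.append("toolpane-endpoint")
            if method.upper() == "POST":
                reasons.append("toolpane-post")
        if ip in OBSERVED_IPS:
            reasons.append("observed-ip")
        if reasons:
            findings.append({"line": n, "ip": ip, "method": method, "uri": uri, "reasons": tuple(reasons)})
    return findings

# Constructed sample log (not real traffic); columns follow the IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 02:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 - 10.0.1.22 Mozilla/5.0 200
2025-07-18 02:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 104.238.159.149 Mozilla/5.0 200
2025-07-18 02:16:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 96.9.125.147 Mozilla/5.0 302
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['method']} {f['uri']} from {f['ip']} -> {', '.join(f['reasons'])}")
```

Any hit on the endpoint from an unauthenticated source, especially a POST, is worth a closer look alongside the webshell checks above; the IP list is a starting point, not an allowlist of the only bad sources.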

This event highlights the persistent threat from nation-state actors, emphasizing the need for proactive patching and robust security hygiene to safeguard against espionage-driven exploits. For detailed guidance, refer to Microsoft's security blog and CISA advisories.
