The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert after discovering that Chinese state-linked hackers are actively exploiting serious vulnerabilities in Microsoft SharePoint Server. These flaws, identified as CVE-2025-49704, CVE-2025-49706, and later CVE-2025-53770 and CVE-2025-53771, allow attackers to bypass authentication and remotely execute code on unpatched SharePoint servers. The exploitation of these vulnerabilities has already begun in the wild, prompting CISA to demand immediate patching by all federal civilian agencies.
According to security researchers, the attacks started around July 7, 2025, and quickly escalated. Hackers have combined multiple vulnerabilities into a single attack method now referred to as “ToolShell.” This technique allows them to gain full control of vulnerable servers, steal encryption keys, and move laterally inside networks. Microsoft confirmed that this exploitation is ongoing and that attackers are targeting government agencies, universities, and energy companies across the United States and abroad.
CISA has given federal agencies a strict deadline to apply patches no later than July 23, 2025. This directive also encourages state governments and private sector organizations to urgently update their systems. Experts say these attacks are particularly dangerous because even organizations that had patched earlier flaws may still be vulnerable due to newly discovered bypasses. Microsoft has released multiple security updates to fix the vulnerabilities, but unpatched systems remain at high risk.
Several advanced persistent threat (APT) groups linked to China, including APT27 (also known as Linen Typhoon), APT31 (Violet Typhoon), and Storm-2603, are believed to be behind the attacks. Some of these groups have been known to target critical infrastructure and are thought to be working on behalf of the Chinese government. Microsoft and threat intelligence firms confirmed that at least one of the hacking groups involved has strong ties to the Chinese state.
Reports suggest that nearly 100 organizations have already been targeted. This includes a mix of federal and state government agencies, academic institutions, energy providers, and private companies. The attackers seem to be using stolen credentials, malicious scripts, and webshells to maintain long-term access to systems, even after initial compromise. They are also using the vulnerabilities to extract sensitive files and spy on internal communications.
Microsoft first addressed the initial vulnerabilities with patches released on July 8, 2025. However, it was later discovered that attackers could bypass those protections using new flaws, leading to the release of additional emergency patches on July 19. These flaws allow attackers to trick SharePoint into treating them as legitimate users, making the threat extremely hard to detect without thorough monitoring.
Security experts are advising all SharePoint users, especially those running on-premises versions like SharePoint Server 2016, 2019, and Subscription Edition, to apply the latest patches without delay. Microsoft 365 SharePoint Online is not affected. In addition to patching, Microsoft recommends enabling Defender Antivirus with AMSI scanning, rotating machine keys, and reviewing network logs for unusual activity.
CISA and Microsoft both warn that organizations should assume they may have already been compromised if they haven’t applied the latest updates. Some signs of compromise include suspicious HTTP POST requests, especially to pages like /_layouts/15/ToolPane.aspx, and unknown files on the server. If patching is not immediately possible, organizations are advised to take their servers offline until they can secure them.
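As an added illustration of the log review the article recommends (example code written for this page, not from CISA or Microsoft), the script below parses a constructed IIS W3C log excerpt and flags POST requests to ToolPane.aspx; requests with no cs-username are marked as unauthenticated, since the flaws bypass authentication. It goes slightly beyond the article by also matching the page under site-relative paths and in any letter case; the log lines, IPs and usernames are all invented.

```python
from dataclasses import dataclass

# Constructed sample IIS W3C log excerpt (not from any real server). IIS writes
# spaces inside the User-Agent as '+', so whitespace-splitting each line is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-18 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-18 02:15:31 10.0.0.5 POST /sites/hr/_layouts/15/toolpane.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2025-07-18 02:16:02 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 DOMAIN\\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-18 02:17:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 DOMAIN\\carol 10.0.1.22 Mozilla/5.0+(Windows+NT+10.0) 200
"""

TOOLPANE_SUFFIX = "/_layouts/15/toolpane.aspx"

@dataclass
class Finding:
    line_no: int
    client_ip: str
    user: str
    uri: str
    unauthenticated: bool  # no cs-username: the request got through without a login

def parse_iis_log(text):
    """Yield (line_no, record) per data line, naming columns from the #Fields header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or headerless line: skip rather than abort the sweep
        yield n, dict(zip(fields, parts))

def find_toolpane_posts(text):
    """Return every POST to ToolPane.aspx, including under site-relative paths, any case."""
    findings = []
    for n, rec in parse_iis_log(text):
        if rec["cs-method"].upper() != "POST":
            continue
        if not rec["cs-uri-stem"].lower().endswith(TOOLPANE_SUFFIX):
            continue
        findings.append(Finding(n, rec["c-ip"], rec["cs-username"], rec["cs-uri-stem"],
                                unauthenticated=rec["cs-username"] == "-"))
    return findings
```

Run it against a real site's IIS logs by reading the file contents into `find_toolpane_posts`; unauthenticated hits from external addresses deserve the first look.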
The ongoing attacks highlight how quickly threat actors can take advantage of newly discovered flaws, even in widely used enterprise software like SharePoint. Researchers say proof-of-concept code has already leaked online, making it easier for other hackers to replicate the exploit. This raises serious concerns for public and private sector organizations that rely heavily on SharePoint for internal communication and data storage.
These attacks have been described by cybersecurity experts as some of the most significant seen in recent years. They demonstrate the importance of timely patching, strong network monitoring, and coordination between government and private organizations in responding to cyber threats. As the situation develops, CISA continues to monitor the threat and urges all organizations to stay alert and act fast to protect their systems.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news