Microsoft Issues Urgent Warning: SharePoint Servers at Risk

Microsoft's Urgent SharePoint Warning
Microsoft Corp (NASDAQ: MSFT) has raised an alarm about active attacks targeting on-premises SharePoint servers. The company strongly advises organizations to apply newly released security updates promptly to mitigate risks.
Details of the Vulnerabilities
The security alert, published by the Microsoft Security Response Center, reveals that two significant vulnerabilities have been exploited: a spoofing flaw and a remote code execution vulnerability. State-sponsored actors are reportedly behind these attacks.
Impacted Versions of SharePoint
It's essential to note that these vulnerabilities do not affect SharePoint Online hosted on Microsoft 365. The security patches are available for supported versions of SharePoint Server, including Subscription Edition, 2019, and 2016.
Comprehensive Security Updates
In addition to addressing the main vulnerabilities, Microsoft has patched related issues identified as CVE-2025-53770 and a bypass vulnerability, CVE-2025-53771, providing a more thorough security remedy for affected systems.
Attribution of Exploitation Campaigns
Microsoft has attributed these ongoing exploitation campaigns to three threat actors based in China: Linen Typhoon, Violet Typhoon, and Storm-2603. These groups have been targeting publicly accessible SharePoint servers since July.
Mechanism of the Attacks
In the observed attacks, threat actors send specially crafted POST requests to the ToolPane endpoint of SharePoint servers. This allows them to upload malicious ASP.NET scripts, often named with variations of "spinstall0.aspx". These scripts can extract MachineKey data through GET requests, potentially leading to further compromises of targeted systems.
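Defenders can look for the request pattern described above in IIS logs. The following is an added example, not code from Microsoft or from the original article; the W3C field layout, the `/_layouts/15/` path prefix and every sample log line are assumptions constructed for illustration.

```python
import re

# Constructed IIS W3C log excerpt (documentation-range IPs; not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-20 10:01:11 198.51.100.7 GET /sites/hr/SitePages/Home.aspx 200
2025-07-20 10:02:40 203.0.113.9 POST /_layouts/15/ToolPane.aspx 200
2025-07-20 10:02:44 203.0.113.9 GET /_layouts/15/spinstall0.aspx 200
2025-07-20 10:05:02 192.0.2.55 GET /_layouts/15/SpInstall1.aspx 404
2025-07-20 10:06:30 198.51.100.7 POST /_layouts/15/viewlsts.aspx 200
"""

TOOLPANE = re.compile(r"/toolpane\.aspx$", re.I)      # ToolPane endpoint (assumed path suffix)
DROPPED = re.compile(r"/spinstall\w*\.aspx$", re.I)   # variations of spinstall0.aspx

def parse(log_text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def hunt(log_text):
    """Return (findings, clients seen in both stages)."""
    findings, posted, fetched = [], set(), set()
    for r in parse(log_text):
        stem, ip, status = r["cs-uri-stem"], r["c-ip"], r["sc-status"]
        if r["cs-method"] == "POST" and TOOLPANE.search(stem):
            findings.append(("toolpane_post", ip, stem, status))
            posted.add(ip)
        elif r["cs-method"] == "GET" and DROPPED.search(stem):
            findings.append(("spinstall_get", ip, stem, status))
            if status == "200":             # the file exists and was served
                fetched.add(ip)
    return findings, sorted(posted & fetched)

if __name__ == "__main__":
    hits, both = hunt(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("POST to ToolPane and successful spinstall GET from:", both)
```

A 404 on a spinstall-style name still deserves a look as probing, while a 200 means the file is present on the server and the MachineKey material should be treated as exposed.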
Activity of Threat Actors
Linen Typhoon has been active since 2012, predominantly targeting government and defense sectors for the purpose of intellectual property theft. Violet Typhoon, on the other hand, has been operational since 2015, focusing on espionage within NGOs, media outlets, and educational institutions. Storm-2603 has earlier connections to ransomware activities, but its current intentions remain uncertain.
Microsoft's Ongoing Response
Microsoft is continuously monitoring the situation and urges system administrators to act swiftly. Delaying patching could expose systems to escalating threats.
Previous Flaws and Fixes
A recent security update from Microsoft did not fully address a critical flaw in SharePoint server software. This oversight left systems at risk of a large-scale cyber espionage campaign, affecting around 100 organizations.
Recent Bug Discovery
The vulnerability in question was first discovered during a cybersecurity competition held in Berlin, where a researcher revealed the existence of a serious flaw in Microsoft SharePoint, dubbed “ToolShell.” This finding showcased a method for executing attacks.
Current Stock Status
As a reflection of the market's reaction, MSFT stock registered a slight decline of 0.64%, trading at $502.05.
Frequently Asked Questions
What vulnerabilities is Microsoft warning about?
Microsoft has issued alerts about a spoofing flaw and a remote code execution vulnerability in on-premises SharePoint servers.
Who are the actors behind these attacks?
The attacks are reportedly attributed to three China-based groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
What versions of SharePoint are affected?
The vulnerabilities affect on-premises versions of SharePoint Server, specifically Subscription Edition, 2019, and 2016.
What should organizations do?
Organizations must apply critical security patches provided by Microsoft to protect their systems from exploitation.
How is Microsoft responding to this situation?
Microsoft continues to monitor the threats and recommends prompt patching to close the vulnerabilities in affected systems.
About The Author
Contact Thomas Cooper privately here. Or send an email with ATTN: Thomas Cooper as the subject to contact@investorshangout.com.