Microsoft has issued urgent warnings regarding the active exploitation of critical SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771 by multiple threat actors, including the China-based Storm-2603 group, which is deploying Warlock ransomware in compromised environments.
The vulnerabilities affect SharePoint Server 2016, 2019, and Subscription Edition versions, with exploitation attempts observed as early as July 7, 2025.
Key Conclusions
1. SharePoint zero-days CVE-2025-53770/53771 have been used to deploy web shells since July.
2. Storm-2603 is deploying Warlock ransomware; the state-backed Linen Typhoon and Violet Typhoon groups are exploiting the same flaws.
3. Apply updates, enable AMSI, rotate keys, and restart IIS.
Critical SharePoint Flaws Under Exploitation
The attack chain begins with the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution flaw, on internet-facing SharePoint servers. CVE-2025-53770 and CVE-2025-53771 are variants of those two bugs that bypass the fixes Microsoft shipped for them in the July 2025 Patch Tuesday update, which is why servers that had only the earlier patches were still exploitable.
The exploit is delivered as a crafted POST request to the ToolPane endpoint (/_layouts/15/ToolPane.aspx), followed by the deployment of malicious web shells named spinstall0.aspx and variants such as spinstall1.aspx and spinstall2.aspx.
Rather than running arbitrary commands, the web shell's purpose is to read the server's ASP.NET MachineKey configuration (the ValidationKey and DecryptionKey). Those keys sign and encrypt __VIEWSTATE and other ASP.NET state, so an attacker holding them can forge payloads that the server will deserialize and execute. That access survives patching: until the keys are rotated, a patched server can still be re-entered without triggering the original exploit.
Microsoft has identified the SHA-256 hash [92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514] associated with the primary spinstall0.aspx payload.
Post-exploitation commands run from the SharePoint IIS worker process (w3wp.exe), which spawns cmd.exe and batch scripts; Storm-2603 has also used services.exe to disable Microsoft Defender protections through direct registry modifications.
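The two server-side traces described above (the ToolPane POST in the IIS logs and the spinstall web shell in the LAYOUTS folder) can be hunted for with a short script. The following is an added example, not code from Microsoft's advisory or from this article. It assumes IIS W3C logging with the default field set (including cs(Referer)), the SharePoint hive paths shown, and that the exploit request carries a Referer of /_layouts/SignOut.aspx with the query DisplayMode=Edit, which is how the public reports describe it; the log sample is constructed.

```powershell
# Added example (not Microsoft's or the article's own code): hunt for ToolShell
# indicators on a SharePoint server. Assumptions: IIS W3C logs with the default
# field set, the SharePoint LAYOUTS paths below, and the Referer/query pattern
# of the exploit request as publicly reported.

$Sha256Ioc = '92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514'  # spinstall0.aspx hash from the advisory

# Constructed sample of an IIS W3C log. In practice read the real file, e.g.:
#   Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex250718.log'
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:41:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2025-07-18 10:41:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 331
2025-07-18 10:41:10 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15
'@

function Find-ToolShellRequests {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: header tells us the column order; do not hard-code it.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # Exploit delivery: POST to ToolPane.aspx with the SignOut.aspx referer.
        $isToolPanePost = $rec['cs-method'] -eq 'POST' -and
                          $rec['cs-uri-stem'] -match '/_layouts/(15/)?ToolPane\.aspx$' -and
                          $rec['cs(Referer)'] -match '/_layouts/SignOut\.aspx'
        # Follow-up: any request for the spinstall web shell family.
        $isShellHit = $rec['cs-uri-stem'] -match '/spinstall\d*\.aspx$'

        if ($isToolPanePost -or $isShellHit) {
            $reason = if ($isToolPanePost) { 'ToolPane POST with SignOut referer' } else { 'spinstall web shell requested' }
            [pscustomobject]@{
                Time    = "$($rec['date']) $($rec['time'])"
                Client  = $rec['c-ip']
                Method  = $rec['cs-method']
                Uri     = $rec['cs-uri-stem']
                Query   = $rec['cs-uri-query']
                Referer = $rec['cs(Referer)']
                Status  = $rec['sc-status']
                Reason  = $reason
            }
        }
    }
}

function Find-SpinstallWebShells {
    # LAYOUTS folders for the 16 hive (SharePoint 2016, 2019, SE) and the legacy 15 hive.
    $layouts = @(
        "${env:CommonProgramFiles}\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
        "${env:CommonProgramFiles}\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
    ) | Where-Object { Test-Path $_ }
    foreach ($dir in $layouts) {
        Get-ChildItem -Path $dir -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
                [pscustomobject]@{
                    Path     = $_.FullName
                    Created  = $_.CreationTimeUtc
                    Sha256   = $hash
                    KnownIoc = ($hash -eq $Sha256Ioc)   # false for renamed variants, so still treat any hit as suspect
                }
            }
    }
}

Find-ToolShellRequests -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
Find-SpinstallWebShells | Format-Table -AutoSize
```

Against the constructed sample the first function reports the ToolPane POST and the spinstall0.aspx fetch from 203.0.113.9 and ignores the ordinary start.aspx request. A file hit whose hash does not match the published value is still a finding: the variants named in the advisory differ only in name and content, not in location.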
Warlock Ransomware from China
Three main threat actors have been identified exploiting these vulnerabilities: Linen Typhoon and Violet Typhoon, both established Chinese state-backed groups, and Storm-2603, which has escalated attacks to include ransomware deployment.
Storm-2603 establishes persistence through multiple mechanisms, including scheduled tasks and manipulating Internet Information Services (IIS) components to load suspicious .NET assemblies.
The group performs credential access using Mimikatz to target Local Security Authority Subsystem Service (LSASS) memory, extracting plaintext credentials for lateral movement via PsExec and the Impacket toolkit.
Command and control infrastructure includes domains such as update.updatemicfosoft.com and IP addresses 65.38.121.198 and 131.226.2.6.
The attack culminates in the modification of Group Policy Objects (GPO) to distribute Warlock ransomware across compromised networks.
Microsoft has released comprehensive security updates and strongly recommends immediate patching, enabling Antimalware Scan Interface (AMSI) integration in Full Mode with Microsoft Defender Antivirus, and rotating the SharePoint server's ASP.NET machine keys, followed by an IIS restart using iisreset.exe. The order matters: installing the update closes the entry point, but an attacker who already copied the machine keys keeps working access until those keys are rotated and the worker processes restarted, so any internet-facing server that was unpatched during the exploitation window should be treated as compromised and investigated, not just updated.
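The remediation steps above, as an added example script rather than Microsoft's own guidance text or anything from this article. It is meant to be run in an elevated SharePoint Management Shell on every server in the farm after the security update is installed. Assumptions: the Update-SPMachineKey cmdlet is available (SharePoint 2019 and Subscription Edition; on 2016 the rotation is driven from the Central Administration "Machine Key Rotation Job" instead), the Defender policy registry values listed are the ones an attacker would flip, and the Defender AMSI provider CLSID shown is the registered one.

```powershell
# Added example (not Microsoft's or the article's script): post-patch remediation
# on one SharePoint server. Assumptions: Update-SPMachineKey exists on this build,
# the Defender policy values below are the relevant ones, and the Defender AMSI
# provider CLSID is as shown.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Tampering checks: Storm-2603 disables Defender via direct registry writes,
#    so look at the policy keys the product honours and at the live status.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$rtp    = "$policy\Real-Time Protection"
$tamper = foreach ($pair in @(
        @{ Path = $policy; Name = 'DisableAntiSpyware' },
        @{ Path = $policy; Name = 'DisableAntiVirus' },
        @{ Path = $rtp;    Name = 'DisableRealtimeMonitoring' })) {
    $v = Get-ItemProperty -Path $pair.Path -Name $pair.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($pair.Name) -eq 1) { "$($pair.Path)\$($pair.Name) = 1" }
}
if ($tamper) { Write-Warning "Defender disabled by policy keys:`n$($tamper -join "`n")" }

$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { Write-Warning 'Defender real-time protection is off' }
if (-not $mp.AntivirusEnabled)          { Write-Warning 'Defender antivirus engine is disabled' }

# 2. AMSI readiness: SharePoint's AMSI integration (enabled in Central Administration,
#    Full Mode) only scans if an AMSI provider is registered. Check Defender's.
$defenderAmsi = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}'
if (-not (Test-Path $defenderAmsi)) { Write-Warning 'Defender AMSI provider is not registered' }

# 3. Rotate the ASP.NET machine keys for every web application, including Central
#    Administration. Stolen ValidationKey/DecryptionKey values let the attacker forge
#    __VIEWSTATE payloads after patching, so this step is what actually evicts them.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 4. Restart IIS so the worker processes load the new keys and drop any .NET
#    assemblies an attacker injected into the running w3wp.exe processes.
& "$env:SystemRoot\System32\iisreset.exe"
```

Run the script on each SharePoint server; the key rotation is farm-wide but the IIS restart and the Defender checks are per host. A Defender or AMSI warning from step 1 or 2 is itself evidence of compromise and should trigger the incident-response process rather than a silent re-enable.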