Microsoft Confirms Chinese Threat Groups Exploited SharePoint Server Vulnerabilities
Patches are available, and it's best to apply them now
Microsoft has confirmed that Chinese state-backed hacking groups exploited critical flaws in on-premises SharePoint servers. The company published a detailed security blog on July 19 highlighting how attackers used CVE-2025-49704 and CVE-2025-49706. These vulnerabilities do not affect SharePoint Online in Microsoft 365.
Three Chinese-affiliated groups, Linen Typhoon, Violet Typhoon, and Storm-2603, have been linked to live exploitation. Targets include internet-exposed SharePoint servers without the latest updates.
Microsoft has released patches for SharePoint Server Subscription Edition, 2016 (1, 2) and 2019 (1, 2). These updates also address related issues CVE-2025-53770 and CVE-2025-53771.
Security teams are urged to install these updates immediately. Microsoft warns that more actors may soon weaponize the flaws. Along with patching, organizations should rotate ASP.NET machine keys and restart IIS. Microsoft also recommends enabling AMSI in Full Mode and using Defender Antivirus or similar protection.
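The mitigation steps above (rotate the ASP.NET machine keys, then restart IIS) can be scripted. The following is an added example written for this article, not Microsoft's published script or the article's own content. It assumes SharePoint Server 2019 or Subscription Edition, where the Update-SPMachineKey cmdlet is available, and that it is run in the SharePoint Management Shell as a farm administrator after the security update has been installed on every server in the farm.

```powershell
# Added example (not from the article or from Microsoft): rotate ASP.NET
# machine keys for every web application, then restart IIS.
# Assumption: SharePoint Server 2019 / Subscription Edition with the
# Update-SPMachineKey cmdlet; run in the SharePoint Management Shell.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record the farm build so it can be compared against the build number
# listed in Microsoft's advisory; rotating keys on an unpatched farm
# does not close the vulnerability.
$farmBuild = (Get-SPFarm).BuildVersion
Write-Host "Farm build version: $farmBuild (compare with the patched build in the advisory)"

# Rotate the machine keys for every web application, including Central
# Administration. Stolen keys would let an attacker forge ViewState after
# patching, which is why Microsoft recommends this step.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.DisplayName)"
    Update-SPMachineKey -WebApplication $webApp
}

# Restart IIS so every worker process loads the new keys. /noforce lets
# in-flight requests finish rather than killing the worker processes.
& iisreset.exe /noforce
```

On SharePoint Server 2016, Update-SPMachineKey is not available; there the key rotation is triggered from Central Administration as described in Microsoft's guidance. Run the script on each server in the farm and confirm afterwards that the build version matches the patched release before considering the mitigation complete.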
The company said Defender for Endpoint can help detect follow-on activity tied to these exploits. While investigations continue, Microsoft is tracking more groups that may be testing or using these vulnerabilities.
So far, only on-premises SharePoint servers are affected; SharePoint Online is not impacted. Given how quickly multiple actors have adopted these exploits, Microsoft stresses the urgency of applying the fixes, and IT admins running on-premises environments should act quickly to avoid becoming the next target.