1.0 Introduction
Microsoft has released new guidance and security updates to disrupt active exploitation of on-premises SharePoint Server vulnerabilities. Adversaries are chaining multiple critical flaws (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771) in targeted attacks against internet-exposed SharePoint servers. Microsoft has observed the nation-state groups Linen Typhoon and Violet Typhoon, as well as the threat actor tracked as Storm-2603, actively exploiting these vulnerabilities.
2.0 Impact
These vulnerabilities are being actively exploited. Chained together (the chain is publicly known as "ToolShell"), they allow an unauthenticated remote attacker to bypass authentication (CVE-2025-49706 and its variant CVE-2025-53771) and execute arbitrary code on the SharePoint server (CVE-2025-49704 and its variant CVE-2025-53770); the two newer CVEs bypass the fixes Microsoft shipped for the original pair in the July 8, 2025 security update. Successful exploitation leads to full system compromise, including deployment of web shells, theft of the ASP.NET MachineKey (ValidationKey and DecryptionKey) from the server configuration, and lateral movement across the network. The stolen keys are the lasting damage: they let an attacker forge validly signed __VIEWSTATE payloads, so access survives patching unless the keys are rotated.
3.0 Affected Products
- Microsoft SharePoint Server Subscription Edition versions prior to the July 21, 2025 update.
- Microsoft SharePoint Server 2019 versions prior to the July 21, 2025 update.
- Microsoft SharePoint Server 2016 versions prior to the July 21, 2025 update.
SharePoint Online in Microsoft 365 is not affected; SharePoint Server 2013 and earlier are out of support and receive no fix.
4.0 Indicators of Compromise
| Indicator | Type | Description |
|---|---|---|
| Spinstall0.aspx, spinstall.aspx, spinstall1.aspx, spinstall2.aspx | File Name | Web shells used by threat actors |
| IIS_Server_dll.dll | File Name | Storm-2603 IIS Backdoor |
| SharpHostInfo.x64.exe | File Name | Pentest tool used to collect host info via NetBIOS, SMB, WMI |
| xd.exe | File Name | Fast reverse proxy tool used to connect to C2 65.38.121[.]198 |
| debug_dev.js | File Name | File containing web config data, including MachineKey |
| \1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js | File Path | File path for stolen web configs |
| 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | SHA-256 | Hash of spinstall0.aspx |
| 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf | SHA-256 | Web shell using http/curl to receive commands from C2 |
| b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0 | SHA-256 | Web shell using sockets & DNS to receive commands from C2 |
| c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94 | SHA-256 | Web shell using sockets & DNS to receive commands from C2 |
| 1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192 | SHA-256 | Web shell using sockets & DNS to receive commands from C2 |
| 4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928 | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441 | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| 6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| 7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68 | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| 567cb8c8c8bd0d909870c65b292b57bcb24eb55a8582b884e0a228e298e7443 | SHA-256 | Hash for Storm-2603 IIS Backdoor (63 hex characters as published, so it cannot match a real SHA-256; verify against the Microsoft advisory before use) |
| 445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86 | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| 6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5 | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| c2c1fec7856e8d49f5d49276e69993837575dbbec99cd702c5be134a85b2c139 | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| 6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619 | SHA-256 | Hash for Storm-2603 IIS Backdoor |
| d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d | SHA-256 | Hash for SharpHostInfo.x64.exe |
| 62881359e75c9e8899c4bc9f452ef9743e68ce467f8b3e4398bebacde9550dea | SHA-256 | Hash for xd.exe |
| c34718cbb4c6.ngrok-free[.]app/file.ps1 | URL | Ngrok tunnel delivering PowerShell payload to C2 |
| msupdate[.]updatemicrosoft[.]com | Domain | Storm-2603 C2 domain |
| 131.226.2[.]6 | IP | Post-exploitation C2 |
| 134.199.202[.]205 | IP | IP used to exploit SharePoint |
| 104.238.159[.]149 | IP | IP used to exploit SharePoint |
| 188.130.206[.]168 | IP | IP used to exploit SharePoint |
| 65.38.121[.]198 | IP | Storm-2603 post-exploitation C2 |
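The following PowerShell sweep is an added example for applying the file-name and SHA-256 indicators above on a SharePoint server; it is not part of the original advisory or Microsoft's guidance. It assumes the default SharePoint installation root (adjust $HiveRoot otherwise) and treats 18 July 2025, the date exploitation of CVE-2025-53770 was first publicly reported, as the earliest suspicious modification date; move $SuspectSince earlier if your own logs suggest earlier activity. Run it from an elevated PowerShell prompt on every SharePoint server in the farm.

```powershell
# Added example (not from the advisory or Microsoft): sweep the 15 and 16 hive
# LAYOUTS folders for the file names and SHA-256 values listed in section 4.0,
# and report executable content changed since exploitation began.
# Assumption: default install root; change $HiveRoot if SharePoint lives elsewhere.
$HiveRoot = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions'

# File names from the IoC table
$IocNames = @(
    'spinstall0.aspx', 'spinstall.aspx', 'spinstall1.aspx', 'spinstall2.aspx',
    'IIS_Server_dll.dll', 'SharpHostInfo.x64.exe', 'xd.exe', 'debug_dev.js'
)

# SHA-256 values from the IoC table. Get-FileHash returns upper-case hex, so normalise.
# The entry starting 567cb8c8 is 63 characters as published and can never match;
# it is kept only so this list mirrors the table.
$IocHashes = @(
    '92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514',
    '24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf',
    'b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0',
    'c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94',
    '1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192',
    '4c1750a14915bf2c0b093c2cb59063912dfa039a2adfe6d26d6914804e2ae928',
    'f54ae00a9bae73da001c4d3d690d26ddf5e8e006b5562f936df472ec5e299441',
    'b180ab0a5845ed619939154f67526d2b04d28713fcc1904fbd666275538f431d',
    '6753b840cec65dfba0d7d326ec768bff2495784c60db6a139f51c5e83349ac4d',
    '7ae971e40528d364fa52f3bb5e0660ac25ef63e082e3bbd54f153e27b31eae68',
    '567cb8c8c8bd0d909870c65b292b57bcb24eb55a8582b884e0a228e298e7443',
    '445a37279d3a229ed18513e85f0c8d861c6f560e0f914a5869df14a74b679b86',
    'ffbc9dfc284b147e07a430fe9471e66c716a84a1f18976474a54bee82605fa9a',
    '6b273c2179518dacb1218201fd37ee2492a5e1713be907e69bf7ea56ceca53a5',
    'c2c1fec7856e8d49f5d49276e69993837575dbbec99cd702c5be134a85b2c139',
    '6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619',
    'd6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d',
    '62881359e75c9e8899c4bc9f452ef9743e68ce467f8b3e4398bebacde9550dea'
) | ForEach-Object { $_.ToUpperInvariant() }

# Assumption: earliest public report of exploitation; set earlier if your logs warrant it.
$SuspectSince = Get-Date '2025-07-18'

# Extensions worth hashing and date-checking (LAYOUTS holds thousands of static files).
$HashTypes   = @('.aspx', '.dll', '.exe', '.js', '.ps1', '.bat')
$ExecTypes   = @('.aspx', '.dll', '.exe')

$Findings = New-Object System.Collections.Generic.List[object]

foreach ($Hive in 15, 16) {
    $Layouts = Join-Path $HiveRoot "$Hive\TEMPLATE\LAYOUTS"
    if (-not (Test-Path -LiteralPath $Layouts)) { continue }

    Get-ChildItem -LiteralPath $Layouts -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reasons = @()
            $hash    = $null

            if ($IocNames -contains $_.Name) { $reasons += 'IoC file name' }

            if ($_.Extension -in $HashTypes) {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                if ($IocHashes -contains $hash) { $reasons += 'IoC SHA-256' }
            }

            if (($_.Extension -in $ExecTypes) -and ($_.LastWriteTime -ge $SuspectSince)) {
                $reasons += "modified since $($SuspectSince.ToString('yyyy-MM-dd'))"
            }

            if ($reasons.Count -gt 0) {
                $Findings.Add([pscustomobject]@{
                    Path    = $_.FullName
                    Written = $_.LastWriteTime
                    SHA256  = $hash
                    Reason  = ($reasons -join '; ')
                })
            }
        }
}

if ($Findings.Count -eq 0) {
    'No indicator matches under LAYOUTS.'
} else {
    $Findings | Sort-Object Written -Descending | Format-Table -AutoSize
}
```

A hit on "IoC file name" or "IoC SHA-256" should be treated as a confirmed compromise and escalated to incident response; a hit on the modification date alone needs review against your change records, since legitimate patching also writes to LAYOUTS. Because the web shells were observed being dropped directly into LAYOUTS, absence of a hit here does not clear the server: also review IIS logs for POST requests to /_layouts/15/ToolPane.aspx and check for the network indicators in the table.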
5.0 MITRE ATT&CK Techniques
| Tactic | Technique ID | Technique Name | Description |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploiting internet-facing SharePoint servers via the vulnerabilities above. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Web shells executing PowerShell to extract and transmit MachineKey data. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Batch scripts and cmd.exe used to execute PsExec. |
| Execution | T1569.002 | System Services: Service Execution | Abuse of the Windows Service Control Manager to disable Defender and launch PsExec. |
| Execution | T1047 | Windows Management Instrumentation | Impacket used to run commands remotely over WMI. |
| Persistence | T1505.003 | Server Software Component: Web Shell | Web shell installed after exploiting SharePoint. |
| Persistence | T1505.004 | Server Software Component: IIS Components | Suspicious .NET assembly loaded into the IIS worker process (w3wp.exe). |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Scheduled task created to maintain persistence. |
| Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service | PsExec used with the -s argument to run as SYSTEM. |
| Privilege Escalation | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | Group Policy used to deploy scripts for ransomware. |
| Defense Evasion | T1620 | Reflective Code Loading | Payloads reflectively loaded in memory. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Microsoft Defender disabled via registry edits. |
| Defense Evasion | T1112 | Modify Registry | Registry changes used to disable Microsoft Defender. |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Mimikatz used to dump credentials with sekurlsa::logonpasswords. |
| Discovery | T1033 | System Owner/User Discovery | whoami executed after access and privilege escalation. |
| Lateral Movement | T1570 | Lateral Tool Transfer | Impacket used with WMI to stage and run payloads remotely. |
| Collection | T1119 | Automated Collection | Web shell displays MachineKey and other configuration data. |
| Collection | T1005 | Data from Local System | Collection of host and system information by the adversary. |
| Command & Control | T1090 | Proxy | Fast reverse proxy tool used for C2 communication. |
| Impact | T1486 | Data Encrypted for Impact | Files encrypted in the ransomware stage of the attack. |
6.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review Microsoft's latest security advisory and recommended mitigation steps (see the references in section 7.0) and to apply the necessary updates.
Microsoft has released security updates addressing CVE-2025-53770 and CVE-2025-53771; these supersede the July 8, 2025 fixes for CVE-2025-49704 and CVE-2025-49706, which the newer CVEs bypass. Organizations using SharePoint Server are advised to:
- Ensure they are running supported versions (SharePoint Server 2016, 2019, or Subscription Edition); unsupported versions receive no fix and should be migrated or taken offline.
- Apply the latest security updates immediately.
- Enable and configure AMSI (Antimalware Scan Interface) in Full Mode and deploy Microsoft Defender Antivirus on all SharePoint servers.
- Rotate ASP.NET machine keys and restart IIS on every SharePoint server after applying the updates or enabling AMSI. This step is mandatory, not optional: an attacker who already ran the web shell holds the ValidationKey and DecryptionKey and can forge signed __VIEWSTATE payloads against a fully patched server until the keys change.
- If AMSI cannot be enabled, temporarily disconnect servers from the internet or restrict unauthenticated access using a VPN or authentication gateway.
- Deploy Microsoft Defender for Endpoint or equivalent endpoint detection and response (EDR) solutions to detect and block post-exploitation activity.
- Strengthen overall protection by enabling features such as cloud-delivered protection, LSA protection, Credential Guard, Tamper Protection, Controlled Folder Access, and attack surface reduction rules.
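The following script is an added example of the post-update steps above on a single SharePoint server; it is not Microsoft's own script or part of the original advisory. It assumes the Update-SPMachineKey cmdlet is available in the SharePoint Management Shell (SharePoint Server 2019 and Subscription Edition); where it is not, run the "Machine Key Rotation Job" timer job from Central Administration instead. The Defender status check assumes Microsoft Defender Antivirus is installed on the host. Run it from an elevated SharePoint Management Shell on each server in the farm.

```powershell
# Added example (not Microsoft's script): verify the update state, confirm Defender is
# healthy, rotate ASP.NET machine keys for every web application, and restart IIS.
# Assumption: Update-SPMachineKey exists on this SharePoint version (2019 / Subscription
# Edition); otherwise use the Machine Key Rotation Job in Central Administration.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1) Record the installed farm build. Compare it with the fixed build listed in the
#    MSRC entry for CVE-2025-53770 for your product version before going further.
$farm = Get-SPFarm
"Farm build version: $($farm.BuildVersion)"

# 2) Confirm Microsoft Defender Antivirus is running and protecting the host. The
#    Storm-2603 post-exploitation steps disable Defender through the registry, so a
#    healthy result here is also a weak sign the host has not been tampered with.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    TamperProtection   = $mp.IsTamperProtected
    SignatureAgeDays   = $mp.AntivirusSignatureAge
}
if (-not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning 'Defender is not fully enabled; investigate before trusting this host.'
}

# 3) Rotate the ASP.NET machine keys for every web application, Central Administration
#    included. Stolen ValidationKey / DecryptionKey values let an attacker forge signed
#    __VIEWSTATE payloads, so this is the step that actually evicts an attacker who
#    already ran spinstall0.aspx.
$rotated = @()
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        $rotated += $wa.Url
    } catch {
        Write-Warning "Machine key rotation failed for $($wa.Url): $($_.Exception.Message)"
    }
}
"Rotated machine keys for: $($rotated -join ', ')"

# 4) Restart IIS so the new keys are loaded. Repeat on every SharePoint server in the
#    farm; a server still running with the old keys keeps the forged-ViewState path open.
iisreset.exe
```

Run the rotation only after the security update is installed: rotating first and patching afterwards leaves a window in which the exploit can simply be re-run to steal the new keys. Rotation also invalidates existing ViewState and forms-authentication cookies, so users will be signed out and any custom code that stored MachineKey-derived values will need to be checked.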
We also recommend staying informed by regularly monitoring the vendor’s official security announcements. Organizations should adopt industry best practices and conduct proper risk assessments to determine which updates are applicable to their environment.
For further enquiries, please contact the Cyber999 Incident Response Team through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17:30 MYT
Web: https://www.cybersecurity.my
7.0 References
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
- https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/