
**Headline: Urgent: Microsoft Warns of Active SharePoint Server Exploits, Ransomware Attacks**
**Redmond, WA – July 23, 2025** – Microsoft is urging customers to immediately apply security updates to on-premises SharePoint servers after observing a surge in exploitation attempts, including ransomware deployment, targeting known vulnerabilities. The attacks leverage CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, to gain initial access to vulnerable systems.
According to a security advisory released today, Microsoft has identified multiple threat actors actively exploiting these flaws. Two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, are reportedly using the vulnerabilities for espionage and intellectual property theft. A third China-based threat actor, tracked as Storm-2603, is actively deploying Warlock ransomware after gaining access through these exploits.
“We assess with high confidence that threat actors will continue to integrate these exploits into their attacks against unpatched on-premises SharePoint systems,” Microsoft warned in its advisory. The company noted that attacks begin with a crafted POST request to the ToolPane endpoint, enabling actors to upload malicious scripts like `spinstall0.aspx` to steal sensitive MachineKey data. The attacker then moves laterally using tools like Mimikatz and PsExec to disable security features and deploy ransomware.
The vulnerabilities affect on-premises SharePoint servers only and do *not* impact SharePoint Online in Microsoft 365. Microsoft has released comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016). These updates address CVE-2025-53770, a newly disclosed vulnerability related to CVE-2025-49704, and CVE-2025-53771, a security bypass vulnerability related to the previously disclosed CVE-2025-49706.
Microsoft strongly recommends that customers using on-premises SharePoint servers immediately apply these updates. Additional mitigations include enabling Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments, configuring AMSI to enable Full Mode, rotating SharePoint server ASP.NET machine keys, and restarting Internet Information Services (IIS). Customers should also deploy Microsoft Defender for Endpoint or equivalent solutions.
The company has provided Indicators of Compromise (IOCs) and hunting queries to assist organizations in detecting and responding to potential breaches. Microsoft Security Copilot can also be leveraged to investigate and respond to incidents, hunt for threats, and protect organizations with relevant threat intelligence.
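As an added illustration of the kind of log hunting described above (this is not one of Microsoft's own queries or IOCs), the following Python script scans IIS W3C logs from a SharePoint front end for the two signals the advisory names: unauthenticated POST requests to the ToolPane endpoint and any request for `spinstall0.aspx`. The `/_layouts/15/ToolPane.aspx` path, the log column layout and the sample log lines are assumptions constructed for the example.

```python
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample IIS W3C log (not real traffic). The /_layouts/15/
# ToolPane.aspx path and the column layout are assumptions; IIS writes
# spaces inside User-Agent as '+', so whitespace splitting is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0+(Windows) 200
2025-07-19 03:14:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.0.21 Mozilla/5.0+(Windows) 200
2025-07-19 03:20:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2025-07-19 03:20:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header repeats after log rollover
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def hunt(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule, client_ip, timestamp) for each suspicious request.
    Authenticated POSTs to ToolPane.aspx are normal web-part editing, so only
    unauthenticated ones (cs-username '-') are reported; any request for the
    malicious spinstall0.aspx script is reported regardless of user.
    """
    findings = []
    for rec in parse_w3c(log_text.splitlines()):
        stem = rec["cs-uri-stem"].lower()
        when = f"{rec['date']} {rec['time']}"
        if (stem.endswith("/toolpane.aspx") and rec["cs-method"] == "POST"
                and rec["cs-username"] == "-"):
            findings.append(("unauthenticated-toolpane-post", rec["c-ip"], when))
        if "spinstall0" in stem:
            findings.append(("spinstall0-request", rec["c-ip"], when))
    return findings


if __name__ == "__main__":
    # Pass a u_ex*.log path to scan a real file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IIS_LOG
    for rule, ip, when in hunt(text):
        print(f"{when} {ip} {rule}")
```

A hit on either rule is a trigger to check the server for the MachineKey theft and lateral movement the advisory describes, not proof of compromise on its own.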
Microsoft continues to monitor the situation and will provide updates as the investigation progresses. Customers are encouraged to stay vigilant and prioritize the implementation of security measures to protect against these evolving threats.