Microsoft Confirms China-Backed APTs Actively Exploiting SharePoint Zero-Days (CVE-2025-53770, -53771)
Microsoft has confirmed that three China-linked threat groups were behind the recent wave of attacks targeting on-premises SharePoint Server installations. According to the company’s report, since early July, the vulnerabilities identified as CVE-2025-53770 and CVE-2025-53771 have been actively exploited by the adversarial groups known as Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603.
All three threat actors targeted internet-exposed servers by circumventing previously issued patches for CVE-2025-49704 and CVE-2025-49706. Their principal method involved sending POST requests to the ToolPane interface, enabling them to bypass authentication and execute arbitrary code. Once access was gained, the attackers deployed web shells such as spinstall.aspx (and its variants), through which they extracted the MachineKey—a critical asset that allows forging legitimate requests and maintaining persistent access even after security updates are applied.
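A defender-side illustration of the chain just described, added here as an example that is not part of the original report: it scans IIS W3C log lines for the two visible traces the article names, an unauthenticated POST to the ToolPane page and any request for a spinstall*.aspx web shell. The log lines are constructed, the ToolPane path `/_layouts/15/ToolPane.aspx` is assumed to be the interface meant, and the field layout is the default IIS W3C set.

```python
import re

# Constructed IIS W3C sample (not real telemetry). cs-username "-" means anonymous.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 05:12:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 - 200
2025-07-18 05:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 05:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 05:13:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 - 200
"""

# Web shell file names seen in the campaign follow the spinstall*.aspx pattern (assumed generalisation).
WEBSHELL_RE = re.compile(r"/spinstall\w*\.aspx$", re.IGNORECASE)
TOOLPANE_RE = re.compile(r"/_layouts/\d+/toolpane\.aspx$", re.IGNORECASE)


def parse_iis_log(text):
    """Turn W3C log text into dicts keyed by the names in the #Fields: header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_toolshell_indicators(records):
    """Return (client_ip, reason) for requests matching the two indicators."""
    hits = []
    for r in records:
        stem, method, user = r["cs-uri-stem"], r["cs-method"], r["cs-username"]
        # Authenticated GETs to ToolPane occur in normal editing; the anomaly is an anonymous POST.
        if method == "POST" and user == "-" and TOOLPANE_RE.search(stem):
            hits.append((r["c-ip"], "unauthenticated POST to ToolPane"))
        elif WEBSHELL_RE.search(stem):
            hits.append((r["c-ip"], "request for spinstall web shell"))
    return hits


def scan(text):
    return find_toolshell_indicators(parse_iis_log(text))


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```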
Researchers at Eye Security were the first to disclose targeted intrusions tied to this vulnerability. Their analysis documented the attackers’ use of PowerShell scripts and malicious ASPX files within already compromised environments. These techniques facilitate rapid lateral movement across the network while evading detection.
Further technical insights were provided by researcher Rakesh Krishnan, who detailed how the exploitation chain launches three Microsoft Edge processes—Network Utility, Crashpad Handler, and GPU Process—to emulate the behavior of legitimate software and avoid scrutiny. In addition, the attackers leveraged the Google Client Update Protocol (CUP), which helped disguise malicious traffic as routine browser update requests.
Microsoft emphasizes that simply applying patches is insufficient in the aftermath of compromise. If access has already been obtained, administrators must rotate their ASP.NET MachineKeys, restart the IIS service, enable AMSI in full enforcement mode, and deploy comprehensive threat detection tools such as Microsoft Defender for Endpoint. The company also warns that these exploits may be repurposed by other threat actors and reused against vulnerable systems.
This marks the second major cybersecurity incident in which China has been accused of targeting Microsoft products. An operation of similar scale occurred in 2021 with the infamous ProxyLogon campaign, in which tens of thousands of Exchange servers were breached worldwide; that operation was attributed to the threat group Hafnium (Silk Typhoon).
Earlier reports published by SecurityLab highlighted the initial signs of compromise, including the theft of MachineKeys, backdoor installation, and persistence mechanisms that survived patching. Now, Microsoft’s official attribution to Chinese actors and the confirmation of widespread exploit use underscore the severity of the threat.