The story surrounding the zero-day in Microsoft SharePoint continues to unfold. It is now clear that ransomware attacks have also been carried out.
As previously reported, Chinese state actors, or at least hackers with ties to the Chinese government, appear to be behind the attacks. The attacks specifically target unpatched systems and use Warlock ransomware, among other things. Microsoft stated this in a blog post.
On July 19, the Microsoft Security Response Center published an analysis of active attacks exploiting two recently discovered vulnerabilities: CVE-2025-49706 (spoofing) and CVE-2025-49704 (remote code execution). Both vulnerabilities affect only on-premises SharePoint installations and do not pose a risk to SharePoint Online in Microsoft 365. Nevertheless, the severity is significant, especially given the involvement of state actors.
Microsoft has released security updates for all supported versions of SharePoint Server, including the Subscription Edition, 2019, and 2016. The updates address not only the vulnerabilities mentioned above, but also related issues: CVE-2025-53770 and CVE-2025-53771.
Three Chinese threat groups
Of particular concern is the involvement of three Chinese threat groups. Linen Typhoon and Violet Typhoon have been observed actively targeting systems accessible from the internet. A third actor, Storm-2603, is using the same vulnerabilities to install ransomware. Microsoft warns that the speed with which these exploits are being adopted indicates that other malicious parties will take them up as well.
To address this threat, Microsoft strongly advises organizations to update their systems, enable AMSI in full mode, enable Defender Antivirus, rotate ASP.NET machine keys, and restart IIS. The use of endpoint detection solutions such as Microsoft Defender for Endpoint is also recommended.
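The key rotation and IIS restart from Microsoft's advice, as an added example that is not part of the article or of Microsoft's published guidance. It assumes SharePoint Server 2019 or Subscription Edition, an elevated SharePoint Management Shell run by a farm administrator, and that the Update-SPMachineKey cmdlet is available on the farm (on SharePoint 2016 the keys are rotated through Central Administration instead).

```powershell
# Added example (not from the article or Microsoft): rotate ASP.NET machine
# keys and restart IIS on one on-premises SharePoint server, after checking
# that Defender Antivirus real-time protection is actually on.
# Assumes SharePoint 2019 / Subscription Edition and a farm-admin session.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm Defender Antivirus is running with real-time protection.
$mp = Get-MpComputerStatus
if (-not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning "Defender Antivirus real-time protection is off on $env:COMPUTERNAME"
}

# 2. Rotate the machine keys for every web application, Central
#    Administration included. Update-SPMachineKey and its -WebApplication
#    parameter are assumed to be present on this farm (2019 / SE).
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so worker processes load the new keys; anything signed
#    with the old keys stops validating from this point on.
& iisreset.exe
```

Run the same steps on every server in the farm; a rotation that skips a server leaves that server trusting the old keys.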