What happened
A fresh zero-day in on-prem Microsoft SharePoint (initially disclosed July 19, 2025) is being exploited by at least three China-aligned actors, Violet Typhoon, Linen Typhoon and the newly named Storm-2603, to drop Warlock and LockBit ransomware. The attackers chain CVE-2025-49704/49706 with two patch bypasses (CVE-2025-53770/53771) to run code without authentication, steal ASP.NET machine keys and pivot deeper into the network, and researchers have counted about 9 000 publicly reachable SharePoint servers that would be vulnerable if left unpatched.
Who’s affected so far
- Department of Homeland Security – CISA has warned “more than a dozen” federal entities after DHS servers were hit.
- National Nuclear Security Administration, parts of the Dept. of Energy and Education Dept. were also breached; no classified data loss confirmed yet.
- Politico reports up to five U.S. agencies and roughly 100 global organizations are now in scope.
Given how widely SharePoint underpins intranets, project sites and file workflows, any self-hosted instance that missed the July cumulative update, or applied it without the post-patch mitigations, should be considered high-risk.
The attack chain in plain English
- Initial access – Malicious HTTP request exploits a deserialization flaw, granting SYSTEM-level Remote Code Execution (RCE).
- Credential & key theft – Attackers dump MachineKey values and NTLM hashes, letting them forge cookies or replay credentials across SharePoint web-front ends.
- Privilege escalation & lateral movement – PowerShell payloads add admin users, open RDP, and harvest tokens.
- Payload delivery – A lightweight loader contacts C2, then detonates Warlock ransomware; some victims see a web-shell for hands-on-keyboard data theft instead.
Business impact
- Operational downtime – Agencies temporarily severed internal portals while integrity checks ran.
- Sensitive data exposure – Meeting minutes, procurement docs and environment diagrams often live on SharePoint, giving nation-state actors a goldmine for future campaigns.
- Patch-lag questions – Lawmakers are asking why critical infrastructure still runs legacy, on-prem SharePoint when cloud tenants were unaffected.
Immediate actions we recommend
- Prioritize patch validation – Confirm July KBs are installed and verify the new CVE-2025-53770/71 mitigations.
- Rotate machine keys & restart IIS after patching, per Microsoft’s guidance.
- Hunt for indicators: web-shells dropped in /layouts/, w3wp.exe spawning cmd.exe, and outbound traffic to .warlockcrypt[.]ru.
- Deploy or tighten an EDR with AMSI full-mode scanning on each SharePoint server.
- Run an external + internal penetration testing program to validate there are no alternate paths into the farm.
- Launch frequent vulnerability assessments that cover SharePoint, SQL and domain controllers as a single ecosystem.
- Pair technical hardening with recurring social engineering drills. Storm-2603 is known to fall back on phishing for initial footholds when exploits fail.
- Rehearse an incident with tabletop exercises so legal, PR and exec teams can pull the trigger on backups, comms and insurance without hesitation.
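To make the indicator hunt above concrete, here is an added example (not code from the article or from Microsoft) that runs the three indicators over constructed endpoint telemetry: a process event where w3wp.exe spawns a shell, a new .aspx written under the LAYOUTS hive, and a connection to a host under warlockcrypt[.]ru. The key=value log format, the file name dropped.aspx and the subdomain cdn.warlockcrypt.ru are assumptions made for the sample; real EDR output will differ in field names but not in the logic.

```python
import ntpath
import re

# Indicators named in the article (the domain is written defanged there).
C2_DOMAIN_SUFFIX = "warlockcrypt.ru"
WEB_PROCESS = "w3wp.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
LAYOUTS_DIR = "\\template\\layouts\\"
HIVE = "C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\"

# Constructed sample telemetry (hypothetical, not from any real incident); one
# event per line as key=value pairs, quoted when the value contains spaces.
SAMPLE_EVENTS = [
    "type=process parent=C:\\Windows\\System32\\inetsrv\\w3wp.exe image=C:\\Windows\\System32\\cmd.exe",
    "type=process parent=C:\\Windows\\System32\\inetsrv\\w3wp.exe image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
    "type=process parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\cmd.exe",
    f'type=file action=create path="{HIVE}dropped.aspx"',
    f'type=file action=create path="{HIVE}styles.css"',
    "type=network process=C:\\Windows\\System32\\inetsrv\\w3wp.exe dest_host=cdn.warlockcrypt.ru dest_port=443",
    "type=network process=C:\\Windows\\System32\\inetsrv\\w3wp.exe dest_host=update.microsoft.com dest_port=443",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def match_rule(ev):
    """Return the name of the hunting rule the event trips, or None."""
    kind = ev.get("type")
    if kind == "process":
        parent = ntpath.basename(ev.get("parent", "")).lower()
        child = ntpath.basename(ev.get("image", "")).lower()
        # csc.exe under w3wp is normal ASP.NET compilation; cmd/powershell is not.
        if parent == WEB_PROCESS and child in SHELL_CHILDREN:
            return "w3wp_spawns_shell"
    elif kind == "file" and ev.get("action") == "create":
        path = ev.get("path", "").lower()
        # Legitimate solution deployments also write here, so triage, do not auto-block.
        if LAYOUTS_DIR in path and path.endswith(".aspx"):
            return "new_aspx_in_layouts"
    elif kind == "network":
        host = ev.get("dest_host", "").lower()
        if host == C2_DOMAIN_SUFFIX or host.endswith("." + C2_DOMAIN_SUFFIX):
            return "warlock_c2_domain"
    return None

def hunt(lines):
    """Run every line through the rules; return (rule, line) hits in input order."""
    return [(match_rule(parse_event(l)), l) for l in lines if match_rule(parse_event(l))]
```

Expected hits on the sample are the three positive events, in order; feed real process, file and proxy logs in the same shape to reuse the rules.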
Looking ahead
Microsoft has already barred China-based engineers from DoD projects and is investigating whether an early-access vulnerability disclosure channel tipped off threat actors. Expect tighter vetting of developer NDAs, renewed calls for Software Bill of Materials (SBOMs) in federal procurement, and finally, budget to migrate those aging on-prem farms to M365 GCC High. Meanwhile, security teams can slash risk by enforcing Zero Trust for all internal web apps: conditional access, token-binding, and micro-segmented server VLANs make post-exploit movement dramatically harder.
The SharePoint zero-day storm shows that even “internal-only” collaboration tools are now front-line targets. Harden the perimeter, but verify the inside, because ransomware groups (and nation-states) certainly will.