Microsoft reports that Chinese threat actors have been exploiting the SharePoint zero-day vulnerabilities known as ToolShell since July 7, much earlier than previously believed. The attackers targeted high-value organizations by exploiting CVE-2025-49706 and CVE-2025-49704, and exploitation by nation-state actors such as Linen Typhoon and Violet Typhoon is ongoing. #ToolShell #LinenTyphoon #VioletTyphoon #SharePointVulnerabilities
Key points
- Chinese threat actors began exploiting SharePoint zero-days as early as July 7.
- The exploits target CVE-2025-49706 and CVE-2025-49704, which together allow authentication bypass and remote code execution.
- Nation-state groups Linen Typhoon, Violet Typhoon, and Storm-2603 are involved in these attacks.
- Microsoft has released patches for the vulnerabilities, but exploitation continues, highlighting ongoing risks.
- Mitigations like AMSI may not fully prevent exploitation, emphasizing the importance of applying patches promptly.