Microsoft reported ongoing exploits targeting on-premises SharePoint servers using vulnerabilities CVE-2025-49706 and CVE-2025-49704 by Chinese threat actors including Linen Typhoon, Violet Typhoon, and Storm-2603. Immediate application of Microsoft’s security updates and recommended mitigations such as enabling AMSI and rotating machine keys are critical to protect affected systems. #CVE-2025-49706 #LinenTyphoon #VioletTyphoon #Storm-2603 #spinstall0.aspx
Keypoints
- Microsoft disclosed active attacks against on-premises SharePoint servers exploiting vulnerabilities CVE-2025-49706 (spoofing) and CVE-2025-49704 (remote code execution).
- Security updates have been released for SharePoint Server Subscription Edition, 2019, and 2016 to protect against these and related vulnerabilities CVE-2025-53770 and CVE-2025-53771.
- Chinese nation-state groups Linen Typhoon and Violet Typhoon, together with another China-based actor, Storm-2603, have been observed exploiting these SharePoint vulnerabilities.
- Threat actors upload and use web shells named spinstall0.aspx (and variants) to steal ASP.NET machine keys and maintain persistence.
- Microsoft recommends enabling Antimalware Scan Interface (AMSI) in Full Mode, using Defender Antivirus, rotating machine keys, and deploying Defender for Endpoint for post-exploitation detection.
- Indicators of compromise include web shell file names, PowerShell scripts, IP addresses, and malicious domain URLs linked to the attacks.
- Microsoft Defender XDR and Sentinel offer relevant detections, hunting queries, and coordinated protection coverage across attack phases.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Exploitation of SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 by sending POST requests to ToolPane endpoint (‘…conducting reconnaissance and attempting exploitation of on-premises SharePoint servers through a POST request to the ToolPane endpoint…’).
- [T1059.001] PowerShell – Execution of PowerShell scripts to launch payloads and deploy web shells (‘…PowerShell script execution used to launch payloads…’).
- [T1100] Web Shell – Deployment and use of malicious web shell spinstall0.aspx for persistence and key theft (‘…threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named spinstall0.aspx…’).
- [T1110.001] Brute Force – Observed use of authentication bypass tactics (‘…executed the authentication bypass and remote code execution exploits…’).
- [T1027] Obfuscated Files or Information – Use of encoded PowerShell commands in post-exploitation activities (‘…w3wp.exe is spawning encoded PowerShell involving the spinstall0.aspx file…’).
- [T1078] Valid Accounts – Use of stolen machine keys for maintaining access (‘…commands to retrieve MachineKey data and return the results to the user…’).
Indicators of Compromise
- [File Name] Web shell files – spinstall0.aspx and variants (spinstall.aspx, spinstall1.aspx, spinstall2.aspx) used by attackers to steal machine keys and maintain persistence.
- [File Name] Debug script – debug_dev.js containing web config and MachineKey data.
- [SHA-256 Hash] Malicious script hash – 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (hash of spinstall0.aspx).
- [URL] Malicious PowerShell delivery – c34718cbb4c6.ngrok-free.app/file.ps1 used as command and control infrastructure.
- [File Path] Web config file locations – 1[5-6]\TEMPLATE\LAYOUTS\debug_dev.js (1[5-6] denotes the SharePoint 15 or 16 hive directory) used as the path for stolen configurations.
- [IP Addresses] Exploit sources and post-exploitation activity – 131.226.2.6, 134.199.202.205, 104.238.159.149, 188.130.206.168 observed in attacks.
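As an added example (not code from Microsoft's post or its hunting queries), the detection logic a defender would run over process-creation and file-write telemetry for the observables above: w3wp.exe spawning encoded PowerShell, decoding that -EncodedCommand to find the spinstall0.aspx reference, and matching the web shell file names and the SHA-256 hash. The event field names, the Windows-only path handling, and the sample events are assumptions; the indicator values come from the page.

```python
import base64
import re
# Indicators taken from the page: web shell file names and the spinstall0.aspx SHA-256.
NAME_RE = re.compile(r"spinstall\d?\.aspx|debug_dev\.js", re.IGNORECASE)
SPINSTALL0_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"
ENCODED_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(command_line):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); None if absent or invalid."""
    m = ENCODED_ARG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate_event(ev):
    """Return the detection reasons that fire for one telemetry event (empty list if none)."""
    name = lambda p: p.rsplit("\\", 1)[-1].lower()  # Windows paths only (assumption)
    reasons = []
    if ev["type"] == "process":
        decoded = decode_encoded_command(ev["command_line"])
        if name(ev["parent_image"]) == "w3wp.exe" and name(ev["image"]) in ("powershell.exe", "pwsh.exe"):
            reasons.append("w3wp.exe spawned PowerShell")
            if decoded is not None:
                reasons.append("PowerShell launched with an encoded command")
        # The web shell name is usually visible only after decoding the payload.
        if NAME_RE.search(ev["command_line"]) or (decoded and NAME_RE.search(decoded)):
            reasons.append("command line references a known web shell file name")
    elif ev["type"] == "file":
        if NAME_RE.fullmatch(name(ev["path"])):
            reasons.append("known web shell file name written")
        if ev.get("sha256", "").lower() == SPINSTALL0_SHA256:
            reasons.append("file hash matches spinstall0.aspx")
    return reasons

def scan(events):
    """Run evaluate_event over a batch; return (index, reasons) for every event that fires."""
    return [(i, r) for i, ev in enumerate(events) if (r := evaluate_event(ev))]

# Constructed sample telemetry (not real captures); <hive root> stands in for the SharePoint install path.
SAMPLE_SCRIPT = "Set-Content -Path 'C:\\<hive root>\\16\\TEMPLATE\\LAYOUTS\\spinstall0.aspx' -Value $p"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -EncodedCommand {SAMPLE_ENCODED}"},
    {"type": "file", "path": r"C:\<hive root>\16\TEMPLATE\LAYOUTS\spinstall0.aspx", "sha256": SPINSTALL0_SHA256},
]
```

Running `scan(SAMPLE_EVENTS)` reports both constructed events with their reasons; a PowerShell launched from explorer.exe with a plain -File argument produces no hit.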