Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware — three China-affiliated threat actors seen taking advantage
The company has attributed these attacks to a group it calls Storm-2603.
Microsoft reports that China-linked groups, including Storm-2603, Linen Typhoon, and Violet Typhoon, have exploited critical vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771) in on-premises SharePoint servers to deploy Warlock and LockBit ransomware.

Stealth attack on Microsoft servers turns ugly as ransomware strikes 400+ victims without even needing a login
Hackers switch from spying to ransom demands

The "ToolShell" exploit chain, which targets critical SharePoint vulnerabilities such as CVE-2025-53770 and CVE-2025-53771, is now being used in active attacks. These vulnerabilities allow unauthenticated remote code execution and can be exploited over the network against internet-exposed servers. According to cybersecurity firm Eye Security, more than 400 systems have been affected and over 9,000 services are at risk. Targeted sectors include government, healthcare, finance, and education. Microsoft issued a high-severity alert and recommended that users apply security updates and take additional mitigation steps.

Customer guidance for SharePoint vulnerability CVE-2025-53770 (MSRC Blog, Microsoft Security Response Center)
In a guide published on its official MSRC blog on 19 July 2025, Microsoft announced the release of updates for supported versions of SharePoint to address the vulnerabilities CVE-2025-53770 and CVE-2025-53771. Organizations should apply the patches, rotate the machine key, restart AMSI integration, and reboot the server.