2025-07-23

The Chinese state-sponsored threat groups Linen Typhoon (also tracked as APT27, Emissary Panda, and Bronze Union) and Violet Typhoon (also tracked as APT31, Judgment Panda, and Bronze Vinewood), together with the suspected China-based group Storm-2603, have been targeting vulnerable internet-exposed Microsoft SharePoint servers affected by the flaws tracked as CVE-2025-53770 and CVE-2025-53771 since earlier this month, The Hacker News reports.
Both vulnerabilities stem from incomplete patches for the remote code execution flaw CVE-2025-49704 and the spoofing bug CVE-2025-49706. According to a Microsoft report, attacks exploiting them have allowed threat actors to bypass authentication and execute code remotely, deploy web shells, and then exfiltrate the servers' MachineKey data. Separate analysis of the SharePoint exploit by cybersecurity researcher Rakesh Krishnan found that it invoked the Network Utility Process, Crashpad Handler, and GPU Process within Microsoft Edge, which he interpreted as sandbox evasion. "With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems," Microsoft said, urging organizations to apply the updates immediately and to enable both Microsoft Defender and the Antimalware Scan Interface (AMSI) to reduce the risk of compromise.
