Threat actors linked to the Chinese government are exploiting a zero-day vulnerability in Microsoft SharePoint, targeting unpatched servers and deploying Warlock ransomware on them. In a blog post, Microsoft disclosed two significant vulnerabilities, CVE-2025-49706 and CVE-2025-49704, which affect only on-premises SharePoint installations, not SharePoint Online. Security updates are available for the supported versions of SharePoint Server. Three China-based threat groups, including Linen Typhoon and Storm-2603, are actively targeting vulnerable systems, prompting Microsoft to recommend urgent mitigation measures.
Microsoft stated in a blog post that ransomware attacks have been carried out by hackers with ties to the Chinese government, specifically targeting unpatched SharePoint systems.
Microsoft released security updates for SharePoint Server addressing vulnerabilities CVE-2025-49706 and CVE-2025-49704; the flaws affect on-premises installations only, not SharePoint Online.
The involvement of three China-based threat groups, Linen Typhoon, Violet Typhoon, and Storm-2603, is concerning, particularly because the same vulnerabilities are now being used to deliver ransomware.
Microsoft recommends that organizations install the updates, enable AMSI, use Defender Antivirus, rotate their ASP.NET machine keys, restart IIS, and deploy an endpoint detection and response solution.
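The key-rotation and IIS-restart steps above, as an added PowerShell example run on a farm server (this is not Microsoft's or the article's own script). It assumes the SharePoint Server PowerShell snap-in is present and that the `Update-SPMachineKey` cmdlet (SharePoint Server 2016 and later) is available in your version; confirm both against Microsoft's guidance for your build before running it.

```powershell
# Added example, not from the article. Assumes a SharePoint Server farm
# (2016 or later) and the Microsoft.SharePoint.PowerShell snap-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Record the farm build so it can be compared with the patched build
# numbers in Microsoft's advisory (no KB or build numbers are assumed here).
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Rotate the ASP.NET machine key for every web application in the farm.
# Patching alone does not help if the attacker already captured the
# ValidationKey/DecryptionKey: with those they can keep forging signed
# ViewState, so the keys must be replaced, not just the binaries.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# The new keys are only loaded once the IIS worker processes restart.
# /noforce lets in-flight requests finish instead of killing them.
iisreset.exe /noforce
```

On a multi-server farm, repeat the IIS restart on every front-end server; the key rotation itself is a farm-level change and only needs to be triggered once per web application.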