{"id":4109,"date":"2025-07-24T11:04:51","date_gmt":"2025-07-24T11:04:51","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4109"},"modified":"2025-07-24T11:04:51","modified_gmt":"2025-07-24T11:04:51","slug":"microsofts-incomplete-sharepoint-patch-led-to-global-exploits-by-china-linked-hackers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4109","title":{"rendered":"Microsoft\u2019s incomplete SharePoint patch led to global exploits by China-linked hackers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A July 8 patch for the <a href=\"https:\/\/www.csoonline.com\/article\/4025691\/microsoft-sharepoint-zero-day-breach-hits-on-prem-servers.html\">SharePoint Server zero-day flaw<\/a>, which resulted in a global attack on nearly 100 organizations over the weekend starting July 18, had failed to fully patch the flaw.<\/p>\n<p>The flaw was brought to Microsoft\u2019s notice in May during a hacker competition and was shortly addressed with an incomplete patch by the company before it was actively exploited in the wild.<\/p>\n<p>\u201cIn today\u2019s landscape, where attackers can reverse patch within hours, the time between disclosure and full remediation is a critical window,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/shane-barney-69026528\/\" target=\"_blank\" rel=\"noopener\">Shane Barney<\/a>, CISO, Keeper Security. 
\u201cIt\u2019s essential that vendors continue investing in pre-release testing, use of memory-safe languages, and modern engineering practices that reduce the risk of partial or ineffective fixes.\u201d<\/p>\n<p>Both Microsoft and Google now attribute the attacks to China-aligned threat actors, raising fresh alarms about security risks tied to on-prem SharePoint deployments.<\/p>\n<h2 class=\"wp-block-heading\">A fix that didn\u2019t stick<\/h2>\n<p>The initial patch, released shortly after the zero-day surfaced during a <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2025\/2\/24\/announcing-pwn2own-berlin-2025\" target=\"_blank\" rel=\"noopener\">Berlin hacker competition<\/a>, was insufficient to prevent active exploits, according to Reuters, which reviewed <a href=\"https:\/\/www.reuters.com\/sustainability\/boards-policy-regulation\/microsoft-knew-sharepoint-security-flaw-failed-effectively-patch-it-timeline-2025-07-22\/\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s timeline<\/a> and confirmed a spokesperson admitted the fix didn\u2019t fully work. Sophos <a href=\"https:\/\/news.sophos.com\/en-us\/2025\/07\/21\/sharepoint-toolshell-vulnerabilities-being-exploited-in-the-wild\/\" target=\"_blank\" rel=\"noopener\">reported<\/a> that threat actors bypassed the update almost immediately, leading to a rapid compromise of exposed SharePoint servers.<\/p>\n<p>\u201cMicrosoft\u2019s incomplete SharePoint fix is not an isolated misstep,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/mayureshdani\/\" target=\"_blank\" rel=\"noopener\">Mayuresh Dani<\/a>, Security Research Manager at Qualys. \u201cPatch gaps and failed first-round patches remain common. They allow bugs to be chained with phishing footholds for full compromise, or cause system instability \u2013 prompting some admins to delay patching, which prolongs exposure.\u201d<\/p>\n<p>Microsoft subsequently issued a second set of patches that addressed the remaining flaws. 
However, the rapid timeline from disclosure to exploitation exposed ongoing weaknesses in the vulnerability-to-patch pipeline.<\/p>\n<p>According to a Microsoft <a href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\" target=\"_blank\" rel=\"noopener\">advisory<\/a>, the company initially patched the vulnerabilities, tracked as CVE-2025-49704 and CVE-2025-49706, on July 8, following their disclosure at the May hacker competition. The fix was incomplete, and attackers exploited the same code path. Microsoft later released a second set of patches to fully address the zero-day vulnerability, now tracked as CVE-2025-53770 and CVE-2025-53771.<\/p>\n<p>\u201cSoftware is complex and highly interconnected \u2013 attack surfaces are not always fully understood,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/treyford\/\" target=\"_blank\" rel=\"noopener\">Trey Ford<\/a>, CISO at BugCrowd. \u201cThat\u2019s why fixes often require iteration to comprehensively address the issue.\u201d<\/p>\n<h2 class=\"wp-block-heading\">China-linked hackers are exploiting the gap<\/h2>\n<p>A <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\" target=\"_blank\" rel=\"noopener\">Microsoft blog<\/a> identifies the Chinese-affiliated groups \u201cLinen Typhoon\u201d (APT27) and \u201cViolet Typhoon\u201d (APT31), along with a third suspected state-sponsored actor dubbed Storm-2603, as the likely exploiters of the zero-day.<\/p>\n<p>Google\u2019s Mandiant CTO, Charles Carmakal, labeled at least <a href=\"https:\/\/www.washingtonpost.com\/technology\/2025\/07\/21\/china-hackers-microsoft-sharepoint\/\" target=\"_blank\" rel=\"noopener\">one actor as \u201cChina-nexus<\/a>,\u201d suggesting espionage motivations.<\/p>\n<p>According to Dani, the shift toward collaboration platforms like SharePoint is no coincidence. 
\u201cSharePoint acts as a one-stop shop for sensitive documents, source code, HR, and legal content,\u201d he said. \u201cThreat groups have shifted from edge appliances to internal collaboration platforms because those systems deliver both sensitive data and privileged network access.\u201d<\/p>\n<p>The exploit, nicknamed ToolShell, enables remote code execution, key theft, and malware installation on on-prem servers. The US CISA has added CVE-2025-53770 to its known exploited vulnerabilities catalog, urging immediate remediation. Barney warned that state-backed actors are now embedding into business workflows. \u201cThey want access to the crown jewels. These platforms house far more than PII\u2013strategic plans, source code, and internal communications. It\u2019s not just about exfiltration anymore, but deep persistent access.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A July 8 patch for the SharePoint Server zero-day flaw, which resulted in a global attack on nearly 100 organizations over the weekend starting July 18, had failed to fully patch the flaw. 
The flaw was brought to Microsoft\u2019s notice in May during a hacker competition and was shortly addressed with an incomplete patch by [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4094,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4109","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4109"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4109"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4109\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4094"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}