Patches for SharePoint Server 2016; China behind attacks, approx. 400 organizations compromised

An addendum to the 0-day vulnerability in Microsoft SharePoint and the observed wave of attacks. Microsoft has now also released an emergency update for SharePoint Server 2016. Meanwhile there are reports that some of the attacks came from China via a 0-day exploit, and more than 400 organizations have probably been compromised, with the USA and Germany the most affected. Microsoft has also published a more detailed blog post. Here is a review with a summary.

The 0-day exploit and the attacks

Since July 18, 2025, various security providers such as Sophos have observed increasing waves of attacks on Microsoft SharePoint servers that are reachable from the Internet. The attacks initially appeared to use an exploit for the vulnerabilities CVE-2025-49704 and CVE-2025-49706 (the ToolShell exploit chain), which Microsoft had patched on July 8, 2025, but it quickly became clear that something else was in play.

Over the course of Friday and Saturday (July 18 and 19, 2025) it became clear that further, as yet unpatched 0-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) were being attacked by an exploit. I had traced the development in the blog post Sharepoint servers are attacked via 0-day vulnerability (CVE-2025-53770).

Around 400 victims, attacks from China

It was already clear on Sunday that around 85 organizations had had their SharePoint servers compromised. Reuters now writes here that around 100 organizations had been compromised over the weekend via their Internet-facing SharePoint instances. The newest figures say there are more than 400 victims.

Most of those affected are in the USA and Germany, and government organizations are among the victims. Further follow-on hacks are likely, and extensive clean-up and security measures will be required.

Notes from Mandiant

I have received information from Mandiant that the vulnerabilities have been and are being attacked by several actors. The security experts at Google subsidiary Mandiant assume that at least one of the actors responsible for this early exploitation is a threat actor with a Chinese background.

Details from Microsoft

Microsoft has published the blog post Disrupting active exploitation of on-premises SharePoint vulnerabilities, which covers not only the vulnerabilities mentioned above and their exploitation but also the actors behind the attacks. Microsoft writes that at the time of writing it had already observed two Chinese actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities in Internet-facing SharePoint servers.

In addition, Microsoft's security experts have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also exploiting them are ongoing. Given how quickly the exploits have spread, Microsoft expects threat actors to continue incorporating them into attacks on unpatched on-premises SharePoint systems. The Microsoft article contains a great deal of detail, including indicators of compromise. Administrators should follow the instructions under Mitigation and protection guidance.

Update for SharePoint 2016 also released

Microsoft documented the vulnerabilities on July 19, 2025 in the Customer guidance for SharePoint vulnerability CVE-2025-53770 and in the CVE entries mentioned above. On July 20, 2025, Microsoft released security updates for Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019. On July 21, 2025, emergency updates for SharePoint Server 2016 followed to close the vulnerabilities. Here is the list of all updates:

Microsoft SharePoint Server Subscription Edition:
  Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768)

Microsoft SharePoint Server 2019:
  Security Update for Microsoft SharePoint Server 2019 (KB5002754)
  Security Update for Microsoft SharePoint Server 2019 Language Pack (KB5002753)

Microsoft SharePoint Server 2016:
  Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760)
  Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759)
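As a practical check to go with that list, here is an added PowerShell example (my own, not from the original post and not from Microsoft's guidance) that reports which of the five KB patches above are registered on the local server. It assumes a 64-bit SharePoint server, an elevated session, and that the SharePoint MSP patches are registered in the per-machine Windows Installer data under the SYSTEM SID (the same data that Installed Updates in Control Panel reads); the function names are my own.

```powershell
# Added example, not part of the original post or of Microsoft's guidance:
# report which of the SharePoint security updates listed above are registered
# on this server, by reading the Windows Installer patch registration.
# Assumptions: 64-bit SharePoint server, elevated session, per-machine installs.

# KB numbers per edition, exactly as listed in the post.
$RequiredUpdates = @{
    'SharePoint Server Subscription Edition' = @('KB5002768')
    'SharePoint Server 2019'                 = @('KB5002754', 'KB5002753')
    'SharePoint Server 2016'                 = @('KB5002760', 'KB5002759')
}

function Get-InstalledMsiPatchNames {
    # Per-machine MSI patches are registered under the SYSTEM SID (S-1-5-18).
    # Every product key has a Patches subkey; each patch beneath it carries a
    # DisplayName such as
    # "Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760) 64-Bit Edition".
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -Path "$($_.PSPath)\Patches" -ErrorAction SilentlyContinue } |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName } |
        Where-Object { $_ }
}

function Test-SharePointUpdates {
    param(
        # Injectable for testing; defaults to what is registered on this host.
        [string[]]$InstalledPatchNames = (Get-InstalledMsiPatchNames)
    )
    foreach ($edition in $RequiredUpdates.Keys) {
        foreach ($kb in $RequiredUpdates[$edition]) {
            # Match the KB as a whole token so KB5002760 cannot match a longer number.
            $hit = $InstalledPatchNames | Where-Object { $_ -match "\b$kb\b" } | Select-Object -First 1
            [pscustomobject]@{
                Edition   = $edition
                KB        = $kb
                Installed = [bool]$hit
                Patch     = $hit
            }
        }
    }
}

# Only the rows for the edition running on this server matter; the DisplayName
# of any SharePoint patch found tells you which edition that is.
Test-SharePointUpdates | Format-Table -AutoSize
```

Two caveats when reading the output: the script only looks at the local server, so run it on every server in the farm, and a registered MSP only means the binaries are on disk. The SharePoint update is not complete until the SharePoint Products Configuration Wizard (PSConfig) has been run on each server, and Microsoft's guidance linked above asks for more than patching alone.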
