Federal IT asset managers: Microsoft has released emergency patches for all SharePoint versions, including previously unpatched SharePoint 2016. Chinese nation-state actors continue exploiting CVE-2025-53770 and CVE-2025-53771 in widespread attacks targeting government systems, energy companies, and critical infrastructure.

This update expands on our initial SharePoint CVE-2025-53770 analysis with new threat actor attribution and complete patch availability.

Microsoft has released comprehensive security updates addressing the critical SharePoint vulnerabilities:

• SharePoint Server Subscription Edition: Fixed in build 16.0.18526.20508 (KB5002768)
• SharePoint Server 2019: Fixed in build 16.0.10417.20037 (KB5002754)
• SharePoint Enterprise Server 2016: Now patched in build 16.0.5513.1001 (KB5002760)

These updates address both CVE-2025-53770 and the newly disclosed CVE-2025-53771, providing complete protection against the "ToolShell" attack chain.

Microsoft's threat intelligence team has identified the threat actors responsible for these attacks:

• Linen Typhoon and Violet Typhoon (Chinese nation-state actors)
• Storm-2603 (China-based group deploying Warlock ransomware)

These sophisticated actors have successfully breached US federal and state agencies, energy companies, universities, and international targets across multiple continents.

Recent reporting reveals the attack's devastating scope:

• 50+ confirmed organizational breaches according to Eye Security
• Federal and state government agencies compromised
• Critical infrastructure targets including energy companies
• International victims spanning Europe and Asia

CISA has confirmed that attackers achieved "full access to SharePoint content, including file systems and internal configurations" in successful breaches.

While Microsoft recommends enabling Antimalware Scan Interface (AMSI) as additional protection, Canada's Cyber Centre warns that "AMSI may not consistently offer comprehensive protection against this form of exploitation, as threat actors frequently adapt their methods to evade detection."

Organizations cannot rely solely on AMSI—immediate patching remains essential.

• Apply security updates immediately to all SharePoint servers
• Rotate SharePoint ASP.NET machine keys and restart IIS services
• Conduct compromise assessments, especially for internet-facing SharePoint instances
• Monitor for indicators of compromise including the creation of spinstall0.aspx files

Microsoft provides comprehensive threat hunting guidance in their SharePoint vulnerability blog, including Advanced Hunting queries for Microsoft 365 Defender customers.

The ongoing nature of these attacks and the sophistication of the threat actors involved make this one of the most serious SharePoint vulnerabilities to date. Federal agencies and critical infrastructure operators must treat this as a top-priority security incident requiring immediate remediation.

Need expert SharePoint vulnerability assessment and emergency IT asset management support? Contact The SIE Group for federal-focused cybersecurity solutions.