SharePoint Under Massive Cyber Attack — Chained Exploits Grant Full Server Control
A widespread cyber campaign is targeting Microsoft SharePoint, impacting more than 400 organizations globally — including the U.S. Department of Energy, European and Middle Eastern government agencies, and several multinational enterprises.
According to the Akamai Threat Research Team, attackers are leveraging two critical vulnerabilities in a chained exploit, allowing them to fully compromise SharePoint servers, move laterally across internal networks, and exfiltrate sensitive data.
Attack Overview
Akamai’s analysis reveals that threat actors are combining:
- CVE-2023-29357 – Authentication Bypass
- CVE-2023-24955 – Remote Code Execution
When chained, these vulnerabilities enable adversaries to:
Gain unauthorized access to SharePoint environments
Execute arbitrary code and deploy backdoors
Establish C2 communication channels
Move laterally within corporate networks
Akamai has observed ongoing campaigns originating mainly from Asia and Eastern Europe, with some exhibiting modular and highly organized behavior.
Threat Actors Behind the Campaign
Both Microsoft and Google Threat Intelligence teams have attributed these attacks to Chinese state-sponsored groups, including:
- Linen Typhoon
- Violet Typhoon
- Storm-2603
The campaign demonstrates strategic targeting and sophisticated coordination, suggesting a well-planned, long-term operation.
Mitigation and Recommendations
Microsoft has released partial updates addressing recent versions of SharePoint, but older editions (2016 and earlier) remain vulnerable.
The U.S. CISA has classified CVE-2025-53770 as a “must-patch” vulnerability, requiring all federal agencies to secure systems within 24 hours.
Recommended Actions
- Patch all SharePoint instances immediately
- Review internal traffic for signs of lateral movement
- Implement microsegmentation and DNS-layer security controls