news 2025.10.27

SharePoint Under Massive Cyber Attack — Chained Exploits Grant Full Server Control

Share:

A widespread cyber campaign is targeting Microsoft SharePoint, impacting more than 400 organizations globally — including the U.S. Department of Energy, European and Middle Eastern government agencies, and several multinational enterprises.

 

According to the Akamai Threat Research Team, attackers are leveraging two critical vulnerabilities in a chained exploit, allowing them to fully compromise SharePoint servers, move laterally across internal networks, and exfiltrate sensitive data.

 

Attack Overview

 

Akamai’s analysis reveals that threat actors are combining:

  • CVE-2023-29357 – Authentication Bypass
  • CVE-2023-24955 – Remote Code Execution

 

When chained, these vulnerabilities enable adversaries to:

Gain unauthorized access to SharePoint environments

Execute arbitrary code and deploy backdoors

Establish C2 communication channels

Move laterally within corporate networks

 

Akamai has observed ongoing campaigns originating mainly from Asia and Eastern Europe, with some exhibiting modular and highly organized behavior.

 

 

Threat Actors Behind the Campaign

 

Both Microsoft and Google Threat Intelligence teams have attributed these attacks to Chinese state-sponsored groups, including:

  • Linen Typhoon
  • Violet Typhoon
  • Storm-2603

 

The campaign demonstrates strategic targeting and sophisticated coordination, suggesting a well-planned, long-term operation.

 

 

Mitigation and Recommendations

 

Microsoft has released partial updates addressing recent versions of SharePoint, but older editions (2016 and earlier) remain vulnerable.

The U.S. CISA has classified CVE-2025-53770 as a “must-patch” vulnerability, requiring all federal agencies to secure systems within 24 hours.

 

Recommended Actions

  • Patch all SharePoint instances immediately
  • Review internal traffic for signs of lateral movement
  • Implement microsegmentation and DNS-layer security controls