Ransomware Attack Affects more than 400 SharePoint Servers


A critical vulnerability in Microsoft SharePoint servers has been widely exploited by hackers.

More than 400 organizations have already been hit in the ransomware campaign against SharePoint servers, including the U.S. Department of Energy and its National Nuclear Security Administration (NNSA), the agency responsible for managing the U.S. nuclear weapons stockpile.

Storm-2603 Spreads Ransomware via SharePoint Vulnerability

Microsoft confirmed on Wednesday that the group Storm-2603 is actively exploiting the recently patched SharePoint vulnerabilities. The group gains access by chaining CVE-2025-49704 (remote code execution) with CVE-2025-49706 (spoofing, used to bypass authentication) and then installs ransomware.


Once inside, Storm-2603 runs reconnaissance commands such as whoami, disables Microsoft Defender by modifying the registry, and establishes persistence through webshells and .NET assemblies. From there the group steals credentials and moves laterally through the network. The ransomware is finally pushed to hosts via customized Group Policy Objects (GPOs).
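The paragraph above lists three things a defender can look for on a SharePoint host: Defender being switched off through the registry, freshly written .aspx webshells in the SharePoint web directories, and recently modified GPOs. The triage script below is an added example written for this page; it is not code from Microsoft, Eye Security or the article. The registry values it inspects are the standard Defender policy settings, the SharePoint hive path and the seven-day lookback are assumed defaults, and it prints findings for a human to review rather than claiming any specific indicator of compromise.

```powershell
# Added triage example (not from the article). Run in an elevated PowerShell
# session on a SharePoint server. Paths, lookback window and the list of registry
# values checked are editorial assumptions, not published indicators.

$lookbackDays = 7                          # assumed window; adjust to the incident
$since = (Get-Date).AddDays(-$lookbackDays)

# 1. Defender disabled through policy registry keys (the technique the article describes).
$defenderKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
$suspectValues = @(
    'DisableAntiSpyware', 'DisableAntiVirus', 'DisableRealtimeMonitoring',
    'DisableBehaviorMonitoring', 'DisableIOAVProtection'
)
foreach ($key in $defenderKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $suspectValues) {
        $p = $props.PSObject.Properties[$name]
        if ($p -and $p.Value -eq 1) {
            Write-Warning "Defender disabled via registry: $key\$name = 1"
        }
    }
}

# Cross-check against Defender's own status; a legitimately managed host should agree.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    Write-Warning 'Defender reports real-time protection is OFF'
}

# 2. Recently written .aspx files under the SharePoint LAYOUTS folders, where webshells
#    are typically dropped. The hive path is the assumed default installation location.
$hive = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions'
Get-ChildItem -Path $hive -Recurse -Include *.aspx -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -like '*\TEMPLATE\LAYOUTS\*' -and $_.LastWriteTime -gt $since } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

# 3. GPOs changed inside the window (the article says ransomware was pushed via custom GPOs).
#    Requires the GroupPolicy RSAT module on a domain-joined host.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    Get-GPO -All | Where-Object { $_.ModificationTime -gt $since } |
        Select-Object DisplayName, ModificationTime, Owner |
        Format-Table -AutoSize
}
```

Any hit from section 1 on a server that is not centrally managed to run a third-party AV, any unexpected .aspx file from section 2, or a GPO in section 3 that nobody in the admin team recognises should be treated as a potential compromise and escalated, not cleaned up in place; the persistence mechanisms described above mean the host needs a full incident-response pass rather than a patch alone.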

Vulnerability Affects Critical Sectors

The vulnerabilities affect SharePoint Enterprise Server 2016, Server 2019, and the Subscription Edition. Microsoft released patches on Monday after the exploits were made public earlier that weekend. According to security company Eye Security, the attacks began on July 17 and occurred in multiple waves.


Check Point Research reports that other governments, telecom companies, and software providers are also affected. Microsoft states that, in addition to Storm-2603, two Chinese state groups are exploiting the flaws: Linen Typhoon (APT27) and Violet Typhoon (APT31). Storm-2603 is reportedly based in China, but it has not been linked to the Chinese state.

Exploits Available Online

Finally, Microsoft warns that multiple proof-of-concept exploits are publicly available, including for the newer bugs CVE-2025-53770 and CVE-2025-53771, which can be chained with the earlier vulnerabilities. Organizations that have not yet applied the security updates are at serious risk, according to Microsoft. "Other actors will continue to use these exploits to attack unprotected SharePoint servers," the company told The Register.