Unpatched on-premises Microsoft SharePoint servers have become prime targets for sophisticated cybercriminals who exploit known vulnerabilities to infiltrate networks, deploy ransomware, and establish persistent backdoors. These attacks are not random but are part of calculated, multi-stage campaigns designed to maintain long-term access within compromised systems.
One prominent threat group, tracked by Microsoft as Storm-2603, has been targeting vulnerable SharePoint servers since July 2025. Initial access comes through publicly disclosed and already-patched vulnerabilities, notably CVE-2025-49706 (an authentication bypass) chained with CVE-2025-49704 (remote code execution), the pair known as ToolShell. Evidence also links the group to exploitation of CVE-2025-11371, an unauthenticated local file inclusion flaw in Gladinet CentreStack and Triofox rather than in SharePoint itself, which it has used to read sensitive files from the affected server and push further into the victim's environment.
Investigations by Microsoft's Detection and Response Team (DART) show how involved these intrusions are. In some cases two distinct threat actors operated in the same environment at the same time, and the activity of one obscured the other's. That overlap complicates detection and response: the full attack chain only becomes visible once telemetry from identities, endpoints, and cloud services is correlated, rather than triaged host by host.
Once inside the network, Storm-2603 relies on a mix of legitimate tools to establish and keep control. It deploys Velociraptor, an open-source digital forensics and incident response tool, running with SYSTEM-level privileges to map the environment and collect data. For persistent access it opens several independent remote-access channels: Cloudflare tunnels, Zoho Assist for remote management, and Visual Studio Code to establish SSH-based command-and-control connections. Every one of these is signed, vendor-supported software, so signature-based blocking does little; what stands out is context, such as the install path, the account that launched the tool, and whether the organization actually uses the product at all.
To entrench further, the attackers create new local and domain administrator accounts, which survive the removal of any single tool. They also use a technique known as Bring Your Own Vulnerable Driver (BYOVD), loading NSecKrnl.sys, a signed but vulnerable driver that passes Driver Signature Enforcement and hands them kernel-level code execution. From there they can tamper with kernel memory and terminate or blind endpoint protection agents, activity that a user-mode agent has little ability to observe. The countermeasure is not a signature check but a block on known-vulnerable drivers (for example Microsoft's vulnerable driver blocklist enforced through HVCI or WDAC) together with an alert on any driver loaded from a temp or user-writable directory.
In some cases a second, as yet unidentified threat actor has been observed in the same compromised environment. Its tradecraft differs from Storm-2603's: malicious DLL sideloading and custom backdoors rather than commodity remote-access tools. This actor was seen staging NTDS.dit, the Active Directory database that holds the password hashes for every domain account, into an archive named NTDS.zip for exfiltration. Decrypting the hashes from an offline copy of NTDS.dit also requires the boot key from the SYSTEM registry hive, so a SYSTEM hive copied alongside it is part of the same pattern and worth hunting for.
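The behaviours described in the preceding paragraphs (new admin accounts, commodity remote-access tooling, the NSecKrnl.sys driver load, and NTDS.dit staging) can be written as detection rules, and DART's point about correlating identity and endpoint telemetry can be shown in the same place. The following Python is an added example written for this article, not Microsoft's or DART's code. The events it runs over are constructed, the field names are an assumed normalized schema rather than any vendor's format, and the Zoho Assist binary names are guesses that should be checked against a real install.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (normalized Windows Security and Sysmon events).
# Field names are this example's assumed schema, not a vendor format. The driver
# event is marked signed on purpose: BYOVD drivers carry valid signatures, so the
# rule must match on driver name or hash, never on signing status.
EVENTS = [
    {"ts": "2025-09-02T01:10:00", "host": "SP01", "source": "Security", "event_id": 4720,
     "target": "svc_backup2"},
    {"ts": "2025-09-02T01:10:05", "host": "SP01", "source": "Security", "event_id": 4732,
     "target": "svc_backup2", "group": "Administrators"},
    {"ts": "2025-09-02T01:12:40", "host": "SP01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\ProgramData\vr\velociraptor.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "velociraptor.exe --config client.yaml service install"},
    {"ts": "2025-09-02T01:15:00", "host": "SP01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\Temp\cloudflared.exe", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": "cloudflared.exe tunnel run --token <redacted>"},
    {"ts": "2025-09-02T01:20:00", "host": "SP01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Program Files\Microsoft VS Code\code.exe", "user": r"SP01\svc_backup2",
     "cmdline": "code.exe tunnel --accept-server-license-terms"},
    {"ts": "2025-09-02T02:05:00", "host": "SP01", "source": "Sysmon", "event_id": 6,
     "image_loaded": r"C:\Windows\Temp\NSecKrnl.sys", "signed": True},
    {"ts": "2025-09-03T04:00:00", "host": "DC01", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\ntdsutil.exe", "user": r"CORP\svc_backup2",
     "cmdline": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\x" q q'},
    {"ts": "2025-09-03T04:02:00", "host": "DC01", "source": "Sysmon", "event_id": 11,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_file": r"C:\Temp\NTDS.zip"},
    # Benign noise: a developer opens a folder in VS Code without a tunnel.
    {"ts": "2025-09-02T09:00:00", "host": "WS07", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Program Files\Microsoft VS Code\code.exe", "user": r"CORP\jdoe",
     "cmdline": r"code.exe C:\Users\jdoe\project"},
]

ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}

# Heuristics for the remote-access tooling named in the article, keyed on image
# name and command line. The Zoho Assist binary names are assumptions.
REMOTE_ACCESS = {
    "velociraptor": lambda img, cmd: "velociraptor" in img,
    "cloudflare_tunnel": lambda img, cmd: "cloudflared" in img and "tunnel" in cmd,
    "vscode_tunnel": lambda img, cmd: img.endswith("code.exe") and " tunnel" in cmd,
    "zoho_assist": lambda img, cmd: any(n in img for n in ("zohoassist", "zohomeeting", "za_connect")),
}


def classify(ev):
    """Map one event to (category, detail), or None if no rule matches."""
    eid, src = ev["event_id"], ev["source"]
    if src == "Security":
        if eid == 4720:                                   # user account created
            return ("account_created", ev["target"])
        if eid in (4728, 4732) and ev.get("group", "").lower() in ADMIN_GROUPS:
            return ("admin_group_add", f'{ev["target"]} -> {ev["group"]}')
    if src == "Sysmon" and eid == 1:                      # process creation
        img, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
        for name, matches in REMOTE_ACCESS.items():
            if matches(img, cmd):
                return ("remote_access_tool", name)
        if ("ntdsutil" in img and "ifm" in cmd) or "ntds.dit" in cmd:
            return ("ad_database_access", ev["cmdline"])
    if src == "Sysmon" and eid == 6:                      # driver loaded
        if ev["image_loaded"].lower().endswith("nseckrnl.sys"):
            return ("byovd_driver_load", ev["image_loaded"])
    if src == "Sysmon" and eid == 11:                     # file created
        if ev["target_file"].lower().endswith("ntds.zip"):
            return ("ad_database_archive", ev["target_file"])
    return None


def correlate(events, window=timedelta(hours=48)):
    """Group rule hits per host. A host showing two or more distinct categories
    inside the window is one multi-stage intrusion, not a set of unrelated alerts."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), *hit))
    findings = {}
    for host, rows in hits.items():
        by_cat = defaultdict(list)
        for _, cat, detail in rows:
            by_cat[cat].append(detail)
        multi = len(by_cat) >= 2 and rows[-1][0] - rows[0][0] <= window
        findings[host] = {"categories": sorted(by_cat), "details": dict(by_cat),
                          "severity": "multi_stage" if multi else "single"}
    return findings


def pivot_on_created_accounts(events):
    """Follow each account created during the intrusion (4720) to other hosts where
    it later runs processes: the identity-to-endpoint link the text calls for.
    Returns sorted (account, created_on, seen_on) tuples."""
    created = {ev["target"].lower(): ev["host"]
               for ev in events if ev["source"] == "Security" and ev["event_id"] == 4720}
    links = set()
    for ev in events:
        acct = ev.get("user", "").split("\\")[-1].lower()
        if acct in created and ev["host"] != created[acct]:
            links.add((acct, created[acct], ev["host"]))
    return sorted(links)


if __name__ == "__main__":
    for host, f in correlate(EVENTS).items():
        print(host, f["severity"], f["categories"])
    print(pivot_on_created_accounts(EVENTS))
```

Run against the constructed events, this reports SP01 as a multi-stage intrusion with four categories, DC01 with the two NTDS.dit categories, and links the svc_backup2 account created on the SharePoint server to its later use on the domain controller; the developer's ordinary VS Code launch on WS07 produces nothing. Tune the Velociraptor rule against authorized deployments, since the tool itself is legitimate: the signal is an install nobody sanctioned, launched from a path nobody expected.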
These incidents illustrate a broader trend: the ransomware is only the visible part of a longer compromise, arriving after access, persistence, and credential theft are already in place. Organizations running older, unpatched on-premises SharePoint are the most exposed, and because the vulnerabilities are public and exploitation is ongoing, the window to act is narrow.
Mitigation starts with patching: apply the current SharePoint Server security updates (the ToolShell fixes shipped in July 2025, with follow-up updates for the patch bypasses) and, per Microsoft's guidance for that chain, rotate the ASP.NET machine keys and restart IIS afterwards, since a machine key stolen before patching still grants access after it. Treat an internet-exposed server that sat unpatched as potentially already compromised and hunt for the artifacts described above: newly created local or domain admin accounts, unexpected installs of Velociraptor, cloudflared, Zoho Assist, or VS Code tunnels, drivers such as NSecKrnl.sys loaded from temp directories, and copies or archives of NTDS.dit. Regular patching, periodic security assessments, and staff awareness remain sound practice, but for this campaign the controls that matter are patch currency, key rotation, and telemetry that allows identity, endpoint, and cloud activity to be correlated.
As cyber threats continue to evolve, staying vigilant and proactive in addressing vulnerabilities is paramount. The exploitation of unpatched SharePoint servers serves as a stark reminder of the importance of timely updates and comprehensive security strategies in protecting organizational assets.