China-based groups exploit SharePoint flaws, Microsoft says

Two Chinese state-backed groups target internet-facing SharePoint servers, while a third group uses the flaws to deploy ransomware

Microsoft said Wednesday it has released new security updates for all supported versions of its on-premises SharePoint Server software after detecting active attacks exploiting several vulnerabilities.

The company urged customers to apply the updates immediately to protect their systems.

Microsoft said in a blog post that the vulnerabilities are being used by three China-based threat groups.

Two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, have been seen targeting internet-facing SharePoint servers. A third group, tracked as Storm-2603, is using the flaws to deploy ransomware.

Investigations into other groups using the same exploits are ongoing.

The Microsoft Security Response Center first reported the issue on July 19, warning of active exploitation of two vulnerabilities, a spoofing flaw and a remote code execution issue. These affect only on-premises SharePoint servers and do not impact SharePoint Online in Microsoft 365.

The company has updated its analysis based on continued monitoring. The latest blog post includes new information on attribution, indicators of compromise, detection methods, and protection steps. Microsoft emphasized the need to restart Internet Information Services (IIS) after patching.

The security updates also address two newly disclosed vulnerabilities that are related to the earlier flaws.

Microsoft recommends that customers use supported SharePoint versions with the latest security updates, enable Antimalware Scan Interface (AMSI) in Full Mode, rotate ASP.NET machine keys, and use Microsoft Defender Antivirus or a similar product. The company also advises deploying Microsoft Defender for Endpoint or an equivalent tool to protect all on-premises SharePoint systems.

Monitoring Desk
