Fast Facts
- Unpatched on-premises SharePoint servers are prime targets for sophisticated threat actors like Storm-2603, exploiting known vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-11371) to gain initial access and probe systems.
- Attackers establish long-term persistent access by deploying tools like Velociraptor, creating backdoors, elevating privileges, and using vulnerable drivers (e.g., NSecKrnl.sys) to disable security defenses.
- Multiple threat actors can operate simultaneously within the same environment, masking each other and creating complex attack chains that are difficult for defenders to unravel without correlated, multidisciplinary data analysis.
- Organizations must urgently patch vulnerable systems, enforce strict identity controls, monitor for suspicious activity, and develop robust incident response plans to defend against such advanced, multi-stage cyber campaigns.
What’s the Problem?
Recently, unpatched on-premises SharePoint servers have become prime targets for advanced threat groups, notably Storm-2603. Since mid-2025, this group has exploited known vulnerabilities such as CVE-2025-49706 and CVE-2025-49704 to infiltrate networks. They used a combination of techniques, including probing for weaknesses like CVE-2025-11371, a local file inclusion flaw, to deepen their access. Once inside, Storm-2603 installed tools like Velociraptor for reconnaissance and created multiple backdoor channels through Cloudflare tunnels and remote management software. They also deployed a vulnerable driver, NSecKrnl.sys, to gain kernel-level privileges and disable security defenses. Compounding the threat, a second malicious actor inserted custom backdoors and stole sensitive credentials by exfiltrating the NTDS.dit file, which contains Active Directory password hashes. Microsoft’s Defense and Response Team (DART) uncovered these complex, parallel intrusions after analyzing varied data sources. They reported that these attacks are designed to remain inside networks stealthily, often over long durations, making defense challenging. This incident underscores the urgency for organizations, particularly those with outdated SharePoint systems, to prioritize patching, strengthen access controls, and enhance monitoring to prevent similar breaches.
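As an added illustration of the correlated, multi-source monitoring this paragraph calls for (example code written for this summary, not Microsoft's or DART's tooling), the following Python matches the indicators named above (Velociraptor, a Cloudflare tunnel client, the NSecKrnl.sys driver, NTDS.dit access) against constructed log lines in a made-up pipe-delimited format and flags hosts where more than one stage of the chain appears. The process name cloudflared and the file paths are assumptions for the sample, not values from the report.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified "timestamp|host|event|details" format;
# illustrative input only, not real Microsoft/DART or SharePoint telemetry.
SAMPLE_LOG = """\
2025-07-20T10:01:02Z|SP01|process_create|C:\\ProgramData\\velociraptor.exe --config client.yaml
2025-07-20T10:03:15Z|SP01|process_create|cloudflared.exe tunnel run
2025-07-20T10:05:40Z|SP01|driver_load|C:\\Windows\\Temp\\NSecKrnl.sys
2025-07-21T02:14:09Z|DC01|file_access|C:\\Windows\\NTDS\\ntds.dit
2025-07-21T02:20:00Z|SP01|process_create|C:\\Windows\\System32\\inetsrv\\w3wp.exe
"""

# (stage, event type, regex on the details field). Stages mirror the intrusion
# described above; Velociraptor is also a legitimate DFIR tool, so allow-list
# your own sanctioned deployments before enabling that rule in production.
RULES = [
    ("remote_access_tool", "process_create", re.compile(r"velociraptor", re.I)),
    ("tunnel_backdoor", "process_create", re.compile(r"cloudflared", re.I)),
    ("vulnerable_driver", "driver_load", re.compile(r"nseckrnl\.sys$", re.I)),
    ("ad_credential_theft", "file_access", re.compile(r"ntds\.dit$", re.I)),
]

def detect(log_text):
    """Return (timestamp, host, stage, details) for every line matching a rule."""
    findings = []
    for line in log_text.splitlines():
        if line.count("|") < 3:
            continue  # skip blank or malformed lines
        ts, host, event, details = line.split("|", 3)
        for stage, event_type, pattern in RULES:
            if event == event_type and pattern.search(details):
                findings.append((ts, host, stage, details))
    return findings

def correlate(findings, min_stages=2):
    """Group findings per host and flag hosts with at least min_stages distinct
    stages, since a single stage on its own may be legitimate admin activity."""
    stages_by_host = defaultdict(set)
    for _ts, host, stage, _details in findings:
        stages_by_host[host].add(stage)
    return {h: sorted(s) for h, s in stages_by_host.items() if len(s) >= min_stages}

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for hit in hits:
        print("ALERT", *hit)
    print("correlated hosts:", correlate(hits))
```

The domain controller in the sample trips only the NTDS.dit rule, so it is not flagged by the default correlation; an unexpected read of that file is severe enough that a real deployment should alert on it alone.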
What’s at Stake?
If your business relies on SharePoint servers that haven’t been patched, you are vulnerable to hackers exploiting these weaknesses. Such exploits can lead to ransomware attacks, locking your data and halting operations. Additionally, cybercriminals may install custom backdoors, giving them prolonged access to your systems. Consequently, your business faces data loss, financial damage, and reputational harm. Without proper security updates, these risks increase dramatically, making your company an easy target. Therefore, timely patching and security practices are essential to protect your assets and ensure continuity.
Possible Next Steps
Ensuring swift action against vulnerabilities such as unpatched SharePoint servers is critical to safeguarding organizational data and maintaining operational integrity. Delays in remediation can allow cybercriminals to exploit weaknesses, leading to severe consequences like data breaches, financial loss, and reputational damage.
Assess & Identify
Conduct a thorough vulnerability assessment of SharePoint environments to detect unpatched or outdated systems.
Apply Patches
Implement immediate updates and security patches provided by vendors to close known vulnerabilities.
Isolate Systems
Segment SharePoint servers from critical networks to limit potential attack surfaces and contain breaches.
Enhance Detection
Deploy advanced monitoring tools to identify suspicious activities indicative of ransomware or backdoor access attempts.
Implement Access Controls
Enforce strict user access policies, multi-factor authentication, and least privilege principles to minimize unauthorized access risks.
Backup Data
Regularly perform secure, offline backups of SharePoint data to facilitate rapid recovery without paying ransom.
Develop Response Plan
Establish and routinely update an incident response plan specifically addressing ransomware and backdoor threats.
User Training
Educate staff on cybersecurity best practices and phishing awareness to prevent initial infiltration.
