Chinese hackers exploited vulnerabilities in Microsoft's SharePoint document-server software to target major corporations and government agencies. The attack is linked to the groups Linen Typhoon and Violet Typhoon, and Microsoft has released new security updates to address the incident. Firms that do not install the updates remain at risk of being targeted. The US agency responsible for nuclear weapons and national governments in Europe and the Middle East were also affected.
Microsoft has issued a critical security alert following the discovery of multiple China-linked hacking groups exploiting a newly discovered vulnerability in its SharePoint software. The flaw, designated CVE-2025-53770, is a zero-day vulnerability that was actively being exploited before Microsoft could develop and distribute a fix [1].
The exploit allows attackers to steal private security keys and remotely install malware on self-hosted versions of SharePoint, potentially compromising entire corporate networks. At least three advanced persistent threat (APT) groups believed to be backed by the Chinese government have been exploiting the flaw since as early as July 7. These groups include Linen Typhoon, focused on stealing intellectual property from corporations; Violet Typhoon, known for espionage operations and data theft; and Storm-2603, a lesser-known group with ties to past ransomware campaigns [1].
Microsoft warned that organizations running self-hosted SharePoint servers should assume breach and initiate comprehensive forensic investigations. The company has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771, urging users to apply the updates immediately [1].
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that thousands of organizations, including government agencies, energy firms, universities, and enterprises, may be at risk of significant breaches due to the SharePoint flaw [1].
This is not the first time hackers linked to China have been accused of attacks. In 2021, hackers backed by China were accused of targeting self-hosted Microsoft Exchange email servers as part of a mass-hacking campaign [1]. However, the Chinese government has long rebuffed allegations that it has carried out cyberattacks, though it has not always explicitly denied its involvement [1].
Microsoft has also released comprehensive security updates for all supported versions of SharePoint Server, including the Subscription Edition, 2019, and 2016, to address the newly disclosed security vulnerabilities CVE-2025-49706 and CVE-2025-49704 [2]. The company observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities, along with another China-based threat actor, Storm-2603 [2].
To protect against these vulnerabilities, Microsoft recommends that customers use supported versions of on-premises SharePoint servers with the latest security updates. Additionally, customers should integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus for all on-premises SharePoint deployments and configure AMSI to enable Full Mode for optimal protection [2].
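The following is an added example and not code from Microsoft or from the cited articles: a read-only readiness check, run in the SharePoint Management Shell (Windows PowerShell) on an on-premises SharePoint server, that reports the farm's build level and the local Microsoft Defender Antivirus state, the two controls the recommendation above depends on. It assumes the `Microsoft.SharePoint.PowerShell` snap-in and the Defender cmdlets are available on the server; the patched build number is a placeholder parameter you must supply from Microsoft's update notes for your edition, and the AMSI Full Mode check is left as a manual step because no cmdlet is assumed for it.

```powershell
# Added example (not Microsoft's or the cited articles' code): read-only
# readiness check for an on-premises SharePoint server. Run in an elevated
# SharePoint Management Shell (Windows PowerShell 5.1) on the server itself.
param(
    # PLACEHOLDER: supply the patched build number for your edition
    # (Subscription Edition, 2019 or 2016) from Microsoft's update notes.
    [Parameter(Mandatory = $true)]
    [version]$MinimumPatchedBuild
)

$findings = @()

# 1. Farm build level: is the security update (or a later one) installed?
try {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    $build = (Get-SPFarm).BuildVersion
    if ($build -lt $MinimumPatchedBuild) {
        $findings += "FAIL: farm build $build is below the patched build $MinimumPatchedBuild; apply the latest security update."
    } else {
        $findings += "OK: farm build $build meets the configured minimum."
    }
} catch {
    $findings += "ERROR: could not load the SharePoint snap-in or read the farm build: $($_.Exception.Message)"
}

# 2. Microsoft Defender Antivirus on this server: AMSI scanning of SharePoint
#    requests only has effect when an AMSI provider such as Defender is active.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
        $findings += "FAIL: Defender Antivirus or its real-time protection is disabled on this server."
    } else {
        $findings += "OK: Defender real-time protection is enabled (signatures updated $($mp.AntivirusSignatureLastUpdated))."
    }
} catch {
    $findings += "ERROR: Get-MpComputerStatus failed; Defender Antivirus may not be installed: $($_.Exception.Message)"
}

# 3. AMSI integration and Full Mode are farm-level settings that this script
#    deliberately does not read (no cmdlet is assumed); record a manual step.
$findings += "MANUAL: confirm AMSI integration is enabled for every web application and that Full Mode is turned on."

$findings | ForEach-Object { Write-Output $_ }
```

Run it once per server in the farm and keep the output with the incident record; a FAIL on the build check is the condition under which the article's "assume breach" advice applies, so the patch should be followed by the forensic review the page describes rather than treated as closing the matter.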
Organizations that do not install the updates remain at risk of being targeted by these sophisticated threat actors. The US agency responsible for nuclear weapons and national governments in Europe and the Middle East were also affected by the attacks [1].
References:
[1] https://nairametrics.com/2025/07/22/microsoft-raises-alarm-as-china-backed-hackers-exploit-sharepoint-flaw-in-global-cyberattack/
[2] https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/