Microsoft Discloses Chinese Hackers Exploiting SharePoint Servers to Target Corporations and Governments
By Ainvest
Wednesday, Jul 23, 2025 5:54 am ET
Chinese hackers exploited vulnerabilities in Microsoft's SharePoint document server software to target major corporations and government agencies. The attacks were linked to the groups Linen Typhoon and Violet Typhoon, and Microsoft has released new security updates to address the incident. Firms that do not install the updates remain at risk of being targeted. The US agency responsible for nuclear weapons and national governments in Europe and the Middle East were also affected.
Microsoft has issued a critical security alert following the discovery of multiple China-linked hacking groups exploiting a newly discovered vulnerability in its SharePoint software. The flaw, designated CVE-2025-53770, is a zero-day vulnerability that was actively being exploited before Microsoft could develop and distribute a fix [1].
The exploit allows attackers to steal private security keys and remotely install malware on self-hosted versions of SharePoint, potentially compromising entire corporate networks. At least three advanced persistent threat (APT) groups believed to be backed by the Chinese government have been exploiting the flaw since as early as July 7. These groups include Linen Typhoon, focused on stealing intellectual property from corporations; Violet Typhoon, known for espionage operations and data theft; and Storm-2603, a lesser-known group with ties to past ransomware campaigns [1].
Microsoft warned that organizations running self-hosted SharePoint servers should assume breach and initiate comprehensive forensic investigations. The company has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771, urging users to apply the updates immediately [1].
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that thousands of organizations, including government agencies, energy firms, universities, and enterprises, may be at risk of significant breaches due to the SharePoint flaw [1].
This is not the first time hackers linked to China have been accused of attacks. In 2021, hackers backed by China were accused of targeting self-hosted Microsoft Exchange email servers as part of a mass-hacking campaign [1]. However, the Chinese government has long rebuffed allegations that it has carried out cyberattacks, though it has not always explicitly denied its involvement [1].
Microsoft has also released comprehensive security updates for all supported versions of SharePoint Server, including the Subscription Edition, 2019, and 2016, to address the newly disclosed security vulnerabilities CVE-2025-49706 and CVE-2025-49704 [2]. The company observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities, along with another China-based threat actor, Storm-2603 [2].
To protect against these vulnerabilities, Microsoft recommends that customers use supported versions of on-premises SharePoint servers with the latest security updates. Additionally, customers should integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus for all on-premises SharePoint deployments and configure AMSI to enable Full Mode for optimal protection [2].
Organizations not installing the updates are at risk of being targeted by these sophisticated threat actors. The US agency responsible for nuclear weapons and national governments in Europe and the Middle East were also affected by the attacks [1].
References:
[1] https://nairametrics.com/2025/07/22/microsoft-raises-alarm-as-china-backed-hackers-exploit-sharepoint-flaw-in-global-cyberattack/
[2] https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/