A newly discovered vulnerability in Microsoft SharePoint is under active attack — and Chinese hackers are being blamed.
What’s Going On?
Security teams at Google and Microsoft have both confirmed that state-backed hacking groups from China are actively exploiting a serious zero-day vulnerability in SharePoint.
The bug, officially listed as CVE-2025-53770, was found just last weekend. But according to both companies, attackers have already been using it in the wild since at least July 7.
What Makes This Bug So Serious?
SharePoint is widely used by businesses, governments, and other organizations to store internal documents and files. Many companies run self-hosted versions of SharePoint — and that’s exactly where this bug strikes.
Once attackers exploit this vulnerability, they can:
- Steal sensitive encryption keys
- Install malware remotely
- Gain access to private files and systems
- Move across other systems on the same network
In other words, it gives hackers a dangerous level of access.
Who’s Behind the Attacks?
Microsoft has named three China-linked hacker groups involved in the campaign:
- Linen Typhoon – Known for stealing intellectual property.
- Violet Typhoon – Focuses on gathering data for espionage.
- Storm-2603 – A lesser-known group, previously linked to ransomware activity.
Google’s Mandiant unit also weighed in. Charles Carmakal, the CTO of Mandiant, confirmed that at least one of the groups has strong ties to China. He added that multiple hacking teams are now exploiting the bug.
How Bad Is It?
Dozens of organizations have already been hacked, according to reports. The affected include companies across multiple sectors — even some government entities.
Because this vulnerability was being exploited before Microsoft had a patch available, it’s classified as a zero-day — attacks began while defenders had no fix to apply and no time to prepare.
Microsoft has now released security updates to patch the flaw. But experts warn that anyone using a self-hosted SharePoint server should assume they’ve been breached and take steps immediately.
Microsoft and Google Urge Immediate Action
Both tech giants are urging customers to:
- Patch SharePoint systems right away
- Run security scans for signs of compromise
- Check for suspicious behavior across their networks
If your organization hosts its own SharePoint instance and hasn’t patched it yet, you’re likely vulnerable.
China Denies Responsibility
When contacted for comment, China’s Embassy in Washington, D.C., responded by saying:
“China firmly opposes and combats all forms of cyberattacks and cybercrime — a position that is consistent and clear.”
However, this isn’t the first time China-backed hackers have targeted Microsoft tools. In 2021, a group dubbed Hafnium was linked to a mass hacking campaign that broke into over 60,000 Microsoft Exchange email servers worldwide.
That campaign exposed private mailboxes and sensitive contact data from governments, schools, and private businesses.
Key Takeaways
- A critical SharePoint bug (CVE-2025-53770) is being actively exploited.
- China-backed hacker groups are targeting self-hosted servers.
- The attack can steal data, plant malware, and spread across systems.
- Microsoft has released patches, but many systems may already be compromised.
- If you run SharePoint in-house, update now and check for intrusions.
Final Thoughts
This incident is a strong reminder that zero-day threats are real, fast-moving, and often state-sponsored. As geopolitical tensions rise, so do cyberattacks — especially against software systems used by governments and enterprises.
Make sure your IT teams are alert, your systems are patched, and your network is monitored.