Microsoft has issued a critical security alert after discovering that multiple China-linked hacking groups are exploiting a newly discovered vulnerability in its SharePoint software, a widely used platform for storing and sharing sensitive documents in corporate and government environments.
The flaw, designated CVE-2025-53770, is a zero-day vulnerability, meaning it was actively being exploited before Microsoft had the chance to develop and distribute a fix.
The exploit allows attackers to steal private security keys and remotely install malware on self-hosted versions of SharePoint — potentially compromising entire corporate networks.
Hackers going after private data and trade secrets
In a blog post published Tuesday, Microsoft revealed that at least three advanced persistent threat (APT) groups believed to be backed by the Chinese government had been exploiting the flaw since as early as July 7. These groups include:
- Linen Typhoon focused on stealing intellectual property from corporations.
- Violet Typhoon, known for espionage operations and data theft.
- Storm-2603, a lesser-known group with ties to past ransomware campaigns.
Microsoft says the hackers are using the vulnerability to infiltrate unpatched SharePoint servers, steal sensitive data, and establish backdoor access to broader internal systems.
“Organizations running self-hosted SharePoint servers should assume breach and initiate comprehensive forensic investigations,” Microsoft warned.
“We assess with high confidence that threat actors will continue to integrate these exploits into their attacks against unpatched on-premises SharePoint systems,” it added.
- Microsoft said it has released security updates that fully protect customers using all supported versions of SharePoint affected by CVE-2025-53770 and CVE-2025-53771. It urged SharePoint users to apply the updates immediately.
- Earlier on Monday, experts had warned that thousands of organizations, including government agencies, energy firms, universities, and enterprises, may be at risk of significant breaches due to the SharePoint flaw.
- According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability allows hackers to access internal file systems, configurations, and even execute malicious code remotely, essentially granting them high-level control over compromised servers.
What you should know
This is not the first time hackers linked to China are being accused of attacks in recent years. Hackers backed by China were accused of targeting self-hosted Microsoft Exchange email servers in 2021 as part of a mass-hacking campaign.
According to a recent Justice Department indictment accusing two Chinese hackers of masterminding the breaches, the so-called “Hafnium” hacks compromised contact information and private mailboxes from more than 60,000 affected servers.
However, the Chinese government has long rebuffed allegations that it has carried out cyberattacks, though it has not always explicitly denied its involvement.
