A critical Microsoft SharePoint vulnerability is being actively exploited, and hackers linked to the Chinese government are believed to be responsible.
What is the Situation Now?
Both Google and Microsoft report that hackers affiliated with the Chinese government have been exploiting a critical zero-day flaw in SharePoint.
The flaw, tracked as CVE-2025-53770, was only disclosed last Saturday, yet both companies say it has been under active exploitation since July 7.
What is the Cause for Such Concern?
SharePoint is used extensively by companies, government agencies, and other entities to store sensitive internal documents and files. Numerous organizations run self-hosted, on-premises SharePoint Server deployments, and that is precisely where the vulnerability lies; the cloud-hosted SharePoint Online service in Microsoft 365 is not affected.

Exploitation of the vulnerability allows attackers to:
- Steal cryptographic key material, in particular the server's ASP.NET machine keys, which lets them forge authentication tokens and keep access even after the server is patched
- Deploy remotely controlled malware (backdoors)
- Access private files and internal systems
- Move laterally to other systems on the same network
Essentially, this vulnerability provides hackers with a catastrophic level of control.
Who is Behind the Campaign?
Microsoft attributes the campaign to the following three China-based hacker groups:
- Linen Typhoon — Known for stealing proprietary and sensitive information.
- Violet Typhoon — Specializes in data gathering for espionage purposes.
- Storm-2603 — A relatively obscure group that has been associated with ransomware attacks in the past.
Google's Mandiant unit has also weighed in. Charles Carmakal, Mandiant's CTO, confirmed that at least one of the groups has strong ties to China and pointed out that there are now multiple hacking teams working to exploit the bug.
How Bad Is It?
Reports indicate that dozens of organizations have been breached, including companies across various sectors and some government entities.
Because the vulnerability was exploited before Microsoft had a fix available, it is classified as a zero-day: defenders had zero days to prepare before the attacks began.
Microsoft has now issued security updates for the flaw. However, experts caution that any organization with a self-hosted SharePoint server should assume that it has been breached and act accordingly. Because the attackers have been stealing the servers' ASP.NET machine keys, Microsoft also advises rotating those keys and restarting IIS after patching; a patched server whose keys were stolen can still be accessed with forged requests.
Microsoft and Google Urge Immediate Action
Both companies have issued the following recommendations to their customers:
- Patch SharePoint servers immediately.
- Scan for any indicators of compromise.
- Investigate any malicious activity within their systems.
If your organization self-hosts a SharePoint instance and has not applied the patch, you are most likely at risk.
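The three recommendations above are a procedure, so here is one way to carry it out on a single on-premises SharePoint server. This is an added example written for this page, not code from the original article, from Microsoft, or from Google. It assumes SharePoint 2016/2019/Subscription Edition (the "16" hive under Common Files), the default IIS log location, and a build recent enough to ship the Update-SPMachineKey cmdlet; the web-shell file name and the ToolPane.aspx/SignOut.aspx request pattern are the indicators that were publicly reported for this exploitation wave, and the July 7 start date is the one cited by Microsoft and Google. Run it from an elevated PowerShell session as a farm administrator on each server in the farm.

```powershell
# Added example (not from the original article, Microsoft or Google): triage an
# on-premises SharePoint server for the CVE-2025-53770 exploitation wave.
# Assumptions: "16" hive (SharePoint 2016/2019/SE), default IIS log path, and a
# build that includes Update-SPMachineKey. Run elevated as a farm administrator.
[CmdletBinding()]
param(
    [datetime]$ExploitStart = '2025-07-07',  # earliest exploitation date cited by Microsoft and Google
    [switch]$RotateKeys                      # set only AFTER the security update is installed
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# --- 1. Patch state: record the farm build so it can be compared with the fixed
#        build number listed in Microsoft's advisory for this SharePoint version.
$build = (Get-SPFarm).BuildVersion
Write-Host "Farm build: $build  (compare with the fixed build in Microsoft's advisory)"

# --- 2. Scan for web shells in the LAYOUTS directory, which is served by IIS.
#        Two checks: the publicly reported file name (spinstall*.aspx) and any
#        server-side script created or modified since exploitation began.
$layouts = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'

$knownShells   = Get-ChildItem -Path $layouts -Recurse -File -Filter 'spinstall*.aspx'
$recentScripts = Get-ChildItem -Path $layouts -Recurse -File -Include *.aspx, *.ashx, *.asmx |
    Where-Object { $_.CreationTime -ge $ExploitStart -or $_.LastWriteTime -ge $ExploitStart }

$suspicious = @($knownShells) + @($recentScripts) | Sort-Object FullName -Unique
foreach ($f in $suspicious) {
    $sha256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Warning "Suspicious file: $($f.FullName)  created $($f.CreationTime)  sha256 $sha256"
}

# --- 3. Investigate: the reported exploit chain arrives as a POST to ToolPane.aspx
#        carrying a Referer of /_layouts/SignOut.aspx. W3C-format IIS logs record
#        cs-method, cs-uri-stem and cs(Referer) on one line, so a regex over the
#        logs written since the start date surfaces matching requests.
$iisLogs = Get-ChildItem -Path 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' -File |
    Where-Object { $_.LastWriteTime -ge $ExploitStart }

$hits = @($iisLogs | Select-String -Pattern 'POST \S*/ToolPane\.aspx .*SignOut\.aspx')
foreach ($h in $hits) {
    Write-Warning "Exploit-pattern request: $($h.Filename):$($h.LineNumber)  $($h.Line)"
}

# --- 4. Rotate the ASP.NET machine keys. Stolen ValidationKey/DecryptionKey
#        material lets an attacker craft signed __VIEWSTATE payloads against an
#        already patched server, so patching without rotation does not evict them.
#        Update-SPMachineKey is the cmdlet Microsoft points to; on builds without
#        it, run the "Machine Key Rotation Job" timer job from Central Administration.
if ($RotateKeys) {
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine key for $($webApp.DisplayName)"
        Update-SPMachineKey -WebApplication $webApp
    }
    iisreset.exe   # new keys take effect only after IIS restarts on this server
}

# Summary object for the incident record.
[pscustomobject]@{
    FarmBuild        = $build
    SuspiciousFiles  = $suspicious.Count
    ExploitRequests  = $hits.Count
    KeysRotated      = [bool]$RotateKeys
}
```

Run it first without -RotateKeys to collect evidence (file hashes, log lines) before anything is changed, install the security update, then run it again with -RotateKeys on every server in the farm. Any suspicious file or matching request should be treated as a confirmed breach and handled under the organization's incident-response process rather than simply deleted.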
China Denies Responsibility
Through its Ministry of Foreign Affairs, China has denied any involvement, stating:
“China firmly opposes and combats all forms of cyberattacks and cybercrime — a position that is consistent and clear.”
China-sponsored hackers have targeted Microsoft server software before. In 2021, a group known as Hafnium was linked to a vast campaign that compromised more than 60,000 Microsoft Exchange email servers.
That campaign compromised a wealth of information, including email and contact databases of numerous private, governmental, and academic institutions.
Key Takeaways
- Active exploitation of a severe SharePoint vulnerability (CVE-2025-53770) continues.
- China-backed hacker groups are actively targeting self-hosted servers.
- The attack is capable of data theft, and malware implantation, as well as system-wide propagation.
- Although a patch is now available, numerous systems are likely to have already been compromised.
- Organizations running SharePoint in-house are advised to patch, rotate their ASP.NET machine keys, and check for backdoors on the assumption that their servers have been compromised.
Final Thoughts
This SharePoint incident underscores that zero-day exploitation can be fast and dangerous, and is frequently the work of state-sponsored actors. The rise of cyber operations against government and enterprise software coincides with rising geopolitical tensions.
Make sure your IT staff is proactive, your systems are current with updates, and your network traffic is actively monitored.