Microsoft has issued an urgent cybersecurity warning following the discovery of a critical vulnerability in its widely-used SharePoint software, which has been actively exploited by state-sponsored hackers believed to be linked to China.
The vulnerability, identified as CVE-2025-53770, is classified as a zero-day flaw; a type of security loophole that is exploited before developers are aware or able to issue a fix. According to Microsoft, this exploit allows hackers to remotely install malicious software, steal private security certificates, and potentially compromise entire organizational networks running self-hosted versions of SharePoint.
Sophisticated Cyber Threat Groups Behind the Attacks
In a blog post released on Tuesday, Microsoft confirmed that at least three advanced persistent threat (APT) groups with ties to the Chinese government have been actively exploiting the flaw since July 7, 2025. These groups include:
- Linen Typhoon – focused on stealing corporate intellectual property.
- Violet Typhoon – engaged in state-sponsored espionage and data exfiltration.
- Storm-2603 – a lesser-known group with past connections to ransomware campaigns.
Microsoft stated that these actors have been targeting unpatched SharePoint servers, enabling them to access sensitive files, install backdoors, and manipulate internal systems without detection.
“Organizations operating self-hosted SharePoint environments should presume compromise and immediately conduct thorough forensic assessments,” Microsoft cautioned.
The tech giant added that threat actors are likely to expand their use of the exploit as part of future cyber operations if systems remain unpatched.
Patch Available – But Risk Remains High
Microsoft has since released security patches addressing both CVE-2025-53770 and a related flaw, CVE-2025-53771, and is urging all affected users to install the updates immediately. The patches apply to all supported SharePoint versions.
Cybersecurity experts warned on Monday that thousands of organizations including government institutions, energy companies, educational institutions, and large enterprises remain vulnerable if they fail to update their systems promptly.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also weighed in, noting that the SharePoint vulnerability gives attackers the ability to access internal file systems, execute arbitrary code, and essentially gain administrative control over compromised servers.
Not the First Time for Chinese-Backed Attacks
This incident adds to a growing list of alleged cyber offensives involving Chinese-backed hackers. In 2021, a group known as Hafnium also believed to be operating under the influence of the Chinese state was blamed for mass hacks of Microsoft Exchange email servers, which affected over 60,000 organizations worldwide.
In a Justice Department indictment related to that campaign, two Chinese nationals were accused of orchestrating the attacks, which compromised sensitive data, contact lists, and mailboxes.
Despite repeated accusations, the Chinese government has consistently denied any official involvement in these cyber incidents, although it has refrained from directly addressing specific allegations.
