Chinese Hackers Exploit SharePoint Zero-Day, Warn Google & Microsoft

Summary
– Google and Microsoft researchers found China-backed hackers exploiting a zero-day bug (CVE-2025-53770) in Microsoft SharePoint to steal private keys and plant malware.
– The bug allows attackers to access files, data, and other systems on the same network, affecting self-hosted SharePoint servers.
– Microsoft identified three China-linked hacking groups—Linen Typhoon, Violet Typhoon, and Storm-2603—exploiting the flaw since July 7, targeting intellectual property and espionage.
– Microsoft has released patches, but security experts warn self-hosted SharePoint users may already be compromised, with dozens of organizations hacked, including government entities.
– China has historically denied involvement in cyberattacks, though its hackers were previously linked to the 2021 Microsoft Exchange breaches affecting 60,000+ servers.
Security experts from Google and Microsoft have uncovered a critical vulnerability in Microsoft SharePoint being actively exploited by Chinese state-sponsored hackers. The flaw, identified as CVE-2025-53770, enables attackers to steal sensitive encryption keys from self-hosted SharePoint servers, potentially compromising entire corporate networks.
The vulnerability allows unauthorized access to stored documents and systems connected to the same network. Once inside, hackers can deploy malware, exfiltrate confidential data, and move laterally across infrastructure. Microsoft confirmed that at least three China-linked threat groups, Linen Typhoon, Violet Typhoon, and Storm-2603, have weaponized the flaw since early July. While Linen Typhoon targets intellectual property theft, Violet Typhoon specializes in espionage-related data harvesting. Storm-2603, a lesser-known group, has previously been tied to ransomware operations.
Charles Carmakal, a senior executive at Google’s Mandiant, warned that multiple hacking collectives are capitalizing on the vulnerability, with confirmed breaches across government and enterprise sectors. The zero-day nature of the exploit left organizations exposed before Microsoft could release patches, now available for all affected SharePoint versions. However, security teams advise self-hosted SharePoint users to conduct immediate audits, assuming potential compromise.
This incident follows a pattern of Chinese cyber operations targeting Microsoft products. In 2021, Beijing-aligned hackers exploited Exchange Server vulnerabilities in the widespread Hafnium campaign, compromising tens of thousands of mailboxes. While China routinely denies involvement in cyberattacks, U.S. authorities have consistently attributed such breaches to state-backed actors.
The Chinese Embassy in Washington has not responded to requests for comment. Meanwhile, businesses reliant on SharePoint are urged to apply updates and monitor for suspicious activity. With nation-state hackers increasingly leveraging software vulnerabilities, proactive defense measures are no longer optional; they are critical for organizational survival.
(Source: TechCrunch)