
Chinese Hackers Exploit SharePoint Zero-Day - Google & Microsoft Alert

July 22, 2025

China-Linked Hackers Exploit SharePoint Zero-Day Vulnerability

Security researchers from both Google and Microsoft have presented evidence indicating that cyber attackers associated with China are actively exploiting a previously unknown vulnerability – a zero-day bug – within Microsoft SharePoint.

Details of the Vulnerability (CVE-2025-53770)

Discovered last weekend, the flaw, officially designated as CVE-2025-53770, permits unauthorized access to sensitive private keys from self-hosted SharePoint installations, that is, servers managed by organizations themselves. It affects versions of the software commonly used for internal document storage and sharing.

Successful exploitation allows attackers to remotely install malicious software and gain unauthorized access not only to stored files and data, but also potentially to other systems connected to the same network.

Attribution to Chinese Hacking Groups

Microsoft, in a blog post released on Tuesday, identified at least two China-affiliated hacking groups, known as “Linen Typhoon” and “Violet Typhoon,” as actively leveraging this SharePoint zero-day.

Linen Typhoon is reportedly focused on the theft of intellectual property, while Violet Typhoon concentrates on acquiring private information for espionage purposes.

A third group, “Storm-2603,” also linked to China, has been implicated in the ongoing attacks. Microsoft acknowledges having less detailed information about this particular hacking entity, but notes its past association with ransomware incidents.

Timeline of Exploitation

Observations indicate that these three hacking groups began exploiting the vulnerability as early as July 7th, gaining access to vulnerable SharePoint servers.

Charles Carmakal, CTO of Google’s Mandiant incident response team, confirmed to TechCrunch that at least one of the responsible actors has ties to China. He also stated that multiple groups are currently exploiting the vulnerability.

Widespread Impact and Remediation

Numerous organizations, including those within the government sector, have already been compromised. The vulnerability is classified as a zero-day because Microsoft had no prior opportunity to release a security patch before active exploitation began.

Microsoft has since issued patches for all affected SharePoint versions. However, security experts advise that organizations managing their own SharePoint installations should operate under the assumption that a breach has already occurred.

China's Response

The Chinese government consistently denies involvement in cyberattacks. Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, D.C., reiterated this stance, stating that China “firmly opposes and combats all forms of cyber attacks and cyber crime.”

Recent History of China-Linked Hacking Campaigns

This incident represents the latest in a series of hacking campaigns attributed to China. In 2021, Chinese-backed hackers targeted self-hosted Microsoft Exchange email servers in a large-scale operation.

A Justice Department indictment alleges that the “Hafnium” group compromised contact information and private mailboxes on over 60,000 servers.

This article was updated to include a statement from the Chinese government.
