Microsoft has issued a stark warning, confirming that multiple China-backed nation-state hacking groups are actively exploiting critical vulnerabilities in on-premises Microsoft SharePoint servers. These sophisticated attacks, which began as early as July 7, have already compromised dozens of organizations globally, including government agencies, critical infrastructure, and private sector entities.
The tech giant has identified two prominent Chinese nation-state actors, “Linen Typhoon” (also tracked as APT27) and “Violet Typhoon” (also known as APT31), as being at the forefront of this malicious campaign. A third China-based group, “Storm-2603,” is also exploiting the flaws, though its specific motives are still under investigation.
The attacks leverage recently disclosed zero-day vulnerabilities, specifically CVE-2025-49706 and CVE-2025-49704, which allow attackers to bypass authentication and execute remote code. This grants unauthorized access to SharePoint content, file systems, and internal configurations. Further, two new CVEs, CVE-2025-53770 and CVE-2025-53771, were assigned to bypasses for earlier patches, indicating a persistent and evolving threat.
Linen Typhoon, active since 2012, has historically focused on intellectual property theft from government, defense, and human rights organizations. Violet Typhoon, operating since 2015, specializes in espionage, targeting government and military officials, NGOs, think tanks, and media organizations across the U.S., Europe, and East Asia. The motivation behind Storm-2603, while assessed with medium confidence as China-based, remains less clear, though the group has previously been linked to ransomware activities.
The impact of these attacks is significant. Compromised organizations risk not only data exfiltration but also the potential for long-term access by the attackers. Experts warn that the theft of authentication keys and the deployment of persistent backdoors could allow threat actors to maintain access even after patches are applied. This situation draws parallels to the widespread compromise of Microsoft Exchange servers in 2021 by Chinese state-sponsored actors.
Microsoft has strongly urged all customers running on-premises SharePoint servers to immediately apply the emergency security updates released this week. The company also advises organizations to rotate their SharePoint server ASP.NET machine keys and invalidate old ones to mitigate the risk of continued access. It is crucial to note that Microsoft’s cloud-based SharePoint Online service remains unaffected by these vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, mandating federal civilian agencies to patch immediately. The ongoing nature and global reach of these attacks underscore the urgent need for organizations to prioritize patching and bolster their cybersecurity defenses against sophisticated nation-state adversaries.
