Security researchers from Google and Microsoft have uncovered alarming evidence that hackers supported by China are actively exploiting a zero-day vulnerability in Microsoft SharePoint. This flaw, officially designated as CVE-2025-53770, was discovered just last weekend and has prompted a global scramble among companies to patch it. The vulnerability allows malicious actors to steal sensitive private keys from self-hosted versions of SharePoint, a widely used server software for storing and sharing internal documents.
Once exploited, this zero-day bug enables attackers to remotely install malware and gain unauthorized access to sensitive files and data stored within SharePoint. Furthermore, they can potentially infiltrate other systems connected to the same network, escalating the risk of data breaches across organizations. As the situation develops, companies are urged to prioritize the security of their SharePoint installations.
In a recent blog post, Microsoft reported that it has identified at least two well-known hacking groups with ties to China, dubbed “Linen Typhoon” and “Violet Typhoon”, as being actively involved in exploiting this zero-day vulnerability. Microsoft describes Linen Typhoon as primarily focused on intellectual property theft, whereas Violet Typhoon targets private information for espionage purposes. The company also referenced a third group, “Storm-2603,” which has less publicly available information but has been linked to previous ransomware attacks.
Microsoft indicated that these hacking groups have been exploiting the zero-day vulnerability to compromise unprotected SharePoint servers since at least July 7. Charles Carmakal, the Chief Technology Officer at Google’s incident response unit Mandiant, confirmed in an email to TechCrunch that “at least one of the actors responsible” is a hacking group with connections to China, emphasizing that “multiple actors are now actively exploiting this vulnerability.”
Dozens of organizations, including those in the government sector, have already fallen victim to these cyberattacks. The current bug is classified as a zero-day because Microsoft had insufficient time to issue a patch before it was exploited in the wild. Although Microsoft has since released security patches for all affected SharePoint versions, security experts caution that organizations running self-hosted versions should assume they have already been compromised.
As the situation continues to unfold, a spokesperson for the Chinese Embassy in Washington D.C. has not responded to requests for comment. Historically, the Chinese government has denied allegations of conducting cyberattacks, although it has not explicitly denied involvement in this specific case.
As companies navigate this serious threat, vigilance and prompt action to apply security updates are essential in mitigating the risks associated with this zero-day vulnerability in Microsoft SharePoint.