Microsoft has confirmed that China-aligned state actors are exploiting a critical zero-day vulnerability in on-premises SharePoint Server (SharePoint Online in Microsoft 365 is not affected). The attribution lines up with earlier findings from other security teams, including Google Cloud's Mandiant, and the message to organizations running SharePoint on their own infrastructure is blunt: patch now, then assume the box may already have been visited. Because SharePoint sits at the center of document sharing in many government and enterprise networks, the implications for both the public and private sectors are significant.
Understanding the Vulnerability
The vulnerabilities at the center of this campaign are CVE-2025-53770 and CVE-2025-53771. CVE-2025-53770 is a deserialization-of-untrusted-data flaw that gives an unauthenticated attacker remote code execution (RCE) on the server; CVE-2025-53771 is a spoofing flaw that lets the attacker reach the vulnerable code path without valid credentials. Together they put every supported on-premises version of SharePoint Server at risk. Microsoft's investigation shows exploitation was already underway before a fix existed, with attempts observed as early as July 7, 2025. Both are variants of flaws Microsoft had already patched in its July 2025 security update, CVE-2025-49704 (RCE) and CVE-2025-49706 (spoofing); the new CVEs bypass those earlier fixes, which is why a server that took the July Patch Tuesday update was still exposed until the follow-up updates shipped.
Microsoft's urgency is clear. According to a spokesperson, the company has issued security updates for all supported versions of SharePoint Server, namely the Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, and is urging customers to install them immediately. Alongside the updates Microsoft published hunting and mitigation guidance, a signal of how seriously it views the situation. One caveat matters for anyone planning the response: the patch closes the entry point but does not undo what an attacker who already got in may have taken. In particular, the attackers have been stealing the server's ASP.NET machine keys (see the actor profiles below), and a stolen ValidationKey lets an attacker forge signed ViewState payloads that still execute after the update is applied. Microsoft's guidance therefore pairs patching with rotating the SharePoint machine keys, restarting IIS, and hunting for web shells dropped during the window of exposure.
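As an added example of the kind of hunt the guidance above calls for (this code is written for this page, not taken from Microsoft's guidance or any vendor tool), the script below parses IIS W3C logs from a SharePoint front end and flags the published exploitation pattern for these CVEs: an unauthenticated POST to ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx, followed by a request for the dropped web shell spinstall0.aspx (or a numbered variant). Those two indicators come from Microsoft's public hunting guidance for CVE-2025-53770/53771; the log lines, IP addresses and usernames are constructed for the example and are not real traffic.

```python
"""Hunt IIS W3C logs for the CVE-2025-53770/53771 exploitation pattern.

Added example, not code from the article or from Microsoft. Indicators used:
  * POST to /_layouts/15/ToolPane.aspx with Referer /_layouts/SignOut.aspx
    (the authentication bypass that precedes the deserialization payload)
  * any request for /_layouts/15/spinstall0.aspx or a numbered variant
    (the web shell the campaign drops into the LAYOUTS directory)
"""
from __future__ import annotations

import re
from typing import Iterable

TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx", re.I)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx", re.I)

# Constructed sample log (not real traffic). IIS writes one space-separated
# record per request and declares the column order in a '#Fields:' directive.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:12:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 - 200
2025-07-18 10:12:33 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:12:35 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 10:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 /_layouts/15/start.aspx 200
"""


def parse_w3c(lines: Iterable[str]) -> list[dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by field name.

    The column order is taken from the most recent '#Fields:' directive, so
    logs with a customised field set still parse. Records whose token count
    does not match the directive are skipped rather than mis-aligned.
    """
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date and similar directives
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def hunt_toolshell(records: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return one finding per matching record.

    Each finding carries the client IP and the reason. When the same client
    both triggered the ToolPane/SignOut bypass and then fetched the web shell,
    its findings are escalated to 'high', since that sequence is the full
    exploit chain rather than a lone scanner probe.
    """
    findings: list[dict[str, str]] = []
    stages_by_ip: dict[str, set[str]] = {}
    for rec in records:
        stem = rec.get("cs-uri-stem", "")
        referer = rec.get("cs(Referer)", "-")
        method = rec.get("cs-method", "").upper()
        ip = rec.get("c-ip", "?")
        when = f"{rec.get('date', '?')} {rec.get('time', '?')}"
        if method == "POST" and TOOLPANE_RE.search(stem) and SIGNOUT_REFERER_RE.search(referer):
            findings.append({"time": when, "c-ip": ip, "severity": "medium",
                             "reason": "POST to ToolPane.aspx with SignOut.aspx referer (auth bypass)"})
            stages_by_ip.setdefault(ip, set()).add("bypass")
        if WEBSHELL_RE.search(stem):
            findings.append({"time": when, "c-ip": ip, "severity": "medium",
                             "reason": f"request for known web shell path {stem}"})
            stages_by_ip.setdefault(ip, set()).add("webshell")
    for f in findings:
        if stages_by_ip.get(f["c-ip"]) == {"bypass", "webshell"}:
            f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for finding in hunt_toolshell(parse_w3c(SAMPLE_LOG.splitlines())):
        print(f"[{finding['severity']}] {finding['time']} {finding['c-ip']}: {finding['reason']}")
```

Run it against real logs by replacing SAMPLE_LOG with the contents of the W3C files under the IIS LogFiles directory for each SharePoint web application. A hit on the web-shell path alone is worth a ticket; the escalated 'high' pairing from one client is the signal to treat the server as compromised and to rotate machine keys rather than only patch.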
The Actors Behind the Threats
Microsoft has named three threat actor groups in the ongoing attacks: Linen Typhoon, Violet Typhoon, and Storm-2603. Each has a distinct operating style and target set, reflecting the broader objectives of Chinese cyber espionage.
- Linen Typhoon: Active since about 2012, Linen Typhoon concentrates on stealing intellectual property from organizations tied to government, defense, strategic planning, and human rights. It has historically relied on exploits for unpatched flaws, including in "drive-by" compromises, to gain initial access.
- Violet Typhoon: Active since 2015, Violet Typhoon conducts espionage against non-governmental organizations, think tanks, and higher education, among others. Its hallmark is persistent scanning of exposed web infrastructure for vulnerabilities it can use to install web shells, which is exactly the pattern seen against SharePoint here.
- Storm-2603: Still under investigation, Storm-2603 is assessed with medium confidence to be China-based and has not been linked to the other two groups. Microsoft has observed it using the SharePoint flaws to steal the server's ASP.NET machine keys, the secrets that sign and encrypt ViewState; with those keys an attacker can craft signed payloads that keep working after the patch, which is why key rotation is part of the remediation. The group has previously been seen deploying ransomware, including LockBit, but its objectives in this campaign are not yet clear.
This breakdown of the actors involved shows the range of motives behind a single exploit, from long-running espionage to possible extortion. Microsoft's weather-themed naming taxonomy, in which the "Typhoon" family denotes China-based actors and "Storm" followed by a number marks an actor that has not yet been fully attributed, lets defenders track these groups consistently across reports and respond with the appropriate playbook.
The Need for Immediate Action
The implications of these vulnerabilities and the actors behind them are hard to overstate. Organizations depend on SharePoint for collaboration and document management, so a server compromise exposes not only operations but the confidentiality and integrity of the data stored there. Microsoft has also warned that additional actors are likely to pick up the same exploits against unpatched on-premises systems, so the window for quiet remediation is closing.
For organizations, that means treating this as an incident, not just a patch cycle: apply the updates, rotate the SharePoint machine keys and restart IIS, hunt for web shells and other signs of post-exploitation activity, and keep internet-facing on-premises servers under close monitoring. Beyond the immediate response, a disciplined patch management process and a security program that adapts as threats evolve are what keep the next bypass from becoming the next breach.
Staying informed is part of that posture. The Cybersecurity and Infrastructure Security Agency (CISA) has noted that ransomware incidents rose significantly in 2022, with attackers hitting organizations across many sectors, which underscores why proactive measures matter well beyond any single vulnerability [CISA].
Conclusion
The SharePoint situation is a moment for organizations to reassess and strengthen their security practices. State-sponsored actors keep refining their tactics, and here they turned a patched flaw into a working zero-day within weeks, so complacency is not an option. By patching promptly, rotating exposed secrets, and hunting for signs of intrusion, organizations can substantially reduce the risk these attacks pose.