Microsoft has observed at least three China-backed threat actors targeting internet-facing SharePoint servers.
Microsoft’s SharePoint woes have continued to worsen overnight, with the Redmond software giant now disclosing that it has observed at least three China-backed hacking groups targeting several critical vulnerabilities in its web-based storage platform.
Microsoft and a raft of security agencies around the world first began raising the alarm regarding CVE-2025-53770 – an RCE bug related to the previously disclosed CVE-2025-49706 – late last week, but since then, matters have gotten worse. Microsoft has now disclosed a second SharePoint vulnerability, CVE-2025-53771, which is also being actively exploited.
“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” Microsoft said in a 22 July blog post.
“In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”
The threat actors have been observed deploying web shells to steal the servers’ MachineKey data, which gives them full access to SharePoint content and the ability to execute code remotely. Microsoft believes the exploitation of unpatched, on-prem SharePoint systems will only continue.
Who are the hackers?
According to Microsoft, Linen Typhoon has been active since at least 2012 and is largely focused on acquiring intellectual property linked to government and defence sectors, particularly in relation to human rights and strategic planning.
Violet Typhoon, on the other hand, has been active since 2015 and is more focused on espionage, targeting former military and government employees, NGOs, higher education, media, and the healthcare sector.
Storm-2603 is, Microsoft believes, most likely linked to the People’s Republic of China, but investigations into who the group is exactly, and who they are close to, are ongoing.
“Although Microsoft has observed this threat actor deploying Warlock and LockBit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” Microsoft said.
Why this matters
“The SharePoint vulnerability is exactly what happens when organisations treat security updates as optional. We’re looking at unauthenticated access to systems with full access to SharePoint content, enabling attackers to execute code over the network, a complete compromise,” Marijus Briedis, chief technology officer at NordVPN, said.
“When your employer, bank, or healthcare provider gets hit through SharePoint, the consumer pays the price. SharePoint servers often connect to other Microsoft services such as Outlook and Teams, meaning such a breach can quickly lead to data theft and password harvesting. Emails, financial records, and medical data are interconnected, and once attackers are inside, they’re harvesting everything.”
Researchers already believe thousands of organisations may be vulnerable, and at least 100 have already been compromised. What’s worse, standard protections such as the Windows Anti-malware Scan Interface (AMSI) can be easily bypassed. watchTowr CEO Benjamin Harris has seen exactly that in his company’s internal testing.
“The watchTowr Labs team has developed and deployed internal payloads exploiting CVE-2025-53770 that bypass AMSI. This has allowed us to continue identifying vulnerable systems even after mitigations like AMSI have been applied. AMSI was never a silver bullet, and this outcome was inevitable. But we’re concerned to hear that some organisations are choosing to ‘enable AMSI’ instead of patching. This is a very bad idea,” Harris said.
“Now that exploitation has been linked to nation-state actors, it would be naive to think they could leverage a SharePoint zero-day but somehow not bypass AMSI. Organisations must patch. Should go without saying – all the public PoCs will trigger AMSI, and mislead organisations into believing the mitigations are comprehensive/the host is no longer vulnerable. This would be incorrect.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.