Microsoft Warns of China-Backed Cyberattacks Exploiting SharePoint Zero-Day Vulnerability (CVE-2025-53770)

Microsoft Issues Critical Security Alert Over SharePoint Exploit by China-Linked Hackers

Microsoft has raised a red flag over a severe zero-day vulnerability (CVE-2025-53770) in its widely used SharePoint software, warning that state-backed hacking groups from China are actively exploiting the flaw in a global cyberattack campaign.

What Is CVE-2025-53770?

The newly discovered zero-day flaw affects self-hosted versions of SharePoint, allowing attackers to:

  • Steal private security keys
  • Remotely install malware
  • Compromise corporate and government networks

This vulnerability was being exploited before a security patch was available, making it extremely dangerous for unpatched systems.

Who Is Behind the Attacks?

Microsoft says three advanced persistent threat (APT) groups linked to the Chinese government are responsible for exploiting the flaw:

  • Linen Typhoon: Targets intellectual property and corporate secrets
  • Violet Typhoon: Known for cyber-espionage and data exfiltration
  • Storm-2603: Believed to have past connections to ransomware campaigns

These hackers have been exploiting the vulnerability since early July, infiltrating SharePoint servers and establishing backdoor access to internal systems.

Widespread Risk: Who Is Affected?

According to Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), thousands of organisations may be at risk, including:

  • Government agencies
  • Energy and infrastructure firms
  • Universities and research institutions
  • Large enterprises with on-premises SharePoint deployments

CISA emphasised that attackers can:

  • Access internal configurations and file systems
  • Execute remote code
  • Gain administrator-level control over servers

Microsoft’s Recommendations and Fixes

Microsoft has now released security patches that protect all supported versions of SharePoint from both CVE-2025-53770 and CVE-2025-53771. The company strongly advises all users of self-hosted SharePoint systems to:

  • Update immediately
  • Assume breach and initiate full forensic investigations
  • Monitor for signs of lateral movement and persistent backdoors

“We assess with high confidence that threat actors will continue to integrate these exploits into future attacks,” Microsoft stated.

Not the First Time: China-Linked Cyber Threats to Microsoft

This isn’t the first instance of China-backed cyberattacks targeting Microsoft infrastructure. In 2021, the group known as Hafnium exploited vulnerabilities in Microsoft Exchange servers, compromising over 60,000 email systems worldwide.

A U.S. Justice Department indictment later identified two Chinese nationals behind the campaign, which harvested private emails, contact lists, and sensitive documents.

While China has consistently denied involvement in state-sponsored cyberattacks, it has not explicitly rebutted these specific incidents.

Conclusion

The exploitation of SharePoint’s zero-day vulnerability CVE-2025-53770 by China-linked hacking groups is a serious national and corporate security concern. Organisations running on-premises SharePoint systems should prioritise patching and threat detection to avoid data breaches and loss of control over their servers.
