Security Researchers Uncover Evidence of China-Backed Hackers Exploiting Microsoft SharePoint Zero-Day Bug
According to security researchers at Google and Microsoft, hackers supported by China have been found to be exploiting a zero-day vulnerability in Microsoft SharePoint. This has prompted companies worldwide to rush and patch the flaw. The exploited bug allows hackers to steal sensitive private keys from self-hosted versions of SharePoint, which is widely used by companies to store and share internal documents.
The vulnerability, officially tracked as CVE-2025-53770, was discovered last weekend. Once exploited, it lets an attacker plant malware remotely, gain unauthorized access to the files and data stored on the SharePoint server, and move on to other systems on the same network.
In a blog post published on Tuesday, Microsoft revealed that it had observed at least two China-backed hacking groups, known as “Linen Typhoon” and “Violet Typhoon,” exploiting the SharePoint zero-day vulnerability. Microsoft states that Linen Typhoon focuses on stealing intellectual property, while Violet Typhoon steals private information for espionage purposes.
Microsoft also attributed the ongoing hacks to a third China-backed hacking group, named “Storm-2603.” Although the company has less information about this group, it has been linked to ransomware attacks in the past. The three hacking groups were observed exploiting the zero-day vulnerability to break into vulnerable SharePoint servers as early as July 7.
Charles Carmakal, the chief technology officer at Google’s incident response unit Mandiant, stated in an email that at least one of the actors responsible was a China-nexus hacking group. However, he noted that multiple actors are now actively exploiting this vulnerability. Dozens of organizations have already been hacked, including government agencies, and the bug is considered a zero-day because Microsoft had no time to issue a patch before it was actively exploited.
Microsoft has since rolled out patches for all affected versions of SharePoint, but security researchers have warned that customers running self-hosted versions of SharePoint should assume they have already been compromised. The Chinese government has long denied allegations of carrying out cyberattacks, although it has not always explicitly denied its involvement.
When reached for comment, Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, D.C., stated that China “firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear.” This is the latest hacking campaign linked to China in recent years, with hackers backed by China accused of targeting self-hosted Microsoft Exchange email servers in 2021 as part of a mass-hacking campaign.
According to a recent Justice Department indictment accusing two Chinese hackers of masterminding the breaches, the so-called “Hafnium” hacks compromised contact information and private mailboxes from more than 60,000 affected servers. The incident highlights the ongoing threat of cyberattacks and the importance of patching vulnerabilities promptly.
Updated with comment from the Chinese government.