Microsoft pins SharePoint attacks on Chinese threat actors.

Microsoft has formally attributed the widespread exploitation of a SharePoint zero-day chain, dubbed ToolShell, to Chinese state-linked hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. The attacks have targeted on-premises SharePoint servers across multiple sectors. Emergency patches have been released, but with a proof-of-concept exploit now public and active exploitation ongoing, CISA has issued urgent mitigation guidance for affected organizations.
At least two Chinese nation-state threat groups are targeting internet-facing SharePoint servers via several recently disclosed vulnerabilities, Microsoft warned customers on Tuesday. In addition to the two confirmed nation-state groups — identified as Linen Typhoon and Violet Typhoon — Microsoft said it found another China-based group attacking SharePoint servers. The attribution follows an urgent alert about threat actors exploiting vulnerabilities in on-premises instances of Microsoft SharePoint, which thousands of organizations globally use to manage content, collaborate and share documents.
The bugs being used in the campaign against exposed SharePoint servers include CVE-2025-49706 and CVE-2025-49704. Microsoft also warned of two other vulnerabilities — CVE-2025-53770 and CVE-2025-53771 — that pose a further risk because they bypass the earlier patches for CVE-2025-49706 and CVE-2025-49704. On Monday, Charles Carmakal, CTO of Google, said that a “China-nexus threat actor” is one of several attackers targeting the vulnerabilities. “It's critical to understand that multiple actors are now actively exploiting this vulnerability,” Carmakal said.
Microsoft released a patch earlier this month, but hackers quickly found a way around the fixes. Microsoft said the threat actors Linen Typhoon and Violet Typhoon, as well as a third Chinese group, have been exploiting CVE-2025-49706 and CVE-2025-49704 since July 7, using the bugs to gain access to organizations. Linen Typhoon, also tracked as APT27, UNC215 and Red Phoenix, has been active since 2012, the company said, and has focused primarily on stealing intellectual property by attacking government organizations as well as defense companies and human rights groups.
Microsoft on Sunday released security patches for an actively exploited security flaw in SharePoint and also disclosed details of another vulnerability that it said has been addressed with "more robust protections". The tech giant acknowledged it's "aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update". CVE-2025-53770 (CVSS score: 9.8), as the exploited vulnerability is tracked, is a remote code execution flaw that arises from the deserialization of untrusted data in on-premises versions of Microsoft SharePoint Server. The newly disclosed shortcoming is a spoofing flaw in SharePoint (CVE-2025-53771, CVSS score: 7.1).