
Chinese nation-state groups exploiting SharePoint vulnerability, Microsoft confirms

At least two Chinese nation-state threat groups are targeting internet-facing SharePoint servers via several recently disclosed vulnerabilities, Microsoft warned customers on Tuesday.  

In addition to the two confirmed nation-state groups — identified as Linen Typhoon and Violet Typhoon — Microsoft said it found another China-based group attacking SharePoint servers. 

The attribution follows an urgent alert about threat actors exploiting vulnerabilities in on-premises instances of Microsoft SharePoint, which thousands of organizations globally use to manage content, collaborate and share documents. The campaign set off alarms among defenders because SharePoint is widely deployed by governments, large corporations, universities and other sensitive entities.

The bugs being used in the campaign against exposed SharePoint servers include CVE-2025-49706 and CVE-2025-49704. 

Microsoft also warned of two other vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which bypass the earlier patches for CVE-2025-49706 and CVE-2025-49704 and therefore carry the same risk for servers that received only those original fixes.

On Monday, Charles Carmakal, CTO of Google-owned cybersecurity firm Mandiant, said that a “China-nexus threat actor” is one of several attackers targeting the vulnerabilities.

“It's critical to understand that multiple actors are now actively exploiting this vulnerability,” Carmakal said. “We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well."

Reuters reported on Tuesday that more than 100 organizations were affected by attacks through the vulnerabilities, which Microsoft was allegedly informed of in May. The bugs were discovered at a competition in Berlin by a cybersecurity official at Vietnamese military-owned telecom Viettel, and the researcher received a $100,000 bounty for finding them.

Microsoft released a patch earlier this month but hackers quickly found a way around the fixes, according to Reuters.

The Typhoons

Microsoft said the threat actors Linen Typhoon and Violet Typhoon, as well as a third Chinese group, have been exploiting CVE-2025-49706 and CVE-2025-49704 since July 7, using the bugs to gain access to organizations.

Linen Typhoon, also tracked as APT27, UNC215 and Red Phoenix, has been active since 2012, the company said, and has focused primarily on stealing intellectual property by attacking government organizations as well as defense companies and human rights groups. 

The group typically “has relied on existing exploits to compromise organizations,” Microsoft said.

The other confirmed threat actor, Violet Typhoon, is specifically dedicated to espionage and has previously targeted government officials, military personnel, think tanks, educational organizations, media companies and the health sector in the U.S., Europe and East Asia. 

Violet Typhoon, also tracked as APT31, has made a point of scanning the internet for vulnerabilities in the exposed web infrastructure of target organizations, exploiting whatever it discovers to install tools that allow it to gain further access.

Researchers are unsure of the motives of the third group, which has in the past deployed the Warlock and LockBit ransomware strains.

Microsoft added that other groups and countries may use the bugs to target unpatched on-premises SharePoint systems and urged customers to install security updates released this week. 

The tech giant released security updates for all supported on-premises SharePoint Server versions and said cloud-hosted versions are not affected. 

‘Just beginning’

The situation began Saturday when Microsoft’s Security Response Center said it saw active attacks against on-premises SharePoint servers using multiple vulnerabilities. 

CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on Sunday and ordered all federal civilian agencies to patch it by Monday. The agency added CVE-2025-49706 and CVE-2025-49704 on Tuesday and ordered agencies to patch them by Wednesday.

Multiple incident responders told Recorded Future News that exploitation is widespread and includes governments around the world. Hackers are using their access to exfiltrate data and gain a long-term foothold in victim organizations, they said.

The problem cannot be solved by simply patching the vulnerabilities, watchTowr CEO Benjamin Harris said, noting that attackers are stealing cryptographic keys that will allow for further access if they are not changed. 

Harris urged everyone to actually patch the bugs rather than relying only on mitigations such as enabling SharePoint's Antimalware Scan Interface (AMSI) integration.

“Now that exploitation has been linked to nation-state actors, it would be naive to think they could leverage a SharePoint zero-day but somehow not bypass AMSI,” Harris said. 

The Washington Post reported that federal and state agencies have been affected by the campaign but the FBI and CISA did not respond to requests for confirmation. 

Several cybersecurity experts compared the SharePoint campaign to a similar one in 2021 affecting Microsoft Exchange servers that led to the compromise of U.S. government systems by Chinese actors.

Cynthia Kaiser, former deputy director of the FBI’s Cyber Unit, warned that the SharePoint attacks will be an issue for months even if organizations have implemented patches because hackers “already in their systems may lie dormant for extended periods before operationalizing.”

“The real threat may be just beginning. Ransomware groups are known to rapidly operationalize disclosed vulnerabilities,” said Kaiser, who is now a senior official at cybersecurity firm Halcyon.

“In this case, the theft of authentication keys means attackers could potentially retain access even after patches are applied. This is a serious risk.”
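The key theft Harris and Kaiser describe is why Microsoft's remediation guidance for these bugs does not stop at installing the update: the stolen material is the ASP.NET machine key set that SharePoint uses to sign and encrypt ViewState, and a server that patches but keeps the same keys remains open to anyone who already copied them. The following PowerShell is an added example, not code from the article or from Microsoft; it shows the post-patch rotation step as a farm administrator would run it in the SharePoint Management Shell. The cmdlet names follow Microsoft's published guidance for this incident; the farm layout it walks (every web application, every server) is assumed.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys of every
# SharePoint web application after the July 2025 security update is installed, then
# restart IIS so the new keys are loaded. Run in the SharePoint Management Shell as a
# farm administrator. Patching without this step leaves previously stolen keys valid.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Central Administration is a web application too; include it so its keys rotate as well.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    # Generates a new validation/decryption key pair for the web application and
    # pushes it to every server in the farm (assumed farm topology).
    Update-SPMachineKey -WebApplication $webApp
}

# The new keys are only picked up by worker processes after IIS restarts.
# Run this on every SharePoint server in the farm, not just the one you patched from.
iisreset.exe
```

Rotate keys after the update is fully installed, not before, since the unpatched code path would let an attacker simply steal the new set. Treat any server that was exposed before patching as potentially compromised and review it for persistence independently of the rotation.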

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.