Monday, July 28, 2025

Microsoft Blames ‘China-Based Threat Actor’ for SharePoint Attacks


One of Microsoft’s latest SharePoint patches, released on July 18, failed to fully mitigate the security vulnerabilities it was designed to prevent, prompting the company to issue additional fixes. A Microsoft spokesperson confirmed the issue and said new security updates had been rolled out to better contain the threat.

Moreover, the Microsoft Threat Intelligence team confirmed that at least three Chinese hacking groups are responsible for exploiting the SharePoint vulnerabilities.

A post by Microsoft Threat Intelligence reads, in part: “Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”

SharePoint vulnerabilities under active attack

Microsoft initially issued updates to address two security vulnerabilities:

  • CVE-2025-49704: This remote code execution (RCE) vulnerability allows hackers to access SharePoint and other Windows services, including Microsoft Outlook, OneDrive, and Teams. Once accessed, the hacker can also use RCE to deploy malicious code on the target system.
  • CVE-2025-49706: An improper authentication vulnerability that allows attackers to access on-premises servers that currently host Microsoft SharePoint.

Following the discovery of additional zero-day vulnerabilities, Microsoft identified two more actively exploited vulnerabilities:

  • CVE-2025-53770: This vulnerability allows hackers to bypass authentication checks and credential verification when transmitting data.
  • CVE-2025-53771: With this vulnerability, hackers can spoof the credentials of authenticated users to generate data payloads that appear to originate from legitimate sources.

Microsoft released updated security patches for SharePoint Server Subscription Edition, 2019, and 2016 to address the broader threat landscape.

Chinese APTs behind exploitation campaign

Three China-linked hacking groups have been implicated in the ongoing exploitation of SharePoint security vulnerabilities. These groups include:

  • Linen Typhoon: This hacking group has carried out intellectual property theft since it was first detected in 2012. Most of its cyberattacks target organizations in government, defense, human rights, and other sectors.
  • Violet Typhoon: First detected in 2015, Violet Typhoon primarily engages in espionage. Although the group often targets individuals, particularly government officials and military personnel, it also attacks organizations in higher education, media, finance, and health care.
  • Storm-2603: While Microsoft only has “medium confidence” that Storm-2603 is based in China, the group displays many of the same behaviors as Linen and Violet Typhoon, including the exploitation of the latest SharePoint vulnerabilities. At the time of this writing, Storm-2603 has not been linked to the two other groups.

Protecting your system from future threats

The team at Microsoft moved diligently to update SharePoint after the new exploits were found. However, given the longevity of these three hacking groups in particular, they will likely devise new hacks, exploits, and workarounds to bypass security controls and continue their attacks. To protect against potential future threats, Microsoft recommends installing the latest software updates as soon as they are available to the public.

Curious how deep the US crackdown on Chinese cyber espionage goes? Read our breakdown of the DOJ’s case against elite hackers linked to state-sponsored attacks.
