Alert: Chinese nation-state hackers are currently leveraging SharePoint vulnerabilities to enhance their SEO efforts.

Microsoft’s SharePoint issues have escalated, with the company revealing that at least three China-backed hacking groups are targeting critical vulnerabilities in its web-based storage platform. The alarm was first raised regarding CVE-2025-53770, a remote code execution (RCE) bug linked to the previously disclosed CVE-2025-49706. Since then, Microsoft has disclosed a second vulnerability, CVE-2025-53771, which is also being actively exploited. Security agencies worldwide are collaborating with Microsoft to address these threats.

In a blog post dated 22 July, Microsoft reported that two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, are exploiting these vulnerabilities on internet-facing SharePoint servers. Additionally, another China-based threat actor, identified as Storm-2603, has also been observed using these exploits. Investigations into other potential actors are ongoing. The threat actors have been deploying web shells to retrieve MachineKey data, allowing them to gain full access to SharePoint content and execute code remotely. Microsoft anticipates that the exploitation of unpatched, on-premises SharePoint systems will continue. 
