Microsoft has raised a security alarm after identifying that China-linked hacking groups are actively exploiting a critical vulnerability in its SharePoint software, used globally by governments and corporations to manage sensitive documents.

The zero-day flaw, tagged CVE-2025-53770, allows attackers to steal private encryption keys and remotely deploy malware on self-hosted SharePoint servers, granting them wide access to internal systems.

In a blog post published Tuesday, Microsoft disclosed that at least three Chinese-backed advanced persistent threat (APT) groups — Linen Typhoon, Violet Typhoon, and Storm-2603 — have been using the exploit since July 7.

The groups are reportedly targeting intellectual property, trade secrets, and classified data, particularly from enterprises and government entities running outdated or unpatched SharePoint installations.

“Organizations running self-hosted SharePoint servers should assume breach and initiate comprehensive forensic investigations,” Microsoft warned.

The company has released security patches for all supported versions of SharePoint affected by the vulnerabilities (CVE-2025-53770 and CVE-2025-53771), urging immediate installation to prevent further compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added that the vulnerability could allow attackers full access to internal configurations, enabling remote execution of malicious code.

Security analysts estimate that thousands of entities—including energy companies, universities, and government bodies—could be at risk if they fail to patch their systems promptly.