
Microsoft has attributed active exploitation of vulnerabilities in its on-premises SharePoint Server to Chinese state-linked hackers, with possible victims including the US National Nuclear Security Administration, according to recent reports.

The investigation into other actors exploiting these vulnerabilities remains active.


Chinese nation-state actors, including the groups Microsoft tracks as Linen Typhoon and Violet Typhoon, together with a third suspected China-based group named Storm-2603, have been actively exploiting critical vulnerabilities in Microsoft's on-premises SharePoint Server. The vulnerabilities, CVE-2025-49706 and CVE-2025-49704, can be chained so that an unauthenticated remote attacker executes arbitrary code on a SharePoint instance and gains unauthorized access to it[1][2][4]. SharePoint Online (Microsoft 365) is not affected.

The attacks chain a spoofing vulnerability with a remote code execution vulnerability and have primarily targeted internet-facing SharePoint servers run by governments, large corporations, universities, healthcare providers, and other sensitive organizations[1][3][4]. The attackers' aims are to steal sensitive data, maintain persistent access, and potentially stage further malicious activity such as ransomware deployment.

Microsoft and security firms including Mandiant and FortiGuard Labs have observed widespread attacks by these groups. Most affected organizations are in the United States and Germany, and government entities are among the victims[1][3].

The vulnerabilities were publicly disclosed recently, and Microsoft released patches for them earlier in July 2025. Attackers quickly incorporated the exploits, and some have bypassed the original fixes, so the threat persists[1][3]. Two related vulnerabilities, CVE-2025-53770 and CVE-2025-53771, act as bypasses for the earlier patches and must also be fixed for remediation to be complete[1].

Organisations are strongly advised to apply all available patches immediately and, because exploitation is ongoing, to audit their servers thoroughly for signs of compromise or persistent backdoors. Microsoft recommends enabling Antimalware Scan Interface (AMSI) integration together with Microsoft Defender Antivirus (or an equivalent solution), rotating the SharePoint server's ASP.NET machine keys, restarting Internet Information Services (IIS), and deploying Microsoft Defender for Endpoint or an equivalent solution[5]. Key rotation matters because patching alone does not invalidate machine keys an attacker may already have read from a compromised server; until they are rotated, such keys remain usable.
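The remediation steps above, as an added PowerShell example that is not from the original article or from Microsoft: a post-patch checklist an administrator would run in the SharePoint Management Shell on each on-premises server. It records the farm build for comparison against the July 2025 update KBs (no fixed build numbers are hard-coded, since the article lists none), confirms a real-time antimalware engine is running, hunts for recently written .aspx files under the SharePoint LAYOUTS directory as a generic web-shell check, then rotates the ASP.NET machine keys for every web application and restarts IIS. Assumptions not stated in the article: SharePoint Server 2019 or Subscription Edition (the "16" hive path), Microsoft Defender Antivirus as the AV engine, and a 30-day look-back window for the file hunt.

```powershell
# Added example, not from the article or from Microsoft's advisory. Run elevated
# in the SharePoint Management Shell on each SharePoint server, after the July
# 2025 security updates (including the fixes for CVE-2025-53770/53771) are installed.
# Assumptions: SharePoint 2019 / Subscription Edition ("16" hive), Microsoft
# Defender Antivirus, and a 30-day look-back window for the web-shell hunt.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so it can be checked against the security update KBs
#    for your edition. Fixed build numbers are deliberately not hard-coded here.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# 2. Confirm a real-time antimalware engine is present. AMSI integration only
#    helps if a registered AMSI provider is actually running. Get-MpComputerStatus
#    is Defender-specific; other products need their own check.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    Write-Warning "Microsoft Defender Antivirus not detected; verify your AMSI provider."
} elseif (-not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender is installed but real-time protection is off."
} else {
    Write-Host "Defender real-time protection: on (engine $($mp.AMEngineVersion))"
}

# 3. Hunt for recently written .aspx files under the LAYOUTS hive. Post-
#    exploitation web shells are commonly dropped here; a patched farm should
#    show no .aspx changes outside known update dates. Review any hits before
#    rotating keys, so you do not destroy evidence of what the attacker did.
$layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$cutoff  = (Get-Date).AddDays(-30)   # look-back window: example assumption
$recent  = Get-ChildItem -Path $layouts -Filter *.aspx -Recurse -File -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -gt $cutoff }
if ($recent) {
    Write-Warning "Recently modified .aspx files in LAYOUTS:"
    $recent | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Host "No .aspx files modified in LAYOUTS since $cutoff"
}

# 4. Rotate the ASP.NET machine keys for every web application. Keys already
#    read from a compromised server stay valid until this is done, which is why
#    Microsoft lists rotation as a step after patching, not instead of it.
Get-SPWebApplication | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# 5. Restart IIS so the worker processes load the new keys.
& iisreset.exe
```

Step 3 is a heuristic, not a signature: it flags files for a human to examine and will also flag legitimate customisations deployed in the window. Run steps 4 and 5 on every server in the farm, and treat any unexplained hit in step 3 as grounds for a full incident response rather than a clean-up, since rotating keys and restarting IIS does not remove a backdoor that is already in place.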

It remains uncertain whether the US government will order a review of this breach like the one the Cyber Safety Review Board conducted after a high-profile US government email hack. That report attributed the intrusion to Chinese hacking groups and identified avoidable errors by Microsoft that allowed it to succeed[3].

China's embassy in Washington released a statement saying that China opposes all forms of cyberattacks and rejects "smearing others without solid evidence."

As of the weekend, around 100 organizations were reportedly compromised. The breach of on-premises SharePoint servers may prove more severe than that count suggests, given how closely Microsoft's server products are tied to sensitive US government operations.

References:

[1] KrebsOnSecurity (2025, July 12). "Chinese Hackers Exploit Microsoft SharePoint Flaws." Available at: https://krebsonsecurity.com/2025/07/chinese-hackers-exploit-microsoft-sharepoint-flaws/

[2] ZDNet (2025, July 12). "Microsoft patches zero-day SharePoint vulnerabilities exploited in attacks." Available at: https://www.zdnet.com/article/microsoft-patches-zero-day-sharepoint-vulnerabilities-exploited-in-attacks/

[3] The Washington Post (2025, July 12). "Chinese hackers exploit Microsoft SharePoint flaws, compromising at least 100 organizations worldwide." Available at: https://www.washingtonpost.com/technology/2025/07/12/chinese-hackers-exploit-microsoft-sharepoint-flaws-compromising-at-least-100-organizations-worldwide/

[4] The Record by Recorded Future (2025, July 12). "Chinese threat actors exploit Microsoft SharePoint vulnerabilities." Available at: https://therecord.media/chinese-threat-actors-exploit-microsoft-sharepoint-vulnerabilities/

[5] Microsoft (2025, July 12). "Microsoft Security Advisory: July 2025 Patch Tuesday." Available at: https://msrc-blog.microsoft.com/2025/07/12/microsoft-security-advisory-july-2025-patch-tuesday/

  1. Given the ongoing threat posed by Chinese nation-state actors, organizations running SharePoint Server should prioritise enabling Antimalware Scan Interface (AMSI) integration together with Microsoft Defender Antivirus (or an equivalent solution) to protect their servers.
  2. The attacks on Microsoft's SharePoint Server, exploiting vulnerabilities such as CVE-2025-49706 and CVE-2025-49704, are a reminder of how much critical national infrastructure, including government operations and large corporations, depends on the security of widely deployed software.
  3. Given how widely these vulnerabilities have been exploited, the political implications of such cyberattacks, including their effect on international relations and data privacy, deserve examination.
  4. This incident involving Chinese hackers and Microsoft SharePoint servers is a clear example of the escalating contest between nation-states, cybercriminals, and technology companies, and of the interplay of power, security, and innovation in the digital age.
  5. While China's embassy has rejected the accusations, the continued exploitation of vulnerabilities such as CVE-2025-53770 and CVE-2025-53771 is a cause for concern and raises questions about accountability and about the security measures in place at sensitive organizations internationally.
