Edward Kiledjian's Threat Intel

3 China Nation-State Actors Target SharePoint Bugs

Three China-linked threat groups—Linen Typhoon, Violet Typhoon, and Storm-2603—exploited two SharePoint Server vulnerabilities as zero-days before Microsoft patched them on July 8, 2025. Microsoft initially claimed no evidence of exploitation existed, but investigations revealed active attacks targeting CVE-2025-49706 and CVE-2025-49704 from July 7. Code White GmbH researchers subsequently reproduced similar exploits on patched systems, prompting Microsoft to disclose two additional vulnerabilities on July 19: CVE-2025-53770 (CVSS 9.8) and CVE-2025-53771 (CVSS 6.4). Security researchers suggest the new vulnerabilities emerged through reverse engineering of Microsoft's initial patches, indicating incomplete fixes. Multiple attack waves have targeted high-value organizations across technology, manufacturing, and critical infrastructure sectors, with threat actors deploying PowerShell backdoors and fileless malware. Experts anticipate widespread adoption by ransomware operations and recommend immediate patching, credential rotation, and limiting externally exposed SharePoint services given the platform's attractiveness for storing sensitive organizational data.