Google, Microsoft say Chinese hackers are exploiting SharePoint zero-day | TechCrunch

Security researchers at Google and Microsoft say they have evidence that hackers backed by China are exploiting a zero-day bug in Microsoft SharePoint, as companies around the world scramble to patch the flaw.

The bug, known officially as CVE-2025-53770 and discovered last weekend, allows hackers to steal sensitive private keys from self-hosted versions of SharePoint, a software server widely used by companies and organizations to store and share internal documents. Once exploited, an attacker can use the bug to remotely plant malware and gain access to the files and data stored within, as well as gain access to other systems on the same network.

In a blog post on Tuesday, Microsoft said it had observed at least two previously identified China-backed hacking groups it calls “Linen Typhoon” and “Violet Typhoon” exploiting the SharePoint zero-day. Microsoft says Linen Typhoon is focused on stealing intellectual property, while Violet Typhoon steals private information to be used for espionage.

Microsoft also attributed the ongoing hacks to a third China-backed hacking group it named “Storm-2603,” representing a hacking group about which the company has less information. The company noted, however, that the hackers have been linked to ransomware attacks in the past.

According to Microsoft, the three hacking groups were observed exploiting the zero-day vulnerability to break into vulnerable SharePoint servers as far back as July 7.

Charles Carmakal, the chief technology officer at Google’s incident response unit Mandiant, told TechCrunch in an email that “at least one of the actors responsible” was a China-nexus hacking group, but noted that “multiple actors are now actively exploiting this vulnerability.”

Dozens of organizations have already been hacked, including across the government sector. The bug is regarded as a zero-day because the vendor — Microsoft, in this case — had no time to issue a patch before it was actively exploited. Microsoft has since rolled out patches for all affected versions of SharePoint, but security researchers have warned that customers running self-hosted versions of SharePoint should assume they have already been compromised.


A spokesperson for the Chinese Embassy in Washington D.C. did not immediately return a request for comment. The Chinese government has long rebuffed allegations that it has carried out cyberattacks, though it has not always explicitly denied its involvement.

This is the latest hacking campaign linked to China in recent years. Hackers backed by China were accused of targeting self-hosted Microsoft Exchange email servers in 2021 as part of a mass-hacking campaign. According to a recent Justice Department indictment accusing two Chinese hackers of masterminding the breaches, the so-called “Hafnium” hacks compromised contact information and private mailboxes from more than 60,000 affected servers.

Great Job Zack Whittaker & the Team @ TechCrunch Source link for sharing this story.
