China-backed nation-state hackers identified as the actors behind attacks on Microsoft's on-premises SharePoint servers
Several threat actor groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, have been observed exploiting vulnerabilities in on-premises Microsoft SharePoint Server. The flaws, tracked as CVE-2025-53770 and CVE-2025-53771, give an unauthenticated attacker remote code execution on internet-facing SharePoint deployments that have not applied the fixes.
Exploitation began as early as July 7, 2025, and has compromised dozens of organizations worldwide. Targets include government bodies, companies across a range of industries, and non-governmental organizations in the U.S., Europe, and East Asia.
Exploitation Mechanism
The vulnerabilities affect on-premises SharePoint Server only; SharePoint Online in Microsoft 365 is not affected. Where the fixes have not been applied, the threat actors send crafted HTTP requests to internet-facing servers and, without needing valid credentials, gain access to the server and execute code on it.
Impact and Potential Damage
Successful exploitation lets attackers run arbitrary code on the SharePoint server in the context of the web application, which can be escalated to full system compromise. Once inside, attackers can read the files and data stored in SharePoint, and can use the compromised server as a foothold for lateral movement and persistence within the corporate network.
Attackers could also disrupt SharePoint services and with them business continuity. Microsoft has observed Storm-2603 using this access to deploy the Warlock and LockBit ransomware strains.
Threat Actor Profiles
Linen Typhoon and Violet Typhoon are China-based groups that Microsoft characterizes as espionage-focused, with a history of targeting government, defense, and enterprise systems. Storm-2603 is assessed with medium confidence to be China-based; it has been linked to the same CVEs, but, unlike the other two, has been seen deploying ransomware rather than limiting itself to espionage.
Mitigation and Defensive Measures
Early detection and prompt patching are the core of the defensive response. Microsoft has released fixes for the affected SharePoint versions and assigned new CVEs, CVE-2025-53770 and CVE-2025-53771, to the variants that bypassed its earlier July fixes. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog. Because the observed intrusions harvest the server's ASP.NET machine keys, which can be reused to forge requests after the update is installed, patching alone does not evict an attacker who already has them: Microsoft's guidance is to rotate the machine keys and restart IIS after updating.
Researchers at Palo Alto Networks have noted that, because the foothold is on the SharePoint server itself, the attackers' access is not subject to multifactor authentication or single sign-on controls. Rapid7 has observed active exploitation of the vulnerabilities in customer environments.
Organizations running unpatched SharePoint servers should patch immediately, then assume compromise where the server was exposed before the fix was applied and hunt for web shells and anomalous requests in IIS logs. The consequences of an intrusion range from confidential data theft to extensive operational disruption from ransomware or destructive malware.
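As an added example (not code from the article, from Microsoft, or from any of the vendors it cites), the following Python script scans IIS W3C log lines for the request pattern publicly reported for this campaign: a POST to ToolPane.aspx carrying a SignOut.aspx Referer, followed by requests to a dropped spinstall0.aspx web shell. The two indicators, the sample log lines, and the IP addresses are assumptions constructed for the example; the article itself lists no indicators.

```python
"""Scan IIS W3C logs for SharePoint exploitation indicators (added example)."""
import re
from dataclasses import dataclass

# Indicators below are assumptions for this example, taken from public
# advisories on the campaign; adjust them to your own threat intel.
TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_REF_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
WEBSHELL_RE = re.compile(r"^/_layouts/1[56]/spinstall\d*\.aspx$", re.I)

# Constructed sample log; the IPs are documentation-range addresses.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2025-07-18 18:03:11 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 200 http://sp.corp.example/_layouts/SignOut.aspx
2025-07-18 18:03:12 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 200 -
2025-07-18 18:04:01 198.51.100.9 GET /sites/finance/Forms/AllItems.aspx - 200 -
2025-07-18 18:05:44 198.51.100.9 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 http://sp.corp.example/sites/finance
"""


@dataclass
class Finding:
    client_ip: str
    severity: str
    reason: str
    line: str


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(rec):
    """Return (severity, reason) for a suspicious record, or None."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "")
    referer = rec.get("cs(Referer)", "-")
    if WEBSHELL_RE.match(stem):
        return "high", "request to dropped web shell path"
    if method == "POST" and TOOLPANE_RE.match(stem):
        if SIGNOUT_REF_RE.search(referer):
            return "high", "POST to ToolPane.aspx with SignOut.aspx referer"
        # Legitimate page editing also POSTs to ToolPane.aspx, so this alone is weak.
        return "low", "POST to ToolPane.aspx without the spoofed referer"
    return None


def scan(text):
    """Run classify() over every parsed record and collect the findings in log order."""
    findings = []
    for rec in parse_w3c(text):
        hit = classify(rec)
        if hit:
            severity, reason = hit
            findings.append(Finding(rec.get("c-ip", "?"), severity, reason, " ".join(rec.values())))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.client_ip}: {f.reason}\n    {f.line}")
```

The parser keys on the `#Fields:` directive rather than fixed column positions, because IIS sites log different field sets. A lone POST to ToolPane.aspx is ordinary page editing and is therefore only a low-severity lead; the high-severity hits are the spoofed SignOut.aspx Referer and any request to the spinstall file name, which should then be correlated by client IP and checked against the LAYOUTS directory on disk. The script only finds the published pattern, so a clean result does not prove the server was not compromised.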
- Linen Typhoon, Violet Typhoon, and Storm-2603 have been exploiting CVE-2025-53770 and CVE-2025-53771 in on-premises Microsoft SharePoint servers since at least July 7, 2025, compromising dozens of organizations.
- Where the fixes are not applied, the flaws give an unauthenticated attacker remote code execution and access to everything the server holds; Storm-2603 has used that access to deploy Warlock and LockBit ransomware.
- Organizations should patch immediately, rotate the server's ASP.NET machine keys, and hunt for signs of prior compromise; CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, and the potential damage ranges from data theft to operational disruption from ransomware or destructive malware.