Google, Microsoft say Chinese hackers are exploiting SharePoint zero-day


In a significant cybersecurity alert, technology giants Google and Microsoft have confirmed that state-sponsored Chinese hacking groups are actively exploiting a critical zero-day vulnerability in Microsoft SharePoint. The flaw, tracked as CVE-2025-53770, allows attackers to compromise self-hosted (on-premises) SharePoint servers, a platform widely used by organizations worldwide for internal document management.

Discovered just last weekend, the flaw enables hackers to steal sensitive private keys, which can then be leveraged to plant malware, gain unauthorized access to stored files and data, and potentially infiltrate other systems on the same network. The severity of the vulnerability has prompted an urgent call for organizations to patch their systems, with many already scrambling to secure their digital infrastructure.

In a recent blog post, Microsoft’s security teams reported that at least two previously known China-backed hacking groups, “Linen Typhoon” and “Violet Typhoon,” are carrying out these attacks. Linen Typhoon is primarily associated with intellectual property theft, while Violet Typhoon is known for espionage and the collection of private information. Microsoft also linked a third, less well understood China-based group, “Storm-2603,” to the ongoing attacks, noting its past involvement in ransomware campaigns.

According to Microsoft’s observations, these sophisticated hacking groups commenced exploiting the SharePoint zero-day vulnerability as early as July 7. This early start indicates a high level of preparation and coordination by the attackers.

Echoing these concerns, Charles Carmakal, Chief Technology Officer at Google’s incident response unit Mandiant, confirmed in a statement to TechCrunch that “at least one of the actors responsible” is a China-nexus hacking group. He further cautioned that “multiple actors are now actively exploiting this vulnerability,” underscoring the broad threat landscape.

Dozens of organizations have reportedly fallen victim to these attacks, including several in the government sector, according to security researchers. A zero-day vulnerability is one that the vendor, in this case Microsoft, had no opportunity to patch before the flaw was exploited in the wild. Although Microsoft has since released patches for all affected SharePoint versions, security experts advise organizations running self-hosted SharePoint instances to operate under the assumption that they may already have been compromised.

In response to the allegations, Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, D.C., stated that China “firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear.” The Chinese government has consistently denied accusations of state-sponsored cyberattacks, though its statements often avoid explicit denials of specific incidents.

This incident marks the latest in a series of sophisticated hacking campaigns linked to China. Notably, Chinese-backed hackers were previously accused of orchestrating mass breaches against self-hosted Microsoft Exchange email servers in 2021. This campaign, known as “Hafnium,” compromised contact information and private mailboxes from over 60,000 servers, as detailed in a recent Justice Department indictment that accused two Chinese hackers of masterminding the operation.

© 2025 Proaitools. All rights reserved.