Google, Microsoft say Chinese hackers are exploiting SharePoint zero-day

Security experts from Google and Microsoft have revealed alarming evidence of Chinese-backed hackers exploiting a critical zero-day vulnerability in Microsoft SharePoint. This vulnerability, identified as CVE-2025-53770, allows attackers to extract sensitive private keys from self-hosted SharePoint instances, which are widely utilized by organizations for document storage and sharing. Once this vulnerability is exploited, attackers can remotely deploy malware and access not only the stolen files but also other systems connected to the same network.

In a recent blog post, Microsoft reported that two hacking groups, known as "Linen Typhoon" and "Violet Typhoon," have been observed taking advantage of this flaw. The former focuses on intellectual property theft, while the latter is known for stealing private information for espionage purposes. Additionally, Microsoft identified another hacker group, "Storm-2603," which has a history of involvement in ransomware attacks, although less is known about their operations.

Investigations have indicated that these groups have been exploiting the zero-day vulnerability since July 7, with numerous organizations, including entities in the government sector, falling victim to their attacks. Charles Carmakal, the CTO at Google’s incident response team Mandiant, emphasized that at least one of the attackers is linked to a Chinese hacking group, with multiple actors now actively utilizing this vulnerability.

Microsoft has issued patches for all affected SharePoint versions; however, security experts caution that organizations running self-hosted SharePoint should consider themselves compromised. The Chinese Embassy in Washington D.C. has not responded to requests for comments on this issue, although the Chinese government has consistently denied involvement in cyberattacks despite previous allegations.

This incident is the latest in a series of hacking campaigns attributed to China, including past attacks on Microsoft Exchange servers in 2021, which affected over 60,000 servers and compromised sensitive data.

Sources : TechCrunch

Published On : Jul 22, 2025, 15:05
