- Chinese hacking groups Linen Typhoon, Violet Typhoon, and Storm-2603 exploited critical SharePoint vulnerabilities since July 7.
- Microsoft issued urgent patches, but on-premises servers remain at risk; SharePoint Online is unaffected.
- The U.S. CISA has mandated federal agencies to patch systems immediately amid escalating cyber tensions with China.
Chinese Hackers Target Microsoft SharePoint Servers
Microsoft has disclosed that state-backed Chinese hacking groups—including Linen Typhoon, Violet Typhoon, and Storm-2603—have been actively exploiting critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771, collectively known as "ToolShell") in on-premises SharePoint servers since early July. The flaws allow an unauthenticated attacker to gain access, execute code remotely, and reach the server's full file system, posing severe risks to government agencies, telecoms, and financial institutions, particularly in North America and Western Europe.
Microsoft released emergency patches by July 21 and urged customers to update immediately, though publicly available proof-of-concept exploit code has raised the level of threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) escalated warnings over the weekend, adding the vulnerabilities to its Known Exploited Vulnerabilities catalog and mandating that federal agencies patch without delay. Notably, SharePoint Online, part of Microsoft 365, remains unaffected.
Geopolitical and Industry Implications
The attacks underscore worsening U.S.-China cyber tensions, following the March 2025 indictment of Chinese nationals tied to APT27 (Linen Typhoon). Analysts warn of potential retaliatory measures as exploitation continues. Meanwhile, the incident has accelerated corporate migration from on-premises systems to cloud platforms, with Microsoft’s Azure and 365 offerings likely to benefit despite short-term reputational risks.
"The speed of exploitation mirrors past APT campaigns, but the public release of exploit code raises the stakes," said one cybersecurity analyst familiar with the matter. Microsoft has not commented on whether the breaches affected customer data, but sources confirm targeted organizations are conducting forensic audits.
Urgency for Unpatched Systems
Security experts predict prolonged attacks against unpatched servers, with financially motivated groups now leveraging the vulnerabilities. Regulatory bodies may impose stricter vulnerability disclosure rules, while enterprises face pressure to reassess legacy IT infrastructure. Microsoft’s recent cloud growth could offset fallout, but the episode highlights persistent risks in hybrid IT environments.