Microsoft has raised a red flag over a critical zero-day vulnerability in its SharePoint software, warning that multiple China-backed hacking groups have been exploiting the flaw since early July. Designated CVE-2025-53770, the vulnerability allows attackers to steal security keys and deploy malware remotely on self-hosted SharePoint servers, posing a severe risk to corporations, government agencies, and academic institutions worldwide.
According to Microsoft, at least three advanced persistent threat (APT) groups — Linen Typhoon, Violet Typhoon, and Storm-2603 — have used the exploit to steal data, carry out espionage, and establish persistent backdoor access to the wider internal networks behind the compromised servers. The tech giant advised organizations running self-hosted SharePoint to assume they have been compromised and to conduct thorough forensic checks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the flaw allows remote code execution and deep server access.
Microsoft has since released patches covering all supported SharePoint versions affected by CVE-2025-53770 and a related vulnerability, CVE-2025-53771. It urged all users to apply the updates immediately to prevent further exploitation. Experts say thousands of systems globally may still be vulnerable, including those used by critical sectors such as energy and education.
This latest campaign echoes the 2021 “Hafnium” attacks, when Chinese state-linked hackers targeted Microsoft Exchange servers. That campaign reportedly compromised over 60,000 servers, prompting global outcry. While China continues to reject accusations of cyber espionage, Microsoft says it has high confidence that these threat actors will persist in targeting unpatched systems.
