China-backed hackers breach security

Amid escalating cybersecurity threats, two Chinese government-backed hacking groups, Linen Typhoon and Violet Typhoon, have been implicated in a significant breach of self-hosted SharePoint servers, beginning in early July 2025.

Cybersecurity experts confirmed that the attacks exploited critical vulnerabilities in on-premises SharePoint environments, in particular a remote code execution vulnerability (CVE-2025-49704) and a spoofing vulnerability (CVE-2025-49706). These flaws have affected numerous entities worldwide, compromising dozens of organizations ranging from U.S. federal and state agencies to universities and energy companies. A zero-day vulnerability tracked as CVE-2025-53770 has been actively exploited since July 7, 2025, further underlining the severity of the situation. Additionally, multiple hacking groups with ties to the Chinese government have been identified, raising alarm over state-sponsored cyber activity.

Cybersecurity experts confirm exploitation of critical vulnerabilities in SharePoint, impacting U.S. agencies, universities, and energy firms globally.

The incidents reveal a sophisticated approach by the attackers, who used zero-day vulnerabilities to bypass multifactor authentication (MFA) systems. By executing code remotely, the hackers gained access to sensitive data, planted malware, and established persistent backdoors. Strikingly, the theft of machine keys has raised concerns that the attackers could re-enter affected servers even after the emergency patches addressing the vulnerabilities were applied. Experts recommend implementing two-factor authentication as an essential defensive measure against such sophisticated attacks.

Notably, the Cybersecurity and Infrastructure Security Agency (CISA) has documented these vulnerabilities in its Known Exploited Vulnerabilities catalog to improve awareness and preventive measures. In spite of Microsoft’s rapid response in issuing patches, the overarching risks of machine key compromise continue to pose significant challenges. Security researchers are now vigilant, tracking secondary exploitation issues related to the initial breaches.
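The re-entry risk described above stems from the attacker holding a server's ASP.NET machine keys, which a patch alone does not invalidate. The following is an added example, not code from the article: a farm administrator rotates the keys for every SharePoint web application with SharePoint's own PowerShell cmdlets and then restarts IIS so the new keys take effect. It assumes an on-premises farm where the SharePoint snap-in and the Update-SPMachineKey cmdlet are available on the patched server.

```powershell
# Added example (not from the article). Rotate ASP.NET machine keys on every
# SharePoint web application after patching, so keys stolen before the patch
# no longer validate forged ViewState. Assumes the SharePoint PowerShell
# snap-in and Update-SPMachineKey are available; run as a farm administrator
# on a server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$rotated = @()
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
    $rotated += $webApp.Url
}

# Recycle IIS so worker processes pick up the new keys (assumed to be required).
iisreset.exe

# Record what was rotated and when, for the incident timeline.
[pscustomobject]@{
    RotatedAt       = (Get-Date).ToUniversalTime().ToString('o')
    WebApplications = $rotated
} | ConvertTo-Json | Out-File -FilePath "$env:TEMP\machinekey-rotation.json"
```

Rotation should follow patching, not precede it, since an unpatched server can simply be compromised again and its fresh keys stolen.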

The broader implications of this hacking campaign encompass the espionage motivations driving Linen Typhoon and Violet Typhoon’s activities. Linen Typhoon appears focused on acquiring intellectual property essential for bolstering China’s economic and technological ambitions, whereas Violet Typhoon targets strategic government and private sector information for espionage.

There is additionally a less understood group, Storm-2603, whose mixed activities include potential ransomware deployments, thereby amplifying risks across multiple sectors.

The scale and coordination of these attacks underline pressing operational security concerns, as targeted industries struggle to manage the aftermath of a coordinated global cyber operation.
