Microsoft confirms China link to SharePoint hacks

Microsoft has confirmed that Chinese state-sponsored threat actors are actively exploiting a newly disclosed zero-day vulnerability in on-premises SharePoint Server, corroborating reports from Google Cloud’s Mandiant and others.

According to Microsoft, two threat actors it tracks as Linen Typhoon and Violet Typhoon are targeting internet-facing SharePoint servers, and a third group, Storm-2603, is also exploiting the flaws. Microsoft is investigating further actors and expects the vulnerabilities to be folded into more attacks.

A Microsoft spokesperson informed Computer Weekly that comprehensive security updates have been released for all supported versions of SharePoint Server to protect against these vulnerabilities. Customers are advised to apply these updates immediately to ensure their protection.

The vulnerabilities in question, CVE-2025-53770 and CVE-2025-53771, bypass the patches for previously disclosed SharePoint flaws and together give an unauthenticated attacker full remote code execution on all supported on-premises versions of SharePoint Server. SharePoint Online in Microsoft 365 is not affected.

Microsoft first observed exploitation attempts as early as 7 July 2025 and attributed them to Linen Typhoon, Violet Typhoon and Storm-2603 on the basis of those groups’ known tactics.

Typhoon blowing in

Microsoft’s threat actor naming taxonomy groups actors under weather-themed family names for easier recognition; China-nexus activity is assigned the Typhoon name.

Linen Typhoon, active since 2012, focuses on stealing intellectual property from organisations linked to government, defence and human rights. Violet Typhoon, operating since 2015, conducts espionage against former government and military personnel, NGOs, think-tanks and a range of other organisations.

Meanwhile, Storm-2603, which Microsoft believes may also be China-based, has been observed using the SharePoint vulnerabilities to steal the servers’ ASP.NET machine keys. Those keys matter because they let an attacker forge valid signed payloads, and so retain code execution on a server even after it has been patched. Storm-2603 has also been observed operating as a ransomware affiliate, including for LockBit.

Microsoft emphasises that users must patch their systems to prevent further exploitation of the SharePoint vulnerabilities by additional threat actors. Because stolen machine keys remain valid after the update is applied, Microsoft’s guidance is that patching alone is not enough: administrators should also rotate their SharePoint servers’ ASP.NET machine keys and restart IIS once the update is in place.
