Google and Microsoft have both issued urgent security alerts about a newly discovered SharePoint zero-day exploit actively used by Chinese state-backed hacking groups. The flaw, tracked as CVE-2025-53770, affects on-premises Microsoft SharePoint servers and has already led to breaches in government agencies, universities, energy firms, and major corporations around the world.
🔍 What Is the SharePoint Zero-Day Exploit?
The vulnerability allows attackers to steal the server's ASP.NET machine keys (the ValidationKey and DecryptionKey that SharePoint uses to sign and encrypt ViewState and other tokens). An attacker holding those keys can forge payloads the server will trust, so they keep a way back in even after the underlying bug is patched; only rotating the keys closes that door. Microsoft identified the exploit earlier this month and released emergency patches for SharePoint Server Subscription Edition and SharePoint Server 2019, while the fix for SharePoint Server 2016 was still pending at the time of writing. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog.
⚠️ Who Is Behind the Attacks?
According to both Microsoft and Google's Mandiant, three hacking groups tied to the Chinese government are exploiting the flaw:
- Linen Typhoon (APT27)
- Violet Typhoon (APT31)
- Storm-2603 (a newer actor identified by Microsoft)
These groups have used the vulnerability to infiltrate SharePoint environments worldwide, particularly those in government and sensitive industries.
🧭 How Big Is the Impact?
Security researchers estimate that tens of thousands of internet-facing SharePoint servers remain vulnerable. Reports from Eye Security and Palo Alto Networks confirm more than 50 major breaches so far. What makes this attack especially dangerous is the persistence: the stolen cryptographic keys let attackers regain access even after a system is patched, so patching without key rotation leaves the door open.
🛡 What Should Organizations Do?
Microsoft recommends immediate action:
- Apply the latest security updates for the affected SharePoint editions on every server in the farm.
- Rotate the ASP.NET machine keys (ValidationKey and DecryptionKey) after patching, then restart IIS on all SharePoint servers so the new keys take effect.
- Deploy Microsoft Defender Antivirus on all SharePoint servers and configure Antimalware Scan Interface (AMSI) integration in Full Mode.
- Disconnect vulnerable internet-facing SharePoint servers from the internet until they are updated.
- Scan for indicators of compromise using Microsoft Defender and Microsoft Sentinel (formerly Azure Sentinel); patching alone does not tell you whether a server was already breached.
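The post-patch steps above (key rotation, IIS restart, and a check for dropped web shells) as one PowerShell script. This is an added example, not code from the article or from Microsoft; it assumes SharePoint Server 2019 or Subscription Edition, where the `Update-SPMachineKey` cmdlet is available (confirm with `Get-Help Update-SPMachineKey` on your build), WinRM access to the other farm servers, and the default install path for the LAYOUTS hive. The `Get-MachineKeyFingerprint` helper is hypothetical: it hashes the keys so you can confirm they changed without writing the secrets to a log.

```powershell
# Added example: post-patch response for an on-premises SharePoint farm.
# Run in an elevated SharePoint Management Shell on ONE farm server, and only
# AFTER the security update has been installed on EVERY server in the farm.
# Assumptions: SharePoint 2019 / Subscription Edition (Update-SPMachineKey),
# WinRM to the other servers, default LAYOUTS path. Not from the article.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: fingerprint the <machineKey> element of a web.config so we
# can prove rotation happened without printing the keys themselves.
function Get-MachineKeyFingerprint {
    param([Parameter(Mandatory)][string]$WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $mk = $cfg.configuration.'system.web'.machineKey
    if (-not $mk) { return $null }
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$($mk.validationKey)|$($mk.decryptionKey)")
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').Substring(0, 16)
}

# web.config of each zone of each web application (Central Admin included).
function Get-WebConfigPaths {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($iis in $wa.IisSettings.Values) {
            Join-Path $iis.Path.FullName 'web.config'
        }
    }
}

# 1. Record the current key fingerprints so the rotation can be verified.
$before = @{}
foreach ($p in Get-WebConfigPaths) { $before[$p] = Get-MachineKeyFingerprint -WebConfigPath $p }

# 2. Rotate the ASP.NET machine keys for every web application in the farm.
#    A stolen ValidationKey/DecryptionKey lets an attacker forge payloads the
#    server trusts; rotation, not the patch, is what evicts that access.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS on every SharePoint server so the new keys are loaded.
#    Get-SPServer also lists the SQL server with Role 'Invalid'; skip it.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($srv in $spServers) {
    Invoke-Command -ComputerName $srv.Address -ScriptBlock { iisreset.exe /noforce }
}

# 4. Verify every web.config now carries a different key pair than before.
foreach ($p in Get-WebConfigPaths) {
    $after = Get-MachineKeyFingerprint -WebConfigPath $p
    $state = if ($after -and $after -ne $before[$p]) { 'ROTATED' } else { 'UNCHANGED - investigate' }
    Write-Host ("{0,-24} {1}" -f $state, $p)
}

# 5. Web shell hunt: any .aspx under the LAYOUTS hive written in the last 30 days.
#    Legitimate patches also touch this folder, so triage hits against the
#    update install time; anything unexplained is a compromise indicator.
$hive  = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$since = (Get-Date).AddDays(-30)
Get-ChildItem -Path $hive -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize
```

Run step 5 on every server, not just the one where you rotated the keys: a web shell only has to survive on one farm member. If any fingerprint reports UNCHANGED, check that the web.config is not locked down by a file ACL or an explicit `<machineKey>` override that the cmdlet did not update, and rotate that application again before putting the server back on the internet.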
Organizations must act fast: a server that is patched but still running the stolen keys remains open to long-term data theft or ransomware deployment.
🌍 Why This Matters Globally
This SharePoint zero-day exploit highlights the geopolitical nature of modern cyberattacks, with China-backed groups increasingly targeting critical infrastructure. It also reinforces the risk of running internet-exposed on-premises systems compared with cloud services such as Microsoft 365, whose SharePoint Online service is not affected by this flaw.


