They used this exploit chain (dubbed “ToolShell”) to breach dozens of organizations worldwide after hacking into their on-premises SharePoint servers.
“Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” Microsoft said in a Tuesday report.
“In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”
Microsoft reported: On July 19, 2025, Microsoft Security Response Center (MSRC) published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-40704, a remote code execution vulnerability.
These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected.
These comprehensive security updates address newly disclosed security vulnerabilities in CVE-2025-53770 that are related to the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706.
TechCrunch reported: Security researchers at Google and Microsoft say they have evidence that hackers backed by China are exploiting a zero-day bug in Microsoft SharePoint, as companies around the world scramble to patch the flaw.
The bug, known officially as CVE-2025-53770 and discovered last weekend, allows hackers to steal sensitive private keys from self-hosted versions of SharePoint, a software server widely used by companies and organizations to store and share internal documents. Once exploited, an attacker can use the bug to remotely plant malware and gain access to the files and data stored within, as well as gain access to other systems on the same network.
In a blog post on Tuesday, Microsoft said it had observed at least two previously identified China-backed hacking groups it calls “Linen Typhoon” and “Violet Typhoon” exploiting the SharePoint zero-day. Microsoft says Linen Typhoon is focused on stealing intellectual property, while Violet Typhoon steals private information to be used for espionage.