Widespread cyberattacks targeting Microsoft SharePoint servers have disrupted hundreds of organizations across the globe in recent days, raising concerns among cybersecurity experts. Coordinated activity by China-affiliated threat groups has complicated incident response efforts, notably as both espionage-focused actors and opportunistic attackers have exploited previously unknown vulnerabilities. Organizations in sectors including government, finance, and health have been affected. As businesses increasingly rely on Microsoft products, the implications of such coordinated campaigns are amplified, especially where critical infrastructure is concerned.
Earlier incidents involving SharePoint exploited similar vulnerabilities, but the latest wave reflects more sophisticated targeting and larger impact. Previous campaigns were often limited to narrower sectors or used less aggressive exploitation methods. On this occasion, a broader array of threat actors, including nation-state groups and unaffiliated attackers, have rapidly integrated the new vulnerabilities into their tactics, enabling widespread unauthorized access.
How Are the SharePoint Zero-Days Being Exploited?
Microsoft analysts have identified that the groups Linen Typhoon and Violet Typhoon, both assessed to be Chinese state actors, along with an emerging cluster tracked as Storm-2603, are exploiting CVE-2025-53770 and CVE-2025-53771 in on-premises SharePoint Server deployments (SharePoint Online is not affected). CVE-2025-53770 is a deserialization flaw that yields unauthenticated remote code execution; CVE-2025-53771 is a spoofing flaw that bypasses authentication. Both are variants of CVE-2025-49704 and CVE-2025-49706, which Microsoft had addressed in its July Patch Tuesday release, and together they give an attacker a foothold on the server without credentials. Because the flaws were exploited in the wild before fixed builds were available, exploitation spread quickly across sectors.
Which Organizations Face the Highest Risk?
Entities spanning the public and private sectors face heightened threats, with researchers documenting incidents involving government agencies, defense contractors, academia, and several critical infrastructure providers. Microsoft underscored that unpatched systems are particularly at risk, warning that,
“with the rapid adoption of these exploits, threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”
In addition to the initial compromise, attackers have been stealing the server's ASP.NET MachineKey (the ValidationKey and DecryptionKey used to sign and encrypt ViewState). With those keys an attacker can craft payloads the server will keep accepting as legitimate, so applying the security update alone does not evict them: the keys must be rotated (Microsoft points to the Update-SPMachineKey cmdlet or the Machine Key Rotation timer job) and IIS restarted on every SharePoint server.
Can the Spread of These Attacks Be Contained?
Microsoft responded by shipping out-of-band security updates for all supported on-premises versions: SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016. The Cybersecurity and Infrastructure Security Agency reacted quickly, issuing public alerts and adding the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Security teams are prioritizing patching and incident response to contain ongoing breaches. As observed in other ransomware and espionage-focused campaigns, mitigation is complicated by the involvement of multiple actor groups and the speed at which exploits are adapted.
Investigation of each group's methods reveals distinct objectives: Linen Typhoon, active since 2012, has emphasized intellectual-property theft from government, defense, and strategic-planning targets, whereas Violet Typhoon has focused on gathering information from political, academic, and health-related organizations, especially in the United States, Europe, and East Asia. Storm-2603 (the "Storm-" prefix marks an activity cluster Microsoft has not yet attributed to a named group) goes after the MachineKey so it can remain inside victim networks after patches are applied. All three groups scan for internet-exposed SharePoint servers and use the same web-facing entry point to plant persistent footholds, which makes the activity hard to separate during response.
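The persistence-through-stolen-keys and exposed-web-infrastructure points above translate into two things a responder should look for in SharePoint's IIS logs: the request shape that Microsoft documented for this exploit chain (a POST to ToolPane.aspx in edit mode carrying a Referer of the sign-out page), and requests to the spinstall0.aspx-style web shell that was used to read the MachineKey. The following is an added example for this article, not code from the article or from Microsoft; the indicators come from Microsoft's published guidance, the log lines are constructed, and the host name sp.contoso.example is made up.

```python
"""Scan SharePoint IIS (W3C) logs for the request pattern publicly documented
for CVE-2025-53770 / CVE-2025-53771 exploitation.

Added example for this article; not code from the article or from Microsoft.
The log lines in SAMPLE_LOG are constructed, not captured from a real server.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample in IIS W3C format. Entries 2 and 3 model the documented
# exploit chain; entries 1 and 4 are ordinary, authenticated traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 198.51.100.7 Mozilla/5.0 - 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 https://sp.contoso.example/_layouts/SignOut.aspx 200
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-19 03:14:22 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.22 Mozilla/5.0 https://sp.contoso.example/sites/hr/default.aspx 200
"""

# ToolPane.aspx in edit mode, reached with a Referer of the sign-out page: the
# documented shape of the authentication bypass in this chain.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.IGNORECASE)
# Web shell dropped by the observed exploitation to read the MachineKey.
SPINSTALL_RE = re.compile(r"/_layouts/(?:\d+/)?spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    timestamp: str
    client_ip: str
    uri: str
    authenticated: bool


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields line.

    IIS re-emits #Fields after a restart, so the column layout is re-read
    whenever the directive appears instead of being fixed once at the top.
    """
    columns: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            columns = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        values = line.split()
        if not columns or len(values) != len(columns):
            continue  # truncated or foreign line; skip rather than mis-align
        yield dict(zip(columns, values))


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a rule name when the entry matches a documented indicator."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    referer = entry.get("cs(Referer)", "-")
    method = entry.get("cs-method", "")
    if (method.upper() == "POST" and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in query.lower()
            and SIGNOUT_REFERER_RE.search(referer)):
        return "toolshell_auth_bypass"
    if SPINSTALL_RE.search(stem):
        return "machinekey_webshell"
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run classify() over every parsed entry and collect the hits."""
    findings: List[Finding] = []
    for entry in parse_w3c(lines):
        rule = classify(entry)
        if rule is None:
            continue
        findings.append(Finding(
            rule=rule,
            timestamp=f"{entry['date']} {entry['time']}",
            client_ip=entry.get("c-ip", "-"),
            uri=entry["cs-uri-stem"],
            authenticated=entry.get("cs-username", "-") != "-",
        ))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.client_ip} {f.rule} {f.uri} auth={f.authenticated}")
```

Point the script at the real W3C files under the site's log directory rather than SAMPLE_LOG. A hit on the web-shell rule means the MachineKey should be treated as compromised regardless of patch state; a hit on the bypass rule from an unauthenticated client (authenticated=False) is the stronger signal, since a signed-in administrator legitimately opening ToolPane in edit mode, as in the fourth sample entry, is not flagged.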
The recent surge in attacks against Microsoft SharePoint highlights persistent gaps in critical software defense, especially in widely deployed on-premises solutions. Staying current with security patches significantly reduces exposure to cyber threats, yet delayed patch cycles and insufficient monitoring can leave organizations vulnerable even post-disclosure. Attackers’ motivations range from espionage and intellectual property theft to broader opportunistic gain. Through rapid patch deployment, consistent monitoring, and robust response planning, organizations can minimize risk, though continued vigilance is essential as threat actors adapt to new defenses. Decision-makers should prioritize inventorying exposed systems, routinely test emergency response procedures, and remain alert for signs of lateral movement or credential misuse.