In a significant escalation of cyber threats targeting enterprise software, Microsoft has attributed a series of ongoing attacks on its SharePoint platform to three China-based threat groups.
The vulnerabilities, which enable remote code execution and data theft, have compromised numerous organizations worldwide, including U.S. government agencies and global businesses. This development underscores the persistent risks in on-premises server environments, where unpatched systems remain prime targets for state-sponsored actors.
The exploits center on critical flaws in SharePoint Server, identified as CVE-2025-53770 and CVE-2025-53771, allowing attackers to infiltrate networks without prior authentication. Microsoft confirmed that these zero-day vulnerabilities have been actively exploited since at least early July, affecting on-premises installations rather than cloud-based versions. According to reports from cybersecurity researchers, the attacks have led to data exfiltration and potential long-term persistence in victim networks.
Attribution to Chinese Groups
Microsoft’s threat intelligence team linked the operations to two state actors it tracks as “Linen Typhoon” and “Violet Typhoon,” plus a third China-based group tracked as “Storm-2603.” These actors have a history of targeting critical infrastructure and intellectual property, as detailed in a recent advisory. The company’s analysis, shared via its security blog, describes how the attackers chained the two vulnerabilities to reach SharePoint’s ToolPane.aspx endpoint without authentication and drop a webshell (spinstall0.aspx) whose purpose is to dump the server’s ASP.NET machine keys. With those keys in hand, an attacker can forge valid ViewState payloads and keep executing code on the server even after the patch is applied, unless the keys are rotated.
This attribution fits the broader pattern of Chinese cyber espionage against Microsoft server products, most directly the 2021 Exchange Server ProxyLogon campaign. Industry experts note that SharePoint’s widespread use for document collaboration makes it an attractive vector, with over 250,000 organizations potentially exposed if not updated promptly.
Emergency Patches and Mitigation
In response, Microsoft rushed out out-of-band patches, first for SharePoint Subscription Edition and SharePoint Server 2019, with the SharePoint Server 2016 update following shortly afterwards; SharePoint 2013 and earlier are out of support and receive no fix. The company urged immediate updates and emphasized that cloud-hosted SharePoint Online is not impacted. Patching alone is not sufficient, however: because the exploit steals the ASP.NET machine keys, Microsoft also directed customers to rotate those keys after updating (via the Update-SPMachineKey cmdlet or the machine-key rotation timer job in Central Administration), restart IIS, and enable SharePoint’s AMSI integration so that malicious requests can be inspected before they reach the application. As reported by The Hacker News, at least 54 victims have been confirmed, though the true scope may be larger given the stealthy nature of these intrusions.
Security firms like Wiz have provided detailed guidance on detecting these exploits, recommending network monitoring for anomalous traffic and the use of tools to scan for indicators of compromise. The division of labor between the two flaws is the reverse of what some early coverage suggested: CVE-2025-53771 is the authentication bypass (a spoofing flaw triggered by a crafted Referer header pointing at the SignOut page) that exposes the ToolPane.aspx endpoint to unauthenticated requests, and CVE-2025-53770 is the deserialization flaw behind that endpoint that yields remote code execution. Both are bypasses of the fixes Microsoft shipped in its July Patch Tuesday release for CVE-2025-49706 and CVE-2025-49704, which is why servers patched in early July were still exploitable.
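The following detection script is an added example and is not code from Microsoft, Wiz, or the original article. It applies the two indicators described above to IIS W3C log lines: an unauthenticated POST to ToolPane.aspx whose Referer is the SignOut page, and any request for a spinstall-style webshell under the LAYOUTS path. The log lines and the field layout are constructed for the example; adjust FIELDS to match the #Fields header your servers actually emit.

```python
"""Flag ToolShell-style exploitation attempts in IIS W3C logs.

Added example, not code from Microsoft, Wiz, or the article.  The indicators
come from public reporting on the campaign:
  - POST to /_layouts/15/ToolPane.aspx with Referer /_layouts/SignOut.aspx
    (the authentication bypass), and
  - a request for a webshell dropped into the LAYOUTS directory, for
    example spinstall0.aspx.
Log lines below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Assumed field order; replace with the order from your #Fields header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status"]

TOOLPANE_RE = re.compile(r"/_layouts/(?:15|16)/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:15/|16/)?signout\.aspx", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/_layouts/(?:15|16)/spinstall[0-9]*\.aspx$",
                         re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    rule: str


def parse_line(line):
    """Return a dict of W3C fields, or None for directives/blank/short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan(lines):
    """Scan log lines and return a list of Finding objects.

    A legitimate user editing a web part also POSTs to ToolPane.aspx, so the
    discriminator is the SignOut.aspx Referer, which a browser never sends
    for that request.  Any hit on a spinstall*.aspx path is flagged outright.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        stem = rec["cs-uri-stem"]
        if (rec["cs-method"].upper() == "POST"
                and TOOLPANE_RE.search(stem)
                and SIGNOUT_RE.search(rec["cs(Referer)"])):
            findings.append(Finding(n, rec["c-ip"], "toolpane_signout_bypass"))
        elif WEBSHELL_RE.search(stem):
            findings.append(Finding(n, rec["c-ip"], "layouts_webshell_request"))
    return findings


def suspicious_ips(findings):
    """Distinct client IPs worth pivoting on in firewall and EDR data."""
    return sorted({f.client_ip for f in findings})


# Constructed sample: two benign requests, one bypass attempt, one webshell hit.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 21:14:02 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\alice 10.0.0.41 Mozilla/5.0 https://sp.example.test/sites/hr 200
2025-07-18 21:15:37 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 21:15:39 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 21:16:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.42 Mozilla/5.0 https://sp.example.test/sites/hr/default.aspx 200
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}")
    print("pivot on:", suspicious_ips(scan(SAMPLE_LOG.splitlines())))
```

Run it against the real W3C logs on every SharePoint front end, not just the one you suspect; a hit on either rule means the ASP.NET machine keys must be treated as compromised and rotated regardless of patch level, because the key theft happened at the moment the webshell was requested.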
Impact on Global Organizations
The fallout has rippled across sectors, with U.S. federal and state agencies among the hardest hit, as noted in coverage from The Washington Post. Researchers estimate around 100 organizations were compromised in the initial wave, including financial institutions and tech firms. This incident echoes the 2021 Microsoft Exchange hacks, also attributed to Chinese groups, raising questions about the security of Internet-facing on-premises servers that carry sensitive data.
For industry insiders, the key takeaway is the need for robust patch management and zero-trust architectures. Microsoft’s confirmation of active exploitation, detailed in a Forbes article, stresses that delays in updating can lead to catastrophic breaches. Cybersecurity leaders are now advocating for proactive threat hunting, as these groups continue to evolve their tactics.
Wider Implications for Cybersecurity
Beyond immediate fixes, this event highlights geopolitical tensions in cyberspace, with U.S. officials pointing to China’s aggressive digital operations. The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts, added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, and urged federal entities to apply Microsoft’s mitigations swiftly, per their official notice.
As attacks persist, enterprises must reassess their reliance on legacy systems. Microsoft plans enhanced monitoring for SharePoint users, but experts warn that without global cooperation, such vulnerabilities will continue to be weaponized by nation-states, perpetuating a cycle of exploitation and response in the digital arms race.


WebProNews is an iEntry Publication