Threat Intelligence: Microsoft’s SharePoint Hacked by Chinese Threat Actor
Microsoft has issued an urgent warning to all organisations running on-premises SharePoint Server, after confirming an active exploitation campaign by China-based threat actors. The attackers have exploited two vulnerabilities, CVE-2025-53770 and CVE-2025-53771, to gain access to sensitive documents and to cryptographic key material that lets them retain access to compromised systems even after the servers themselves are patched.
Key Takeaways
- Microsoft confirms Chinese threat actors exploited two zero-day vulnerabilities in on-premises SharePoint servers
- Microsoft attributes the activity to the Chinese nation-state actors Linen Typhoon and Violet Typhoon, and to Storm-2603, which it assesses with medium confidence to be China-based
- Cloud-based SharePoint Online is unaffected
- DigitalXRAID urges all organisations using on-prem SharePoint to patch immediately and verify system integrity
Information about the Microsoft SharePoint Hack
The attacks have targeted organisations across multiple sectors and geographies, including the UK. The cloud-based SharePoint Online service is unaffected, but any organisation running on-prem SharePoint should treat its servers as exposed until they are patched and verified.
Who’s behind the attack?
Microsoft has attributed the campaign to three China-based threat actors:
- Linen Typhoon – Known for long-term cyber espionage targeting government, defence, and human rights organisations
- Violet Typhoon – Focused on intelligence gathering from NGOs, think tanks, academia, media, and healthcare sectors
- Storm-2603 – Assessed by Microsoft with medium confidence to be China-based, involved in broad exploitation activity
The groups are exploiting the SharePoint server software to plant web shells and extract the server's ASP.NET machine keys (the ValidationKey and DecryptionKey). Those keys are what SharePoint uses to sign and protect ViewState and other state it receives, so an attacker holding them can forge requests the server accepts as legitimate and keep that access until the keys are rotated, quite apart from any documents copied during the initial intrusion.
According to Microsoft, this activity has occurred across multiple sectors and regions, including Europe, with victims reportedly spanning governments, businesses, and strategic industries.
Technical Details: CVE-2025-53770 and CVE-2025-53771
CVE-2025-53771 is an authentication bypass (classed by Microsoft as a spoofing vulnerability) in how on-premises SharePoint handles certain requests, and CVE-2025-53770 is a deserialization-of-untrusted-data flaw that gives remote code execution. Chained, they let an unauthenticated attacker run code on the server over the network; the key theft and privilege escalation described above are post-exploitation steps that follow. Both are variants of CVE-2025-49706 and CVE-2025-49704, which Microsoft patched in its July 2025 update and which the attackers bypassed. Microsoft has released patches addressing both new CVEs, and any system that remains unpatched is at ongoing risk. Note that the patch closes the entry point but does not invalidate keys already stolen, so key rotation is a required part of remediation.
Affected Versions
The following on-premises SharePoint Server products are affected and have updates available:
- SharePoint Server 2016 (Build 16.0.4xxx.x / 16.0.5xxx.x)
- SharePoint Server 2019 (Build 16.0.10xxx.x)
- SharePoint Server Subscription Edition (Build 16.0.14xxx.x or higher)
SharePoint Server 2013 and 2010 are end-of-support and receive no fix; servers still running them should be isolated from untrusted networks or taken offline, and migrated.
Non-affected products include:
- SharePoint Online (cloud-based service)
Identifying Your Version
To determine your current SharePoint build version, run the following in the SharePoint Management Shell (or in an elevated PowerShell session after loading the snap-in, as the first line does):
# Load the SharePoint cmdlets if not already in the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Farm build number and the list of installed products
Get-SPFarm | Select-Object BuildVersion, Products
Alternatively, in SharePoint Central Administration go to System Settings > Manage servers in this farm, which shows the configuration database version and the status of each server.
DigitalXRAID’s SOC Recommendations
Threat intelligence specialists from DigitalXRAID’s Security Operations Centre (SOC) team have issued the following steps for any organisation running on-prem SharePoint:
Immediate Actions:
- Apply Microsoft's security updates for CVE-2025-53770 and CVE-2025-53771 to every server in the farm without delay
- Confirm successful patch installation
- Rotate the ASP.NET machine keys and restart IIS afterwards: an attacker who has already extracted the keys can keep forging valid requests after the patch, so patching alone does not evict them. Microsoft's guidance covers rotation with the Update-SPMachineKey cmdlet or the machine key rotation timer job in Central Administration
- Confirm AMSI integration is enabled and an antivirus/EDR agent is running on every SharePoint server, as Microsoft recommends
- Review IIS access logs and SharePoint logs for suspicious activity, including the period before the patch was applied
Priority Systems:
- Any internet facing SharePoint instances should be prioritised
- Systems allowing external user access need urgent attention
- Monitor for indicators of compromise across all affected infrastructure
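As an added example (not DigitalXRAID's tooling, nor anything Microsoft ships), the following Python script shows what a first pass over IIS access logs for the indicators above can look like. The two indicators it checks are the ones Microsoft published for this campaign: a POST to /_layouts/15/ToolPane.aspx in DisplayMode=Edit whose Referer is /_layouts/SignOut.aspx, and any request for spinstall*.aspx under the LAYOUTS path, where the actors' web shell was dropped. It assumes the default IIS W3C extended log fields and reads the field order from the #Fields header; the log lines embedded in it are constructed for the demonstration.

```python
"""
Triage of IIS W3C access logs from an on-prem SharePoint server for the request
pattern Microsoft published for the CVE-2025-53770 / CVE-2025-53771 campaign.

Added example for this article; not DigitalXRAID's or Microsoft's tooling.
Indicators are taken from Microsoft's public guidance on this campaign; the
sample log content below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Indicator 1: the exploit request. A POST to ToolPane.aspx in edit mode whose
# Referer is the sign-out page. Legitimate page edits POST to ToolPane.aspx too,
# but arrive from the page being edited, never from SignOut.aspx.
TOOLPANE_LEAF = "toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
# Indicator 2: the web shell dropped under the LAYOUTS directory
# (spinstall0.aspx, with spinstall.aspx / spinstall1.aspx variants).
SHELL_PREFIX = "spinstall"


@dataclass
class Finding:
    line_no: int      # 1-based line number in the log file
    client_ip: str    # c-ip
    reason: str
    request: str      # method, stem and query as logged


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each log entry, using the #Fields header so
    the parser follows whatever field order the site's logging is configured with."""
    fields: Optional[List[str]] = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError(f"line {line_no}: record before any #Fields header")
        parts = line.split(" ")           # IIS encodes spaces in values as '+'
        if len(parts) != len(fields):     # truncated or corrupted record: skip
            continue
        yield line_no, dict(zip(fields, parts))


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log record that matches an indicator."""
    findings: List[Finding] = []
    for line_no, rec in parse_w3c(lines):
        method = rec.get("cs-method", "-")
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-").lower()
        leaf = stem.lower().rsplit("/", 1)[-1]
        request = f"{method} {stem}" + (f"?{query}" if query != "-" else "")

        if (method.upper() == "POST" and leaf == TOOLPANE_LEAF
                and "displaymode=edit" in query.lower()
                and SIGNOUT_REFERER in referer):
            findings.append(Finding(line_no, rec.get("c-ip", "-"),
                "ToolPane.aspx POST with SignOut.aspx Referer (exploit request)", request))
        elif ("/_layouts/" in stem.lower() and leaf.startswith(SHELL_PREFIX)
                and leaf.endswith(".aspx")):
            findings.append(Finding(line_no, rec.get("c-ip", "-"),
                "request for spinstall*.aspx under /_layouts/ (web shell)", request))
    return findings


# Constructed sample: a normal user request, the exploit POST, a fetch of the
# web shell, and a legitimate administrator opening ToolPane.aspx (not flagged).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:14:07 10.0.0.5 GET /sites/finance/Shared+Documents/Forms/AllItems.aspx - 443 CONTOSO\jsmith 10.1.2.3 Mozilla/5.0 https://sp.contoso.example/sites/finance 200 0 0 120
2025-07-19 02:15:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) /_layouts/SignOut.aspx 200 0 0 384
2025-07-19 02:15:33 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 25
2025-07-19 02:20:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\admin 10.1.2.4 Mozilla/5.0 https://sp.contoso.example/sites/finance/default.aspx 200 0 0 90
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.client_ip}  {f.reason}\n    {f.request}")
```

Run it over the real logs with triage(open(path)) for each daily log file, covering the period before the patch as well as after it. A hit on the first indicator is high confidence: the SignOut.aspx Referer is set by the exploit request and has no legitimate reason to appear on a page-edit POST. Treat any hit as the trigger for key rotation and forensic work, not only a re-patch.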
Patch Verification:
Use the following PowerShell on each server in the farm to confirm the patch is installed:
# Load the SharePoint cmdlets if not already in the SharePoint Management Shell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Lists installed products for this server and refreshes the farm's recorded patch state
Get-SPProduct -Local | Format-Table DisplayName, Version
Compare the reported build against the build number given in Microsoft's update article for your version, document the updated build numbers, and test critical functionality post-patch. Run the check on every server in the farm, not only the one you patched from; a single unpatched web front end leaves the farm exposed.
Why This Matters
This campaign demonstrates the strategic value threat actors place on collaboration and document-sharing platforms. While Microsoft continues its investigation, organisations should assume compromise until patches are fully applied, machine keys are rotated, and systems are verified. These actors are known for long-term, stealthy operations, so early action is critical to limiting damage, and continued monitoring is recommended after remediation.
Need Help?
DigitalXRAID’s CREST and NCSC accredited team of Threat Intelligence and Incident Response specialists are monitoring the situation closely. If you’re unsure whether your systems are at risk, or if you need help assessing and mitigating the threat, our team is here to support you.
If you believe you’ve been breached and are under active attack, please contact the cyber emergency line as soon as possible. You can bookmark this page for future protection.
Get in touch with us today to assess your exposure and secure your environment.