Microsoft on Tuesday said it has identified two experienced Chinese government-backed threat groups exploiting a recently disclosed vulnerability in its SharePoint servers.
The groups, which Microsoft calls Linen Typhoon and Violet Typhoon, are among the many hackers trying to penetrate computer networks running SharePoint by using a spoofing vulnerability, tracked as CVE-2025-49706, and a remote code execution vulnerability, tracked as CVE-2025-49704. (Microsoft has patched the vulnerabilities, which it assigned the new CVEs CVE-2025-53770 and CVE-2025-53771, respectively.)
A third China-linked actor, tracked as Storm-2603, is also exploiting the vulnerabilities, Microsoft said.
An executive from Google’s Mandiant division also confirmed on Monday that a China-linked hacker team is among the growing number of actors capitalizing on the SharePoint flaws.
The Cybersecurity and Infrastructure Security Agency on Sunday added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog.
Microsoft said hackers began exploiting the flaws as early as July 7 to gain initial footholds into targeted organizations.
The attacks have compromised dozens of organizations worldwide, including several governments and companies in a wide range of industries.
Researchers at Palo Alto Networks said hackers are using the flaws to bypass multifactor authentication and single sign-on systems and gain privileged access to systems, allowing them to deploy persistent backdoors, take sensitive data and steal cryptographic keys.
Rapid7 also said it has observed active exploitation in customer environments.
Linen Typhoon, which first surfaced in 2012, has used existing exploits to steal intellectual property, targeting government, defense industries and strategic planning organizations, according to Microsoft.
Violet Typhoon, which has been operating since 2015, has targeted government and military officials, non-governmental organizations, higher education, digital and print media, financial firms and healthcare organizations in the U.S., Europe and East Asia, the company said. The group normally scans exposed web infrastructure for vulnerabilities before installing web shells.
Researchers have observed Storm-2603 stealing machine keys through vulnerabilities in on-premises SharePoint servers. The threat actor has previously used this access to deploy the Warlock and LockBit ransomware strains. Microsoft said it did not yet understand the group’s current goals.
Microsoft said it was still investigating exploitation by other threat actors and warned that more hackers would integrate the new vulnerabilities into their attacks on unpatched on-premises SharePoint servers.