Microsoft Alerts Users to SharePoint Security Threat

ultimateimp – Microsoft has confirmed that Chinese hacking groups are actively exploiting a vulnerability in its SharePoint software, widely used in business and government systems. Although Microsoft released a security patch, it reports that three China-based threat actors have already used the flaw to target internal SharePoint servers.

Two of the groups, known as Linen Typhoon and Violet Typhoon, are state-backed espionage teams focused on data theft and surveillance. A third group, Storm-2603, is also believed to be based in China and has launched attacks using the same vulnerability. Microsoft says it is still investigating additional actors potentially involved in similar activity.

The flaw allows attackers to execute rogue code remotely on a vulnerable SharePoint server. From there, they can install backdoors, gain unauthorized access, and hijack systems. This creates a high risk for organizations that rely on SharePoint to manage confidential files and integrate with tools like Microsoft Outlook. Microsoft’s warning comes alongside alerts from other cybersecurity vendors, including Check Point, which reports dozens of attempts to compromise servers. These attacks have mainly targeted sectors such as government, telecommunications, and software in North America and Western Europe.

Researchers discovered that hackers were exploiting the flaw as early as July 7, nearly two weeks before the wider cybersecurity community became aware of the mass exploitation. The flaw affects thousands of SharePoint-related IP addresses. Over 9,000 servers may be exposed if not patched. Microsoft initially released a fix for SharePoint Subscription Edition and SharePoint Server 2019. A patch for SharePoint 2016 followed shortly afterward. The company confirmed that SharePoint Online in Microsoft 365 remains unaffected.

Microsoft Urges SharePoint Users to Patch Systems Immediately

Microsoft is urging all customers running SharePoint on-premises to apply the latest security updates immediately. Unpatched servers are at significant risk of compromise, particularly in high-value sectors handling sensitive data. The vulnerability, if left unaddressed, can give attackers remote access to core systems. This can lead to stolen data, surveillance, or deeper breaches into connected infrastructure. Microsoft emphasized that this flaw is currently under active exploitation by advanced persistent threat groups. The company’s latest security advisory includes technical details and indicators of compromise to help system administrators detect intrusions. These indicators include suspicious process activity, unusual network behavior, and unexpected modifications to SharePoint system files.

The fast and coordinated response by Microsoft demonstrates the growing urgency in protecting enterprise platforms from targeted state-sponsored attacks. Its security teams continue to monitor exploitation patterns and provide updates to impacted users. While Microsoft has closed the vulnerability through patches, organizations must remain vigilant. System audits, updated endpoint defenses, and continuous monitoring are essential in preventing future breaches. Companies are also encouraged to follow cybersecurity best practices, such as limiting external access and isolating critical servers. This incident reinforces a broader cybersecurity concern: even widely trusted platforms can become entry points for sophisticated attacks. Enterprises relying on SharePoint must act quickly to secure their infrastructure and minimize risk. Microsoft continues to coordinate with industry partners to track and contain the threat.