The two critical flaws, tracked as CVE-2025-53770 and CVE-2025-53771, were initially patched by Microsoft on July 8 with partial fixes, but a more comprehensive emergency patch had to be released on July 22 following ongoing exploitation and mounting pressure from cybersecurity watchdogs.
Security researchers from Mandiant, in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), reported that these vulnerabilities allowed attackers to execute remote code and install a malicious web shell disguised as a legitimate SharePoint file. This access enabled lateral movement within networks, theft of cryptographic MachineKeys, and persistent access—sometimes even surviving reboots and software updates.
What’s alarming is the nature and scope of these intrusions. Unlike random ransomware attacks, this campaign is surgical and focused, with a clear goal: stealing intellectual property and classified information. Linen Typhoon, for instance, has a long history of targeting defense contractors and aerospace firms. Violet Typhoon is known for going after think tanks, financial organizations, and universities engaged in cutting-edge research. Storm-2603, though less documented, is believed to have ransomware capabilities and may be evolving into an espionage tool for hire.
More than 54 organizations, including U.S. federal agencies, European tech firms, and research institutions in Asia, have already been identified as confirmed victims, though the true number may be much higher. Thousands of unpatched SharePoint servers remain vulnerable, making the threat both immediate and widespread.
Cybersecurity experts warn that even organizations who have already applied patches may still be at risk if attackers deployed backdoors or siphoned off credentials before the fixes. Microsoft and CISA have issued urgent guidance: isolate affected servers, rotate all cryptographic and authentication keys, and audit systems for unusual activity involving SharePoint.
China-Linked Hackers Target Microsoft SharePoint in Alarming Global IP Theft Campaign The two critical flaws, tracked as CVE-2025-53770 and CVE-2025-53771, were initially patched by Microsoft on July 8 with partial fixes, but a more comprehensive emergency patch had to be released on July 22 following... Read the full IIPLA article: https://iipla.org/news/china-hackers-sharepoint-ip-theft