"China-supported nation-state hackers identified as among the entities attempting to breach SharePoint platforms, according to Microsoft"
A critical zero-day vulnerability, CVE-2025-53770, has been actively exploited since mid-July 2025, targeting on-premises Microsoft SharePoint servers. This vulnerability allows unauthenticated remote code execution (RCE) and has been exploited by sophisticated threat actors, including Chinese government-backed groups like Linen Typhoon, Violet Typhoon, and Storm-2603.
Widespread Exploitation and Impact
The exploitation of this vulnerability has been widespread, affecting government agencies, multinational corporations, and banking sectors globally. Real-world attacks have been reported starting from July 17-18, 2025. The vulnerability enables attackers to access all content and file systems on the server and to pivot further into integrated Microsoft platforms, significantly expanding the scope and sensitivity of the breach.
Remediation and Current Status
Microsoft acknowledged the issue on July 19, 2025, and released patches for SharePoint Subscription Edition and 2019 versions by July 20. However, SharePoint 2016 remained unpatched at the time of reports. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities Catalog, requiring U.S. federal agencies to patch by July 21, 2025.
In unpatched environments, defenders are advised to enable Microsoft Defender for Endpoint protections and to configure the Antimalware Scan Interface (AMSI) integration so that exploitation attempts can be blocked. Managed detection services such as Arctic Wolf and Palo Alto's Unit 42 have actively monitored and detected ongoing exploitation and post-exploitation activity linked to these campaigns.
Threat Groups Involved
Linen Typhoon, Violet Typhoon, and Storm-2603 are known Chinese state-sponsored actors specializing in espionage and advanced persistent threats. They have been using vulnerabilities like CVE-2025-53770 to infiltrate high-value targets via SharePoint servers, which form a critical collaboration and document repository within target networks.
Conclusion
CVE-2025-53770 currently represents a highly impactful, actively exploited attack vector against Microsoft SharePoint on-premises servers. It allows unauthorized access, remote code execution, and potentially compromises entire organizational networks. Immediate patching and enhanced endpoint detection remain essential mitigations.
Cybersecurity experts are urging organizations to prioritize patching their on-premises Microsoft SharePoint servers to address the ransomware threat posed by the actively exploited vulnerability CVE-2025-53770. Left unpatched, this zero-day enables threat actors such as Linen Typhoon, Violet Typhoon, and Storm-2603 to execute malicious code and potentially compromise entire networks, causing significant damage.
Cybersecurity professionals are also actively monitoring the ongoing exploitation and post-exploitation activity connected to these campaigns. Threat intelligence units such as Arctic Wolf and Palo Alto's Unit 42 are working to counter these advanced persistent threats and help organizations stay protected.
In light of the growing impact and ongoing exploitation of this ransomware threat, it is crucial for organizations to fortify their cybersecurity measures, patch their SharePoint servers, and vigilantly monitor for any unusual activity related to CVE-2025-53770.