Microsoft says suspected Chinese hackers have breached on-premises SharePoint servers.
In a significant cybersecurity development, Chinese-linked hacking groups have been actively exploiting critical vulnerabilities in Microsoft on-premises SharePoint servers. These vulnerabilities, primarily CVE-2025-49704 and CVE-2025-49706, pose a severe risk due to SharePoint’s integration with Microsoft’s broader ecosystem like Office, Teams, and OneDrive.
CVE-2025-49706 is an authentication bypass vulnerability that allows unauthorized access by manipulating HTTP headers. CVE-2025-49704, on the other hand, is an unsafe deserialization flaw that enables attackers to remotely execute PowerShell or other commands on the server after bypassing authentication.
Attackers have used these vulnerabilities to deploy stealthy payloads, extracting cryptographic machine keys from SharePoint’s configuration, enabling persistence and lateral movement without triggering typical detection mechanisms.
Microsoft released initial fixes for these vulnerabilities on July 9, 2025. However, attackers quickly developed bypass variants, leading to the assignment of two new CVEs: CVE-2025-53770 and CVE-2025-53771. CVE-2025-53770 is a variant of the unsafe deserialization RCE allowing remote code execution without authentication, while CVE-2025-53771 is a server spoofing vulnerability facilitating further exploitation.
Microsoft has released security updates to address these new vulnerabilities, but active exploitation continues, mainly targeting on-premises SharePoint Server customers. SharePoint Online in Microsoft 365 remains unaffected.
Cybersecurity firms tracking the active campaigns exploiting these vulnerabilities at scale have attributed these attacks to Chinese-nexus hacking groups. Microsoft has identified several such groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, targeting on-premises SharePoint servers.
Organizations running on-premises SharePoint servers are strongly urged to apply Microsoft’s July 2025 security updates immediately to mitigate active exploitation by sophisticated threat actors, including Chinese-nexus groups. Microsoft advises rotating ASP.NET machine keys, restarting Internet Information Services (IIS), and deploying Microsoft Defender for Endpoint.
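As an added illustration that is not taken from the article or from Microsoft's own guidance text, the PowerShell script below shows how a SharePoint administrator could carry out the post-patch steps the article lists on a SharePoint Server farm: check the farm build, rotate the ASP.NET machine keys for every web application, and restart IIS. The `Get-SPFarm`, `Get-SPWebApplication` and `Update-SPMachineKey` cmdlets exist in the SharePoint Management Shell, but the build number used for comparison is a placeholder to be replaced with the value from Microsoft's advisory for your SharePoint version.

```powershell
# Added example, not from the article. Run in an elevated SharePoint Management Shell
# on a farm server after the July 2025 security updates have been installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so you can confirm the update actually applied.
#    PLACEHOLDER: replace with the patched build number from Microsoft's advisory.
$patchedBuild = [Version]'0.0.0.0'
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
if ($farm.BuildVersion -lt $patchedBuild) {
    Write-Warning "Farm build is below the expected patched build; install the update before rotating keys."
}

# 2. Rotate the ASP.NET machine keys (validation and decryption keys) for every web application.
#    Keys extracted before patching stay valid until rotated, so this step matters even on a patched server.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS on this server so the worker processes pick up the new keys.
#    Repeat on every SharePoint server in the farm.
iisreset.exe
```

Rotating the keys only helps if it happens after the update is installed; otherwise an attacker who still has access can simply extract the new keys again. The IIS restart must be repeated on each server in the farm, since key rotation is farm-wide but worker processes are per server.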
Meanwhile, in a separate development, Qualcomm aims for smart glasses to become as important as phones, as stated at Snapdragon XR Day 2025. This news does not pertain to the previously mentioned Microsoft SharePoint server vulnerabilities or their solutions.
Ayushi Jain, a tech news writer, combines her passion for tech and gaming to bring the latest news in both fields.
- Cybersecurity firms and news outlets continue to cover the active exploitation of CVE-2025-49704 and CVE-2025-49706 in on-premises SharePoint servers, with the attacks attributed to Chinese-nexus groups such as Linen Typhoon, Violet Typhoon, and Storm-2603.
- The campaign also shows how geopolitics shapes cybersecurity: the targeting of on-premises SharePoint servers by Chinese-nexus groups is one more reason for organizations to apply Microsoft's July 2025 security updates without delay.