
Microsoft has confirmed that several Chinese state-backed hacking groups—Linen Typhoon, Violet Typhoon, and Storm-2603—are exploiting critical vulnerabilities in on-premises SharePoint servers.

The disclosure follows reports of over 100 global organizations being breached, with Microsoft now linking the attacks to specific zero-day flaws: CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution bug. These exploits are related to earlier disclosed issues, CVE-2025-53770 and CVE-2025-53771. In response, Microsoft has issued urgent security patches for all supported versions of SharePoint, including SharePoint 2016, 2019, and the Subscription Edition.

According to Microsoft's Threat Intelligence unit, the threat actors are leveraging specially crafted POST requests targeting the ToolPane endpoint to gain unauthorized access and deploy web shells. Linen Typhoon, formerly known as Hafnium, has a history of targeting government, defense, and academic institutions, notably during the Microsoft Exchange ProxyLogon attacks. Violet Typhoon, previously APT41, is known for espionage and financially motivated intrusions, frequently exploiting supply chains and backdooring software. Storm-2603, a newly tracked group suspected to be China-linked, has used ransomware in the past, but its current intent appears focused on long-term access and data theft via SharePoint.

The cyberattacks began as early as July 7, 2025, and involve stealing critical IIS Machine Keys to bypass authentication, even after systems are patched. Microsoft and threat intelligence partners, including CrowdStrike and Shadowserver Foundation, have reported hundreds of attempted breaches across more than 160 environments. With over 9,000 SharePoint IPs exposed daily, Microsoft urges all organizations using on-premises SharePoint to immediately apply the latest updates and conduct a thorough security review to detect potential compromise.
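As a starting point for that review, the added example below (not from Microsoft or the original article) scans IIS W3C logs for POST requests to the ToolPane endpoint mentioned above and groups them by client IP. The log lines are constructed, and the sample `/_layouts/15/ToolPane.aspx` path, the field set and the `find_toolpane_posts` name are assumptions; matching is on the substring `toolpane` only.

```python
"""Flag POST requests to the SharePoint ToolPane endpoint in IIS W3C logs."""
from collections import defaultdict

# Constructed sample log (not real traffic); client IPs use documentation ranges.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-07-18 09:12:01 GET /_layouts/15/start.aspx alice 10.0.0.77 200
2025-07-18 09:58:44 POST /_layouts/15/ToolPane.aspx - 203.0.113.9 200
2025-07-18 09:59:02 GET /_layouts/15/ToolPane.aspx bob 10.0.0.78 200
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2025-07-18 10:03:15 203.0.113.9 - POST /_layouts/15/toolpane.aspx 401
2025-07-18 10:04:40 198.51.100.20 carol POST /_vti_bin/client.svc 200
"""

def find_toolpane_posts(log_text, needle="toolpane"):
    """Return {client_ip: [hit, ...]} for POSTs whose URI stem contains needle."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # IIS re-emits this header after a restart or a logging change,
            # so the column order can differ within one file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        if row.get("cs-method", "").upper() != "POST":
            continue
        if needle not in row.get("cs-uri-stem", "").lower():
            continue
        hits[row.get("c-ip", "?")].append({
            "when": f'{row.get("date", "")} {row.get("time", "")}'.strip(),
            "uri": row["cs-uri-stem"],
            "status": row.get("sc-status", ""),
            # IIS logs "-" as the user name when the request was anonymous.
            "anonymous": row.get("cs-username", "-") == "-",
        })
    return dict(hits)

if __name__ == "__main__":
    for ip, rows in find_toolpane_posts(SAMPLE_LOG).items():
        for r in rows:
            print(ip, r["when"], r["uri"], r["status"], "anonymous" if r["anonymous"] else "authenticated")
```

A match is a lead for further review, not proof of compromise.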
