
Microsoft links SharePoint ToolShell attacks to Chinese hackers


Several hacking groups with ties to the Chinese government have been linked to a recent wave of widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain.

They used this exploit chain (dubbed "ToolShell") to breach dozens of organizations worldwide by compromising their on-premises SharePoint servers.

"Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said in a Tuesday report. "In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing."

"We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability," Charles Carmakal, CTO of Google Cloud's Mandiant Consulting, told BleepingComputer yesterday.

On Friday, Dutch cybersecurity firm Eye Security was the first to spot zero-day attacks exploiting the CVE-2025-49706 and CVE-2025-49704 vulnerabilities, which Viettel Cyber Security researchers had originally demonstrated at the Pwn2Own Berlin hacking contest.

The company told BleepingComputer that at least 54 organizations had already been compromised, including several multinational companies and national government entities.

Cybersecurity firm Check Point also revealed on Monday that it discovered the first signs of exploitation on July 7th, adding that the attackers targeted dozens of entities across the government, telecommunications, and software sectors in North America and Western Europe.

Microsoft patched the two flaws in the July Patch Tuesday updates and, over the weekend, assigned two new CVE IDs (CVE-2025-53770 and CVE-2025-53771) to the variants threat actors were using to compromise fully patched SharePoint servers. It has since released emergency updates for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016 that address both new flaws.

PoC exploit now available

This week, after Microsoft released security patches for all impacted SharePoint versions, a CVE-2025-53770 proof-of-concept exploit was also released on GitHub, making it easier for more threat actors and hacking groups to join ongoing attacks.
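With a public exploit circulating, defenders will want to look back through web server logs for signs of the chain. The following is an added example, not code from this article or from any of the vendors it cites: a Python scan over a constructed IIS W3C log excerpt for the ToolShell request pattern. The indicators it matches (a POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` in the query and a Referer of `/_layouts/SignOut.aspx`, followed by access to `spinstall0.aspx`) are assumptions drawn from public vendor write-ups of the exploit chain, not from this page; the log lines, hostnames and IP addresses are constructed.

```python
"""Hunt an IIS W3C log for the ToolShell request sequence (added example).

Indicators below are assumptions taken from public reporting on the exploit
chain; they are not stated in the article and should be tuned per environment.
"""
import re
from collections import defaultdict

# Assumed indicator 1: exploit request hits the ToolPane page in edit mode
# while spoofing a Referer of the SignOut page to slip past auth checks.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?ToolPane\.aspx$", re.IGNORECASE)
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(?:\d+/)?SignOut\.aspx", re.IGNORECASE)
# Assumed indicator 2: follow-up request to the dropped web shell file name.
WEBSHELL_RE = re.compile(r"/_layouts/(?:\d+/)?spinstall0\.aspx$", re.IGNORECASE)

EXPLOIT = "toolshell-exploit-request"
WEBSHELL = "toolshell-webshell-access"

# Constructed sample log (not real data). IIS writes '+' in place of spaces
# inside a field, so each line splits cleanly on whitespace.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 12:00:01 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/ 200
2025-07-18 12:00:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200
2025-07-18 12:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) - 200
2025-07-18 12:01:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/sites/hr 200
"""


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(entry):
    """Return a finding label for one parsed entry, or None if it looks benign."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    referer = entry.get("cs(Referer)", "-")
    # A POST with the SignOut Referer is the exploit shape; an ordinary
    # authenticated GET to ToolPane.aspx is normal admin activity and is ignored.
    if (method == "POST" and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in query.lower()
            and SIGNOUT_REFERER_RE.search(referer)):
        return EXPLOIT
    if WEBSHELL_RE.search(stem):
        return WEBSHELL
    return None


def scan(text):
    """Return (client_ip, timestamp, label, uri_stem) for every suspicious entry."""
    findings = []
    for entry in parse_iis_log(text):
        label = classify(entry)
        if label:
            stamp = f"{entry.get('date', '?')} {entry.get('time', '?')}"
            findings.append((entry.get("c-ip", "?"), stamp, label, entry["cs-uri-stem"]))
    return findings


def correlate(findings):
    """Client IPs that sent the exploit request and then touched the web shell."""
    labels_by_ip = defaultdict(set)
    for ip, _stamp, label, _stem in findings:
        labels_by_ip[ip].add(label)
    return sorted(ip for ip, labels in labels_by_ip.items()
                  if {EXPLOIT, WEBSHELL} <= labels)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, stamp, label, stem in hits:
        print(f"{stamp} {ip:15} {label:28} {stem}")
    print("high-confidence sources:", correlate(hits))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the `#Fields:` directive is read from the log itself, so column order differences between servers do not matter. A single match on either indicator is worth triage, but an IP that produces both in sequence is the case to escalate first.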
