Chinese Hackers Exploit SharePoint Security

With Microsoft's SharePoint servers serving as critical infrastructure for organizations worldwide, three Chinese nation-state hacking groups exploited previously unknown vulnerabilities to compromise nearly 100 entities across government agencies, universities, and private corporations.

The sophisticated espionage campaign, which began in early July 2025, targeted on-premises SharePoint installations while bypassing multi-factor authentication and single sign-on protections.

Linen Typhoon and Violet Typhoon, both government-affiliated groups, focused primarily on espionage and intellectual property theft. Storm-2603, operating with unclear motives, distinguished itself by stealing machine keys and deploying ransomware against targeted systems.

Google’s Mandiant and Microsoft confirmed that multiple Chinese-backed actors exploited identical vulnerabilities, revealing coordinated nation-state activity.

The attackers used two critical flaws: CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. Microsoft later patched these vulnerabilities as CVE-2025-53770 and CVE-2025-53771 in late July 2025.

Yet, the company’s failure to fully address initial findings from May 2025 allowed the exploitation wave to proceed unchecked throughout the summer months.

Victims spanned diverse sectors including US federal and state agencies, European and Middle Eastern government entities, universities, energy companies, and telecommunications firms across Asia.

Security researchers identified hospitals and schools as particularly vulnerable because of inadequate defensive measures. The Cybersecurity and Infrastructure Security Agency responded by adding CVE-2025-53770 to its Known Exploited Vulnerabilities catalog.

The threat actors used these exploits for initial access, then escalated privileges and deployed persistent backdoors for long-term network presence. Their primary objectives centered on stealing sensitive data, cryptographic keys, and intellectual property from compromised organizations.

By capturing machine keys, attackers maintained persistent access even after Microsoft released security patches. Microsoft has recommended that affected customers rotate their machine keys to prevent re-entry by threat actors.
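The key rotation the article refers to, written out as an added PowerShell example (not code from the article or from Microsoft): it rotates the ASP.NET machine keys of every SharePoint web application, confirms each one actually changed by comparing a hash of the validation key before and after, and restarts IIS so the new keys take effect. It assumes a SharePoint Management Shell session on a farm server with farm administrator rights and PowerShell remoting to the other farm members; `Set-SPMachineKey` and `Update-SPMachineKey` are SharePoint's own cmdlets, and their exact behaviour on your version should be confirmed against Microsoft's cmdlet documentation.

```powershell
# Added example: rotate SharePoint ASP.NET machine keys and verify the rotation.
# Assumes SharePoint Management Shell, farm admin rights and PS remoting.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyFingerprint {
    # Hash the validationKey instead of displaying it, so the before/after
    # comparison can be recorded in a ticket without leaking the secret.
    param([string]$WebConfigPath)
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $key = $cfg.configuration.'system.web'.machineKey.validationKey
    if (-not $key) { return '<no machineKey element>' }
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($key))
    return ([BitConverter]::ToString($bytes) -replace '-', '').Substring(0, 16)
}

$defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    # web.config of the Default zone IIS site backing this web application
    $cfgPath = Join-Path $wa.IisSettings[$defaultZone].Path.FullName 'web.config'
    $before  = Get-MachineKeyFingerprint $cfgPath

    # Generate fresh keys in the farm configuration, then push them to
    # every server's web.config so all farm members agree on the new keys.
    Set-SPMachineKey    -WebApplication $wa -Confirm:$false
    Update-SPMachineKey -WebApplication $wa

    $after  = Get-MachineKeyFingerprint $cfgPath
    $status = if ($before -ne $after) { 'rotated' } else { 'UNCHANGED - investigate' }
    Write-Output ('{0,-50} {1} -> {2}  {3}' -f $wa.Url, $before, $after, $status)
}

# ASP.NET reads machineKey at worker-process start: restart IIS on every
# SharePoint server (role 'Invalid' marks non-SharePoint hosts such as SQL).
$servers = (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }).Address
Invoke-Command -ComputerName $servers -ScriptBlock { iisreset.exe }
```

An "UNCHANGED" line means the rotation did not reach that web application's web.config and the server should be treated as still exposed to the stolen keys.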

Security vendors, including Google’s Mandiant and Palo Alto Networks, confirmed ongoing exploitation and provided detection capabilities to affected organizations.

Microsoft issued patches for the exploited vulnerabilities in late July 2025, though critics noted the delayed response contributed to the campaign’s extensive reach. The vulnerabilities were initially discovered by Dinh Ho Anh Khoa from Viettel Cyber Security at the Pwn2Own event, earning $100,000 for the disclosure.

The incident highlights the persistent threat posed by nation-state actors targeting enterprise collaboration platforms.
