Microsoft claims China-backed hackers hit SharePoint systems
Microsoft has claimed that several China-backed hacker groups are actively targeting on-premises SharePoint servers.
Attackers are exploiting two vulnerabilities to carry out the attacks.
Microsoft has released comprehensive security updates for all supported versions of SharePoint Server.
Microsoft has claimed that several China-backed hacker groups are actively targeting on-premises SharePoint servers. In a blog post, the tech giant confirmed that attackers are exploiting two serious vulnerabilities to carry out the attacks: CVE-2025-49706, a spoofing issue, and CVE-2025-49704, a remote code execution bug. These vulnerabilities affect only on-premises SharePoint servers, not the cloud-based SharePoint Online service in Microsoft 365.
According to Microsoft, two known Chinese state-backed hacker groups, Linen Typhoon and Violet Typhoon, have been spotted using these flaws to attack internet-facing SharePoint servers. Another group, Storm-2603, also believed to be based in China, is carrying out similar attacks.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the company stated.
In response, Microsoft has released comprehensive security updates for all supported versions of SharePoint Server, including Subscription Edition, 2019 and 2016. These updates also fix issues related to two newly discovered vulnerabilities: CVE-2025-53770 and CVE-2025-53771. The company strongly urges all users to apply these updates immediately to stay protected.
To further reduce the risk, Microsoft recommends users:
- Use supported SharePoint Server versions with the latest updates.
- Enable the Antimalware Scan Interface (AMSI) in Full Mode and use Microsoft Defender Antivirus or similar tools.
- Rotate ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint.
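The three recommendations above map to a short post-patch hardening pass that a SharePoint farm administrator would run from the SharePoint Management Shell. The script below is an added example written for this page, not Microsoft's own guidance script. It assumes it is run as a farm administrator on a server where the applicable July 2025 security update has already been installed, that the operator supplies the patched build number from the relevant Microsoft KB (the script does not know it), that the Update-SPMachineKey cmdlet is available on that build, and that Microsoft Defender Antivirus is the installed scanner. AMSI Full Mode itself is switched on per web application in Central Administration, so the script only verifies that the Defender engine behind AMSI is actually running.

```powershell
# Added example (not from Microsoft or the article): post-patch hardening pass for
# an on-premises SharePoint farm, following the three recommended steps.
# Run in the SharePoint Management Shell as a farm administrator.
param(
    # Build number of the patched release for this SharePoint version, taken from
    # the Microsoft KB for the update; supplied by the operator, not hard-coded here.
    [Parameter(Mandatory = $true)]
    [Version]$MinimumPatchedBuild
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: confirm the farm is on a supported, patched build before touching keys.
# Rotating keys on an unpatched farm leaves the exploited code path in place.
$farm = Get-SPFarm
if ($farm.BuildVersion -lt $MinimumPatchedBuild) {
    throw "Farm build $($farm.BuildVersion) is below $MinimumPatchedBuild; install the security update first."
}
Write-Host "Farm build $($farm.BuildVersion) meets the minimum patched build."

# Step 2: AMSI Full Mode is only useful if a scanner is registered and running.
# Get-MpComputerStatus is the Defender module cmdlet; its absence means Defender
# is not installed on this server and a different AMSI provider must be verified.
$defender = Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $defender) {
    Write-Warning "Microsoft Defender cmdlets not found; verify your AMSI provider manually."
} else {
    $status = Get-MpComputerStatus
    if (-not ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)) {
        throw "Defender antivirus or real-time protection is disabled; AMSI scanning will not occur."
    }
    Write-Host "Defender real-time protection is enabled (AMSI provider present)."
}

# Step 3: rotate the ASP.NET machine keys for every web application, including
# Central Administration. Update-SPMachineKey is assumed to exist on the patched
# build; the cmdlet generates fresh validation/decryption keys for the web app.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# New keys are only honoured by IIS worker processes started after the rotation,
# so restart IIS here and repeat the restart on every other server in the farm.
iisreset.exe
$otherServers = Get-SPServer | Where-Object { $_.Address -ne $env:COMPUTERNAME -and $_.Role -ne 'Invalid' }
foreach ($server in $otherServers) {
    Write-Host "Reminder: run iisreset.exe on $($server.Address) as well."
}
```

The build check comes first on purpose: key rotation and AMSI are defence-in-depth against stolen or forged ASP.NET state, but they do not remove the vulnerable code path, so a farm that has not taken the update is not protected by the later steps. Re-running the script is safe, since each run simply generates another fresh key set.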
In related news, Charles Carmakal, the chief technology officer at Google’s incident response unit Mandiant, told TechCrunch “at least one of the actors responsible” was a China-nexus hacking group, but highlighted that “multiple actors are now actively exploiting this vulnerability.”
Ayushi Jain
Tech news writer by day, BGMI player by night. Combining my passion for tech and gaming to bring you the latest in both worlds.