Microsoft confirms China link to SharePoint hacks

Microsoft has revealed that Chinese state threat actors are actively targeting and exploiting a highly dangerous new zero-day vulnerability in SharePoint Server, confirming earlier reports from Google Cloud's Mandiant and others.

In a newly published update, Microsoft said that two named threat actors – Linen Typhoon and Violet Typhoon – had been targeting internet-facing SharePoint instances. Additionally, it said, an actor currently tracked as Storm-2603 is also working on exploits. Redmond said it is also investigating other actors using the exploits, and anticipates that they will quickly be integrated into further downstream attacks.

"As noted in our blog this morning, Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server, Subscription Edition, 2019, and 2016, that protect customers against these vulnerabilities," a Microsoft spokesperson told Computer Weekly.

"In addition, we have also released hunting and mitigation guidance to customers via the 19 July MSRC blog as well as today's MSTIC blog. Our guidance to customers is that they apply these updates immediately to ensure they are protected. We have now provided updates for all of the known vulnerabilities."

The vulnerabilities in scope, CVE-2025-53770 and CVE-2025-53771, bypass previously disclosed flaws tracked as CVE-2025-49704 and CVE-2025-49706. The first and most serious of the two allows full remote code execution (RCE) and affects all supported versions of SharePoint Server.

Microsoft said that, based on known tactics, techniques and procedures (TTPs) employed by Linen Typhoon, Violet Typhoon and Storm-2603, it had been able to identify attempted exploits against CVE-2025-49704 and CVE-2025-49706 on or around 7 July 2025.

Storm blowing in

Microsoft's threat actor naming taxonomy, which was updated in 2023, classes distinct threat actors by meteorological events to make it easier for customers and researchers to recognise threats and understand what they may be dealing with.

Under this system, Blizzard refers to Russian threat actors, Sandstorm to Iranian ones, Sleet to North Korea, and Typhoon to China. Tempest is used to classify financially motivated gangs such as ransomware actors, and Storm refers in this instance to 'groups in development'.

In this case, Linen Typhoon and Violet Typhoon refer to two distinct clusters of China-nexus threat activity.

Linen Typhoon has been active since about 2012 and is usually focused on stealing intellectual property from its victims – this has long been a key goal of China's cyber espionage tasking. Its hackers primarily target organisations linked to government, defence, strategic planning and human rights. It primarily favours 'drive-by' compromise and often relies on existing, unpatched exploits to infiltrate its victims.

Violet Typhoon has been active since 2015 and focuses on more pure-play espionage activity, targeting ex-government and military personnel, non-governmental organisations (NGOs), think-tanks, higher education institutions, media, financial and healthcare organisations. Its victims tend to be concentrated in East Asia, Europe and North America. Its modus operandi is to scan for vulnerabilities in exposed web infrastructure and exploit the weaknesses it discovers to install web shells.

Meanwhile, Storm-2603 is suspected to be a Chinese threat actor, as links between it and other APTs have not been firmed up just yet. Microsoft is tracking it in association with attempts to steal machine keys via the SharePoint vulnerabilities. Interestingly, Storm-2603 has been observed acting as a ransomware affiliate for, among others, LockBit, but Microsoft's analysts say they cannot yet assess its true objectives with much confidence.

The Microsoft research team stressed that additional actors will likely use the SharePoint exploits to target unpatched, on-premise systems, emphasising the need for users to take proactive steps immediately.