Microsoft confirms that two Chinese state-sponsored hacker groups, Linen Typhoon and Violet Typhoon, are exploiting a SharePoint zero-day vulnerability



Microsoft's on-premises SharePoint Server has a zero-day vulnerability that has been exploited by Chinese state-sponsored hacker groups. Dozens of organizations have already been affected.

Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/

SharePoint 0-day uncovered (CVE-2025-53770)
https://research.eye.security/sharepoint-under-siege/

Google, Microsoft say Chinese hackers are exploiting SharePoint zero-day | TechCrunch
https://techcrunch.com/2025/07/22/google-microsoft-say-chinese-hackers-are-exploiting-sharepoint-zero-day/

Security researchers from Google and Microsoft are tracking active exploitation of two on-premises SharePoint vulnerabilities: a spoofing (authentication bypass) vulnerability, CVE-2025-49706, and a remote code execution vulnerability, CVE-2025-49704, which attackers chain together. The actively exploited variant of the RCE bug is tracked as CVE-2025-53770, the identifier used in the Eye Security write-up linked above.

Once they have code execution, the attackers steal the server's ASP.NET machine keys (the ValidationKey and DecryptionKey used to sign and encrypt ViewState). With those keys an attacker can craft requests the server treats as trusted, which lets them remotely plant malware, keep access to the server, and read stored files and data. Because the keys are the secret, simply patching a server the attacker has already visited does not lock them out.

According to Microsoft, there is evidence that the vulnerability has been exploited in the wild, affecting several organizations.



Microsoft reports that a group called 'Linen Typhoon' and a group called 'Violet Typhoon' exploited the vulnerability. Linen Typhoon focuses on stealing intellectual property, while Violet Typhoon steals personal information for espionage. Microsoft noted that both groups are backed by the Chinese government.

Dozens of organizations have already been hacked, with victims across a wide range of sectors, including government. The vulnerability is classified as a zero-day because it was exploited before Microsoft issued a patch. Microsoft has released patches for all affected versions of SharePoint (SharePoint Online is not affected), but security researchers have warned that 'customers running self-hosted versions of SharePoint may already be compromised.' For that reason Microsoft's guidance is not only to apply the update but also to rotate the ASP.NET machine keys and restart IIS afterwards, and to review server logs for signs of earlier exploitation.
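The log review above can be started with a simple hunt over the IIS W3C logs of a SharePoint server. The request pattern checked here (a POST to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit` whose Referer is `/_layouts/SignOut.aspx`, followed by retrieval of the `spinstall0.aspx` web shell used to dump the machine keys) is the one Microsoft describes in the blog post linked at the top of this article. The script below is an added example written for this article, not code from Microsoft, Eye Security or Google; the log lines it runs over are constructed for illustration and the `contoso.local` host, user names and `203.0.113.7` address are invented.

```python
"""Hunt IIS W3C logs for the ToolShell request pattern (CVE-2025-49706 /
CVE-2025-53770 chain). Added example; the sample log is constructed."""
from typing import Dict, List

# Constructed sample of an IIS W3C extended log (not real victim data).
# Line 2 is the auth-bypass POST with the SignOut referer, line 3 fetches
# the spinstall0.aspx web shell; lines 1 and 4 are benign traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 14:02:11 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/sites/finance 200
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 14:03:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 14:05:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.21 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C log text into one dict per request, keyed by #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#"):
            continue                       # other directives / blank lines
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated line: skip, don't mis-assign
        rows.append(dict(zip(fields, values)))
    return rows


def find_toolshell_indicators(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the requests matching the two Microsoft-described indicators."""
    hits: List[Dict[str, str]] = []
    for r in rows:
        method = r.get("cs-method", "").upper()
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        referer = r.get("cs(Referer)", "").lower()
        when = f"{r.get('date', '')} {r.get('time', '')}"
        client = r.get("c-ip", "")
        # Indicator 1: ToolPane.aspx edit POST with the SignOut.aspx referer
        # that the auth-bypass exploit sends. A normal admin edit has a
        # settings/page referer and an authenticated cs-username.
        if (method == "POST"
                and stem.endswith("/_layouts/15/toolpane.aspx")
                and "displaymode=edit" in query
                and "/_layouts/signout.aspx" in referer):
            hits.append({"indicator": "toolpane_signout_referer",
                         "client_ip": client, "timestamp": when})
        # Indicator 2: any request for the spinstall0.aspx web shell, which
        # the attackers drop to dump the ASP.NET machine keys.
        if stem.endswith("/spinstall0.aspx"):
            hits.append({"indicator": "spinstall0_webshell",
                         "client_ip": client, "timestamp": when})
    return hits


if __name__ == "__main__":
    for hit in find_toolshell_indicators(parse_w3c(SAMPLE_LOG)):
        print(f"{hit['timestamp']}  {hit['client_ip']:<15}  {hit['indicator']}")
```

On a real server point `parse_w3c` at the files under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*\` and treat any hit as a reason to assume the machine keys are in the attacker's hands: patch, rotate the keys, restart IIS and start incident response. An empty result does not prove the server is clean, since the attackers can change the file name and the request shape, and a server that was exploited before logging began leaves nothing here.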



Liu Pengyu, a spokesman for the Chinese Embassy in the United States, said, 'China resolutely opposes and combats all forms of cyber attacks and cybercrime. This position is consistent and clear.'

The 'Typhoon' in the group names follows Microsoft's weather-themed threat actor naming taxonomy, in which the family name indicates attribution: groups Microsoft assesses to be China-based are all given the name 'Typhoon'.

Microsoft and CrowdStrike launch project to consolidate names for hacker groups, as names for groups are too diverse and may slow down response - GIGAZINE



in Web Service,   Security, Posted by log1p_kr