
A serious security breach has placed Microsoft at the center of a widening cyberespionage storm. According to cybersecurity units from Google and Microsoft, state-backed hackers linked to China exploited an unpatched flaw in Microsoft's SharePoint server, compromising over 100 organizations globally.

 

The vulnerability, tracked as CVE-2025-53770, was first revealed in May during a Berlin hacking competition hosted by Trend Micro. The bug allowed attackers to extract private keys, plant malware, and infiltrate connected systems. Microsoft issued a patch in early July, but the fix proved insufficient.

By July 7, Chinese-affiliated groups, Linen Typhoon, Violet Typhoon, and Storm-2603, had begun exploiting the flaw. Microsoft said Linen Typhoon focused on stealing intellectual property, while Violet Typhoon targeted sensitive data for espionage. Storm-2603, with links to ransomware, also participated in the attacks.

"This is a critical failure," said Charles Carmakal, CTO at Google's Mandiant. "At least one China-nexus actor is behind the breach, but multiple groups are now exploiting the flaw."

Despite knowing of the vulnerability months earlier, Microsoft's delayed and incomplete patch left thousands of SharePoint servers exposed. British cybersecurity firm Sophos confirmed threat actors bypassed the initial fix with ease. "The patch did not mitigate the root issue," Sophos stated in a blog post.

Shodan, a platform for mapping internet-connected devices, reported over 8,000 vulnerable servers still online. Shadowserver, another monitoring group, placed the number above 9,000. The compromised networks span healthcare systems, financial institutions, auditing firms, and several U.S. state-level agencies.

The Chinese Embassy in Washington has not responded. Historically, Beijing denies involvement in such incidents, though the attribution trail often points otherwise. Google, which analyzed internet traffic patterns, confirmed the hacks had a "China-nexus."

Microsoft's handling of the situation drew sharp criticism. A $100,000 prize was awarded at Trend Micro's event to a Vietnamese researcher who initially discovered the flaw, demonstrating the bug's seriousness. Yet Microsoft's subsequent mitigation efforts were inadequate.

This is not China's first brush with SharePoint vulnerabilities. In 2021, the Hafnium campaign targeted Microsoft Exchange servers, affecting over 60,000 systems. The Justice Department has since charged two Chinese nationals for those breaches.

With over 9,000 potential entry points left exposed, Microsoft's role in the delay cannot be ignored. Responsibility in cybersecurity doesn't stop at issuing a patch; it starts with getting it right.
