A zero-day vulnerability in Microsoft SharePoint Server, a variant of the exploit chain demonstrated back in May at Pwn2Own Berlin, was reported to have been exploited in the wild over the weekend of 18th and 19th July, and Microsoft and Google now say they have evidence that China-backed hackers are exploiting it.
The vulnerability, tracked as CVE-2025-53770 and nicknamed “ToolShell,” is under active exploitation. It affects on-premises SharePoint Server, which companies and organisations use to store and share internal documents; SharePoint Online in Microsoft 365 is not affected. An unauthenticated attacker can use it to run code on the server, steal the server's ASP.NET machine keys (the secrets SharePoint uses to sign and encrypt ViewState), plant web shells and other malware, read the files and data stored in SharePoint, and use that foothold to reach other systems on the same network. Because the stolen keys let an attacker forge requests the server will accept as valid, a server that was compromised before patching stays exposed until those keys are rotated.
The first exploitation attempts were detected on 7th July, targeting a major Western government. Attacks intensified dramatically on 18th and 19th July, with organisations across North America and Western Europe bearing the brunt. Microsoft has attributed the campaign to two Chinese state-backed groups, Linen Typhoon and Violet Typhoon, and a third China-based actor tracked as Storm-2603. Violet Typhoon, active since 2015, specialises in espionage targeting former government officials, NGOs, and educational institutions. Linen Typhoon, operating since 2012, focuses on intellectual property theft from the government and defence sectors.
Starting on 19th July, the Microsoft Security Response Center (MSRC) published guidance and then security updates for supported on-premises versions addressing CVE-2025-53770 and the related vulnerability CVE-2025-53771. The company has urged all customers running on-premises SharePoint servers to install the patches immediately, as the threat actors continue scanning for vulnerable internet-facing servers. Because the exploit harvests the server's machine keys, patching alone is not enough: Microsoft's guidance is to also rotate the ASP.NET machine keys and restart IIS after updating, enable AMSI integration with antivirus on the SharePoint servers, and check for signs that a server was already compromised before the update was applied.
Posted by: Simon Baxter at 09:12