Security researchers have found Chinese hackers with ties to the government conducting a wave of attacks targeting a zero-day vulnerability chain in Microsoft SharePoint. The vulnerability chain has already been used to breach multiple organisations worldwide by compromising their on-premises SharePoint servers.
Microsoft had already acknowledged that it was aware of attacks exploiting vulnerabilities CVE-2025-49706 and CVE-2025-49704 to compromise on-premises SharePoint servers. The security gaps were patched in Microsoft's July Patch Tuesday update. Shortly after the vulnerabilities became public, two new vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which bypass the fixes for CVE-2025-49704 and CVE-2025-49706 respectively, were used to carry out attacks.
A proof-of-concept exploit of CVE-2025-53770 was released on GitHub following Microsoft’s security patches for all affected SharePoint versions. This made it easier for threat actors of all skill levels to quickly develop a working exploit.

BleepingComputer reports that Google's Mandiant was the first to claim that at least one of the threat actors responsible for the early exploitation of the SharePoint flaws was a Chinese threat actor. In the words of Charles Carmakal, CTO of Google Cloud's Mandiant Consulting, "we assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability."
Dutch cybersecurity firm Eye Security first spotted the attack exploiting CVE-2025-49706 and CVE-2025-49704. At least 54 organizations have already been compromised, including several international companies and government departments. CISA has added the CVE-2025-53770 vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to apply patches. The cybersecurity agency added that the exploitation activity, publicly known as ToolShell, "provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network."
