6 Sources
[1]
Microsoft fixes two SharePoint zero-days under attack, but one is still unresolved - how to patch
Microsoft has patched two critical zero-day SharePoint security flaws that have already been exploited by hackers to attack vulnerable organizations. Responding to the exploits, the software giant has issued fixes for SharePoint Server Subscription Edition and SharePoint Server 2019, but is still working on a patch for SharePoint Server 2016. Designated as CVE-2025-53771 and CVE-2025-53770, the two vulnerabilities apply only to on-premises versions of SharePoint, so organizations that run the cloud-based SharePoint Online are unaffected.

Rated as important, CVE-2025-53771 is defined as a SharePoint Server spoofing vulnerability, which means that attackers are able to impersonate trusted and legitimate users or resources in a SharePoint environment. Rated as critical, CVE-2025-53770 is defined as a SharePoint Server remote code execution vulnerability. With this type of flaw, hackers can remotely run code in a SharePoint environment.

"CVE-2025-53770 gives a threat actor the ability to remotely execute code, bypassing identity protections (like single sign-on and multi-factor authentication), giving access to content on the SharePoint server including configurations and system files, opening up lateral access across the Windows domain," Trey Ford, chief information security officer at crowdsourced cybersecurity provider Bugcrowd, told ZDNET.

Together, the two flaws give cybercriminals the ability to install malicious programs that can compromise a SharePoint environment. And that's just what's been happening. Already, hackers have launched attacks against US federal and state agencies, universities, energy companies, and others, state officials and private researchers told The Washington Post. SharePoint servers have been breached within at least two US federal agencies, according to the researchers. One US state official said the attackers had "hijacked" a collection of documents designed to help people understand how their government works, the Post added.

On Tuesday, Microsoft pointed the finger at three Chinese nation-state actors, accusing Linen Typhoon, Violet Typhoon, and Storm-2603 of exploiting the SharePoint flaws. Active since 2012, Linen Typhoon specializes in stealing intellectual property, mainly targeting government, defense, strategic planning, and human rights organizations. The group typically relies on exploiting security vulnerabilities to launch its attacks. In business since 2015, Violet Typhoon focuses on espionage against a range of targets, including former government and military personnel, non-governmental organizations, think tanks, higher education, digital and print media, financial businesses, and health-related companies in the US. This group also looks for security vulnerabilities to exploit. Microsoft said it believes that Storm-2603 is also based in China but hasn't yet uncovered any links between it and other Chinese hackers. This group has tried to take advantage of the SharePoint vulnerabilities to steal the Windows MachineKeys folder, which stores cryptographic keys.

The company tried to fix both the server spoofing vulnerability and the remote code execution vulnerability with its July 8 Patch Tuesday updates via CVE-2025-49706, CVE-2025-49704, and CVE-2025-49701. But apparently, the fixes didn't quite do the trick, as savvy hackers were able to sneak their way around them. Hopefully, this time the new patches will work. In an FAQ, Microsoft said about its cavalcade of CVEs, "Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706."

One question is why companies like Microsoft keep exposing their customers to these types of security flaws. One problem lies with the increasing complexity of all the different customer environments. "Patches are rarely fully comprehensive, and the codebases are both complex, and implementations are highly varied," Ford said. "This is why those test harnesses and regression testing processes are so complicated. In a perfect world, everyone would be running the latest version of code, fully patched. Obviously, this isn't possible, so feature development must be tested across an exponentially more complicated surface area."

Before Microsoft rolled out the new patches on Sunday, security firm Eye Security warned about the SharePoint flaws in a Saturday research post. "On the evening of July 18, 2025, Eye Security was the first in identifying large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain in the wild," the firm said. "Demonstrated just days ago on X, this exploit is being used to compromise on-premise SharePoint Servers across the world. Before this vulnerability was widely known last Friday, our team scanned 8000+ SharePoint servers worldwide. We discovered dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC."

Referring to the security flaw as ToolShell, Eye Security explained how SharePoint environments can be compromised through the attacks. Bypassing security protections, hackers can execute code remotely, thereby gaining access to SharePoint content, system files, and configurations. Attackers can also steal cryptographic keys, allowing them to impersonate users or services, even after the server is patched. Since SharePoint connects to other Microsoft services such as Outlook, Teams, and OneDrive, hackers can move laterally across a network to steal associated passwords and data.

For organizations that run SharePoint Server, Microsoft has outlined the steps to fix the flaws. For Microsoft SharePoint Server Subscription Edition, head to this update page to download and install the patch. For Microsoft SharePoint Server 2019, browse to this update page to grab the patch. Microsoft offers the following advice:

For now, users of SharePoint 2016 are still vulnerable to the exploit. But Microsoft should provide a patch for this version before too long. Continue to check the company's page on SharePoint customer guidance for details.

Ford offered further advice to organizations with SharePoint servers. "When running your own services on-premises, ask if they truly need to be internet exposed, or accessible to untrusted parties," Ford said. "Lowering your attack surface is always wise -- minimize the number of hosts and services you have available to public, untrusted users. Hardening, adding the recommended endpoint protections, such as Microsoft's Antimalware Scan Interface and Defender for these highly integrated services is key."
[2]
Microsoft fixes SharePoint zero-day exploits used in cyberattacks and ransomware - how to patch them
Microsoft has patched three critical zero-day SharePoint security flaws that hackers have already exploited to attack more vulnerable organizations. Responding to the exploits, the software giant initially issued fixes just for SharePoint Server Subscription Edition and SharePoint Server 2019, and then eventually rolled out a patch for SharePoint Server 2016 as well. Designated as CVE-2025-53771 and CVE-2025-53770, the two vulnerabilities apply only to on-premises versions of SharePoint, so organizations that run cloud-based SharePoint Online are unaffected.

Rated as important, CVE-2025-53771 is a SharePoint Server spoofing vulnerability, which means attackers can impersonate trusted and legitimate users or resources in a SharePoint environment. Rated as critical, CVE-2025-53770 is a SharePoint Server remote code execution vulnerability. With this type of flaw, hackers can run code remotely in a SharePoint environment.

"CVE-2025-53770 gives a threat actor the ability to remotely execute code, bypassing identity protections (like single sign-on and multi-factor authentication), giving access to content on the SharePoint server including configurations and system files, opening up lateral access across the Windows domain," Trey Ford, chief information security officer at crowdsourced cybersecurity provider Bugcrowd, told ZDNET.

Together, the two flaws allow cybercriminals to install malicious programs that can compromise a SharePoint environment -- and that's exactly what's been happening. State officials and private researchers told The Washington Post that hackers have already launched attacks against US federal and state agencies, universities, energy companies, and others. SharePoint servers have been breached within at least two US federal agencies, according to the researchers. One US state official said the attackers had "hijacked" a collection of documents designed to help people understand how their government works, the Post added.

Alarmingly, even the US National Nuclear Security Administration was breached as a result of the SharePoint vulnerability. "The recent breach of multiple governments' systems, including the US National Nuclear Security Administration, stemming from a Microsoft vulnerability, is yet another urgent reminder of the stakes we're facing," Bob Huber, chief security officer for cybersecurity firm Tenable, said in a comment shared with ZDNET. "This isn't just about a single flaw, but how sophisticated actors exploit these openings for long-term gain."

On Tuesday, Microsoft blamed three Chinese nation-state actors -- Linen Typhoon, Violet Typhoon, and Storm-2603 -- for exploiting the SharePoint flaws. Active since 2012, Linen Typhoon specializes in stealing intellectual property. It mainly targets government, defense, strategic planning, and human rights organizations. The group typically relies on exploiting security vulnerabilities to launch its attacks. In business since 2015, Violet Typhoon focuses on espionage against a range of targets, including former government and military personnel, nongovernmental organizations, think tanks, higher education, digital and print media, financial businesses, and health-related companies in the US. This group also looks for security vulnerabilities to exploit. Microsoft said it believes that Storm-2603 is also based in China but hasn't yet uncovered any links between it and other Chinese hackers. This group has tried to take advantage of the SharePoint vulnerabilities to steal the Windows MachineKeys folder, which stores cryptographic keys.

"The Chinese threat actor groups allegedly behind this attack are known for using stolen credentials to establish persistent backdoors," Huber said. "This means that even after the initial vulnerability is patched, these attackers can remain hidden inside a network, ready to launch future espionage campaigns. By the time an organization sees evidence of a new intrusion, the damage has already been done."

In a Wednesday update to its blog post, Microsoft also accused one of the groups of exploiting the zero-day flaws to launch ransomware attacks. "Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities," the company said. "Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems." Specifically, Microsoft said that Storm-2603 has conducted attacks using Warlock ransomware, a relatively new strain in which cybercriminals not only encrypt but also steal data on a compromised server. Through this double-extortion tactic, the group can demand a ransom to decrypt the data and threaten to release the information publicly unless that ransom is paid.

The company tried to fix both the server spoofing vulnerability and the remote code execution vulnerability with its July 8 Patch Tuesday updates via CVE-2025-49706, CVE-2025-49704, and CVE-2025-49701. But apparently the fixes didn't quite do the trick, as savvy hackers were able to sneak their way around them. Hopefully the new patches will work this time. In an FAQ, Microsoft said about its cavalcade of CVEs, "Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706."

One question is why companies like Microsoft keep exposing their customers to these types of security flaws. One problem lies with the increasing complexity of all the different customer environments. "Patches are rarely fully comprehensive, and the codebases are both complex and implementations are highly varied," Ford said. "This is why those test harnesses and regression testing processes are so complicated. In a perfect world, everyone would be running the latest version of code, fully patched. Obviously, this isn't possible, so feature development must be tested across an exponentially more complicated surface area."

Before Microsoft rolled out the new patches on Sunday, security firm Eye Security warned about the SharePoint flaws in a research post on Saturday. "On the evening of July 18, 2025, Eye Security was the first in identifying large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain in the wild," the firm said. "Demonstrated just days ago on X, this exploit is being used to compromise on-premises SharePoint servers across the world. Before this vulnerability was widely known last Friday, our team scanned more than 8,000 SharePoint servers worldwide. We discovered dozens of systems actively compromised during two waves of attack, on July 18 around 18:00 UTC and July 19 around 07:30 UTC."

Referring to the security flaw as ToolShell, Eye Security explained how SharePoint environments can be compromised through the attacks. By bypassing security protections, hackers can execute code remotely, thereby gaining access to SharePoint content, system files, and configurations. Attackers can also steal cryptographic keys, allowing them to impersonate users or services even after the server is patched. Since SharePoint connects to other Microsoft services such as Outlook, Teams, and OneDrive, hackers can move laterally across a network to steal associated passwords and data.

For organizations that run SharePoint Server, Microsoft has outlined the steps to fix the flaws. For Microsoft SharePoint Server Subscription Edition, head to this update page to download and install the patch. For Microsoft SharePoint Server 2019, browse to this update page to grab the patch. For Microsoft SharePoint Server 2016, go to this update page for the patch. To further safeguard your environment, Microsoft offers the following advice:

Ford also offered further advice to organizations with SharePoint servers. "When running your own services on-premises, ask if they truly need to be internet exposed or accessible to untrusted parties," Ford said. "Lowering your attack surface is always wise -- minimize the number of hosts and services you have available to public, untrusted users. Hardening, adding the recommended endpoint protections, such as Microsoft's Antimalware Scan Interface and Defender, for these highly integrated services is key."
[4]
SharePoint targeted by Chinese 'threat actor' hackers, says Microsoft
Security vulnerabilities exploited in servers hosting document-sharing software used by many large businesses

Microsoft says Chinese "threat actors", including state-sponsored hackers, have exploited security vulnerabilities in its SharePoint document-sharing software servers and are targeting the data of businesses that use it. The US technology company said it had observed three groups - the Chinese state-backed Linen Typhoon and Violet Typhoon, and Storm-2603, which is believed to be China-based - using "newly disclosed security vulnerabilities" to target internet-facing servers hosting the platform.

The announcement came amid reports in the Financial Times that Amazon was shutting down its artificial intelligence lab in Shanghai, while the consultancy McKinsey has stopped its China business from taking on work related to AI, amid worsening geopolitical tensions between Washington and Beijing. Microsoft and IBM have recently scaled back China-based research and development projects, as US officials are stepping up their scrutiny of US companies working in AI in China.

Microsoft said in a blogpost that the vulnerabilities were in on-premises SharePoint servers, which are commonly used by companies, but not in its cloud-based service. Many large organisations and businesses use SharePoint as a platform for storing documents and allowing colleagues to collaborate on them, and it is regarded as working well alongside other Microsoft products including Office and Outlook.

Microsoft said the attacks had begun as early as 7 July, and said the hackers were trying to exploit vulnerabilities to "gain initial access to target organisations". The vulnerabilities allow attackers to spoof authentication credentials and execute malicious code remotely on servers. Microsoft said it had observed attacks where the attackers had sent a request to a SharePoint server "enabling the theft of the key material".

Microsoft said it had released new security updates and advised all users of on-premises SharePoint systems to install them. It warned that it assessed with "high confidence" that the hacking groups would continue to attack unpatched on-premises SharePoint systems.

Microsoft said Linen Typhoon had been "focused on stealing intellectual property, primarily targeting organisations related to government, defence, strategic planning, and human rights" since 2012. It added that since 2015, Violet Typhoon had been "dedicated to espionage, primarily targeting former government and military personnel, non-governmental organisations, thinktanks, higher education, digital and print media, financial and health related sectors in the United States, Europe, and east Asia". Microsoft said it had "medium confidence" that the third group, Storm-2603, was based in China, but said it had not established links between the group and other Chinese threat actors. It warned that "additional actors" may also target on-premises SharePoint systems to exploit their vulnerabilities, if its security updates were not installed.
[5]
Microsoft Warns Of Active Exploits Targeting SharePoint Vulnerabilities - Microsoft (NASDAQ:MSFT)
Microsoft Corp MSFT has issued a critical warning regarding ongoing attacks on on-premises SharePoint servers, urging organizations to apply newly released security updates immediately. The alert, published July 19 by the Microsoft Security Response Center, highlights active exploitation of two key vulnerabilities -- a spoofing flaw and a remote code execution flaw -- by state-linked threat actors. These vulnerabilities do not impact SharePoint Online hosted on Microsoft 365. The new updates cover supported versions of SharePoint Server, including Subscription Edition, 2019, and 2016.

Microsoft emphasized that the patches also address additional related flaws -- CVE-2025-53770 and a bypass vulnerability, CVE-2025-53771 -- providing a more comprehensive security fix.

Microsoft attributed the exploitation campaigns to three China-based threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. According to the company, these groups have been actively targeting internet-facing SharePoint servers since at least July 7.

The attacks observed involve sending a specially crafted POST request to the SharePoint server's ToolPane endpoint, allowing threat actors to upload malicious ASP.NET scripts -- often named variations of "spinstall0.aspx." These scripts enable the extraction of MachineKey data through GET requests, which supports deeper compromise of the target systems. Microsoft has published indicators of compromise (IOCs) and threat-hunting queries to assist defenders in identifying such activities.

Linen Typhoon, active since 2012, has previously targeted government and defense sectors for intellectual property theft. Violet Typhoon, active since 2015, focuses on espionage involving NGOs, media, and educational institutions. Storm-2603, a separate Chinese actor, has previously been linked to ransomware deployment, although its current motives remain unclear.

Microsoft continues to monitor the situation and urges administrators to respond quickly. It warns that delayed patching could leave systems vulnerable to expanding campaigns.

A security update released by Microsoft this month did not completely fix a serious flaw in its SharePoint server software, according to a timeline seen by Reuters. This left systems vulnerable to a major global cyber spying campaign. On Tuesday, a Microsoft spokesperson admitted the original patch -- based on a flaw discovered during a hacker competition in May -- was ineffective. However, the company said it has since released additional updates that fully address the problem. It's still unknown who carried out the spying, which affected around 100 organizations.

The security flaw used in the attack was first discovered in May during a hacking competition in Berlin hosted by cybersecurity company Trend Micro. The event offered cash rewards for finding bugs in widely used software. At the competition, a researcher from Viettel -- a telecom company owned by Vietnam's military -- found a bug in Microsoft SharePoint. He called it "ToolShell" and showed how it could be used to launch an attack.

Price Action: MSFT stock is down 0.64% at $502.05 at the last check on Wednesday.
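As an added detection example (not Microsoft's published hunting query, and not code from any of the articles above), the Python below hunts IIS W3C logs from an on-premises SharePoint server for the sequence the article describes: a POST to the ToolPane endpoint followed by requests for an uploaded "spinstall0.aspx"-style page, correlated per client IP. The log lines are constructed; the `spinstall<digits>.aspx` name pattern and the 10-minute correlation window are assumptions.

```python
"""Hunt IIS W3C logs from an on-premises SharePoint server for ToolShell-style activity.

Added example: not Microsoft's published hunting query and not code from the articles.
It looks for the two observable steps the article describes (a POST to the ToolPane
endpoint, then requests for a spinstall0.aspx-style page) and links them per client IP.
Assumptions: 'spinstall<digits>.aspx' covers the "variations of spinstall0.aspx", and a
follow-up request within 10 minutes of the POST belongs to the same intrusion.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed name pattern for the uploaded ASP.NET script (spinstall.aspx, spinstall0.aspx, ...).
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)
# The ToolPane endpoint that receives the crafted POST.
TOOLPANE_RE = re.compile(r"/ToolPane\.aspx$", re.IGNORECASE)
# Assumption: a spinstall request this soon after a ToolPane POST from the same IP is linked.
WINDOW = timedelta(minutes=10)

# Constructed sample log (default IIS W3C fields): a benign page load, an anonymous
# ToolPane POST followed by a successful fetch of spinstall0.aspx, a legitimate
# authenticated ToolPane POST, and a later probe for spinstall1.aspx that returns 404.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 18:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.42 Mozilla/5.0 - 200 0 0 120
2025-07-18 18:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 310
2025-07-18 18:03:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 45
2025-07-18 18:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\bob 10.0.0.43 Mozilla/5.0 - 200 0 0 200
2025-07-19 07:31:05 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 198.51.100.9 python-requests/2.31 - 404 0 2 12
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the whole hunt
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def hunt_toolshell(text):
    """Return findings, in log order, for ToolPane POSTs and spinstall-style requests."""
    findings = []
    toolpane_posts = defaultdict(list)  # c-ip -> timestamps of POSTs to ToolPane.aspx
    for rec in parse_iis_w3c(text):
        ip, stem, status = rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]
        if rec["cs-method"] == "POST" and TOOLPANE_RE.search(stem):
            toolpane_posts[ip].append(rec["ts"])
            # Legitimate page editing is authenticated; an anonymous POST that succeeds
            # matches the identity bypass the spoofing flaw provides.
            if rec.get("cs-username", "-") == "-" and status == "200":
                findings.append({"rule": "unauthenticated_toolpane_post", "ip": ip,
                                 "uri": stem, "status": status, "severity": "medium",
                                 "ts": rec["ts"]})
        if WEBSHELL_RE.search(stem):
            # 200 means the page really exists on the server; a 404 is still a probe worth noting.
            f = {"rule": "webshell_request", "ip": ip, "uri": stem, "status": status,
                 "severity": "high" if status == "200" else "medium", "ts": rec["ts"]}
            linked = [t for t in toolpane_posts[ip] if timedelta(0) <= rec["ts"] - t <= WINDOW]
            if linked:
                f["rule"] = "toolpane_then_webshell"
                f["severity"] = "critical"
                f["toolpane_post_ts"] = max(linked)
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt_toolshell(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['rule']:28} {f['ip']:15} {f['uri']} ({f['status']})")
```

A 200 on a spinstall-style page is the strongest signal, since it means the file is actually present on the server; treat the MachineKey material as exposed and rotate it rather than only removing the file.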
[6]
Microsoft claims China-backed hackers hit SharePoint systems
Microsoft has released comprehensive security updates for all supported versions of SharePoint Server.

Microsoft has claimed that several China-backed hacker groups are actively targeting on-premises SharePoint servers. In a blog post, the tech giant confirmed that attackers are exploiting two serious vulnerabilities to carry out the attacks: CVE-2025-49706, a spoofing issue, and CVE-2025-49704, a remote code execution bug. These vulnerabilities affect only on-premises SharePoint servers, not the cloud-based SharePoint Online service in Microsoft 365.

According to Microsoft, two known Chinese state-backed hacker groups, Linen Typhoon and Violet Typhoon, have been spotted using these flaws to attack internet-facing SharePoint servers. Another group, Storm-2603, also believed to be based in China, is carrying out similar attacks.

"With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems," the company stated.

In response, Microsoft has released comprehensive security updates for all supported versions of SharePoint Server, including Subscription Edition, 2019 and 2016. These updates also fix issues related to two newly discovered vulnerabilities: CVE-2025-53770 and CVE-2025-53771. The company strongly urges all users to apply these updates immediately to stay protected.

To further reduce the risk, Microsoft recommends users:

In related news, Charles Carmakal, the chief technology officer at Google's incident response unit Mandiant, told TechCrunch "at least one of the actors responsible" was a China-nexus hacking group, but highlighted that "multiple actors are now actively exploiting this vulnerability."
Microsoft has released patches for critical zero-day vulnerabilities in SharePoint that were actively exploited by Chinese state-sponsored hackers, affecting government agencies and organizations worldwide.
Microsoft has recently patched critical zero-day vulnerabilities in its SharePoint server software that were actively exploited by Chinese state-sponsored hackers [1]. The vulnerabilities, designated as CVE-2025-53771 and CVE-2025-53770, affect only on-premises versions of SharePoint, leaving cloud-based SharePoint Online unaffected [2].
Source: ZDNet
CVE-2025-53771 is a SharePoint Server spoofing vulnerability, allowing attackers to impersonate trusted users or resources. CVE-2025-53770, rated as critical, is a remote code execution vulnerability that enables hackers to run code remotely in a SharePoint environment [2]. Together, these flaws allow cybercriminals to install malicious programs and compromise SharePoint environments.
The vulnerabilities have been exploited to attack various organizations, including US federal and state agencies, universities, and energy companies [3]. Alarmingly, even the US National Nuclear Security Administration was breached [4]. Microsoft has attributed the attacks to three Chinese nation-state actors: Linen Typhoon, Violet Typhoon, and Storm-2603 [1].
In a concerning development, Microsoft observed Storm-2603 deploying Warlock ransomware using these vulnerabilities. This ransomware strain not only encrypts data but also steals it, enabling double-extortion tactics [3].
Source: Digit
Microsoft initially attempted to fix the vulnerabilities with its July 8 Patch Tuesday updates. However, these patches proved insufficient, allowing hackers to bypass them [2]. The company has since released more robust protections, urging all users of on-premises SharePoint systems to install them immediately [5].
This incident occurs against a backdrop of increasing geopolitical tensions between the US and China, particularly in the tech sector. Reports suggest that major companies like Amazon and McKinsey are scaling back AI-related operations in China, while US officials intensify scrutiny of US companies working on AI in China [4].
Source: ZDNet
Microsoft strongly advises all organizations using on-premises SharePoint servers to apply the latest security updates without delay. The company warns that delayed patching could leave systems vulnerable to expanding campaigns [5]. Additionally, Microsoft has published indicators of compromise and threat-hunting queries to assist defenders in identifying malicious activities [3].