Zero-Day Vulnerability Exploited
Microsoft has disclosed that a critical zero-day vulnerability in its self-hosted SharePoint Server was actively exploited by multiple threat actors since early July. The flaw allowed attackers to steal data, harvest cryptographic keys, implant backdoors, and spread laterally across enterprise networks.
Three Chinese-Linked Groups Identified
In its security advisory, Microsoft named three China-connected hacking teams—Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603—as primary exploiters. These groups have targeted at least 100 organisations across sectors including energy, healthcare, universities, and government agencies in the U.S. and Germany.
Highly Sensitive Targets Hit
Among the compromised entities was the U.S. National Nuclear Security Administration, underscoring the breach’s severity. At least two U.S. federal agencies and possibly up to five have been affected, according to U.S. officials.
Patch Failings Aggravated Risks
Microsoft acknowledged that its initial July patch was incomplete, failing to fully address the exploit—identified at a hacker competition in May as the “ToolShell” flaw. Subsequent patches were released only after widespread malicious activity was detected.
Global Response and Ongoing Threat
Government cybersecurity agencies in the U.S. (CISA, DOD), U.K., and Germany are coordinating with Microsoft to assess the fallout. Security firms warn that simply patching may not suffice—pre-existing implants may have been placed in vulnerable systems.
Urgent Guidance for Organisations
Microsoft urges all customers using on-premises SharePoint Server 2016, 2019, and Subscription Edition to immediately apply the latest security updates, rotate keys, enable antimalware measures, and run forensic scans for indicators of compromise.
Implications for Tech and Security
The incident deepens scrutiny on Microsoft’s patch management and the broader risks of self-hosted software. It also intensifies U.S.–China cyber tensions, marking one of the highest-profile espionage campaigns in President Trump’s second term.
What Comes Next
- Investigation: Government agencies are probing the full scope and impact.
- Remediation: Affected organisations must fully patch, rotate credentials, and validate system integrity.
- Policy pressure: U.S. lawmakers are raising concerns about Microsoft’s security practices, including the use of China-based engineers.
Final Word
Microsoft’s warning about sophisticated, China-linked hackers exploiting a zero-day in SharePoint Server is a wake-up call for organisations running legacy on-prem systems. The incident highlights how delays in patching and systemic vulnerabilities can open doors to state-level cyber espionage.