Quick Facts
- Over 400 organizations have been hit by attacks targeting Microsoft SharePoint Server 2016.
- Main targets: organizations in the USA and Germany, including government units.
- The attackers exploited a previously unknown flaw, a so-called “zero-day” vulnerability.
- Emergency updates for SharePoint 2016 were released to help fix the issue.
- Security experts confirmed links to groups from China in these attacks.
What Happened?
A new security flaw appeared in Microsoft SharePoint Server 2016. It allowed attackers to break in even on servers that had been updated before July 2025. Many important organizations rely on SharePoint to share files and work together.
Timeline
- July 8, 2025: First fixes for initial flaws were released.
- July 18–19, 2025: Experts noticed a sharp rise in attacks.
- July 20, 2025: Emergency patches released for SharePoint Server Subscription Edition and SharePoint Server 2019.
- July 21, 2025: Final emergency update released for SharePoint Server 2016.
Attack Details
- Hackers found ways to use flaws called CVE-2025-53770 and CVE-2025-53771.
- Old fixes (CVE-2025-49704 and CVE-2025-49706) were not enough, as hackers discovered new ways in.
- These attacks typically start with the attacker bypassing authentication, so the server treats them as trusted, and then taking over the system.
- Attackers could run their own code, steal the server's cryptographic keys, and keep coming back even after patching unless extra steps, such as key rotation, are carried out.
Who Was Behind It?
Security teams traced the attacks to groups based in China. Three specific groups—Linen Typhoon, Violet Typhoon, and Storm-2603—were identified as leading the early attacks. These groups quickly took advantage of the new vulnerabilities, starting as soon as they were discovered.
Cybersecurity company Mandiant verified links to China, and multiple threat actors were found to be acting at the same time. The groups are skilled and have a history of big attacks on key technology. The campaign hit government and critical infrastructure among other targets.
How Did Organizations Get Hurt?
- Up to 400 organizations were compromised.
- Many affected groups are in the USA and Germany.
- Both government and critical infrastructure groups were impacted.
- The attackers used the SharePoint flaws to get inside, steal keys, and plant backdoors so that they could return later, even after patching, if the cleanup was not done properly.
What Has Microsoft Done?
Microsoft responded with emergency patches for all supported versions of SharePoint Server. The fix is not just about installing updates—administrators must also change important server keys to stay protected. If the keys are not changed, attackers may still have access, even after the update. Steps for patching and key updating are found in Microsoft’s guidance.
What Should You Do Now?
To protect servers:
- Apply the latest emergency update for SharePoint Server 2016 or your SharePoint version.
- Follow Microsoft’s advice and rotate (change) the security keys (machine keys).
- Check for signs of compromise—like new accounts, suspicious files, or changed settings.
- Monitor for future threats, as attackers are still searching for unpatched systems.
- Educate your team about new risks and update security policies as needed.
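As an added example (not from the article, and not Microsoft's own script), the PowerShell below carries out the follow-up steps listed above on a patched farm server: it rotates the machine keys on every web application, restarts IIS so the new keys take effect, and lists recently changed .aspx files as a basic triage check. It assumes the SharePoint Management Shell, the Update-SPMachineKey cmdlet, and the SharePoint 2016 LAYOUTS path under the "16" hive.

```powershell
# Added example, not from the article or Microsoft. Run as a farm administrator
# in the SharePoint Management Shell AFTER the emergency update is installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: rotate ASP.NET machine keys on every web application (incl. Central Admin).
# Update-SPMachineKey generates new ValidationKey/DecryptionKey values and
# distributes them to the farm; a web application whose rotation fails keeps
# the old, possibly stolen, keys.
$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $webApp.Url; Status = 'Rotated' }
    } catch {
        [pscustomobject]@{ WebApplication = $webApp.Url; Status = "Failed: $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize

# Step 2: worker processes only load the new keys after IIS restarts.
iisreset.exe | Out-Null

if ($results.Status -match '^Failed') {
    Write-Warning 'At least one web application still has its old keys; repeat the rotation before treating the server as clean.'
}

# Step 3: basic triage for "suspicious files": any .aspx page in the LAYOUTS
# folder written in the last 30 days deserves a look, since product files there
# normally change only when a patch is applied. (Assumption: 30 days is a
# reasonable review window for this incident; adjust to your patch history.)
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$recent = Get-ChildItem -Path $layouts -Filter '*.aspx' -Recurse -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime, Length

if ($recent) {
    Write-Warning "Recently written .aspx files under LAYOUTS (review each):"
    $recent | Format-Table -AutoSize
} else {
    Write-Host 'No .aspx files under LAYOUTS changed in the review window.'
}
```

The file listing is a starting point for review, not proof of compromise either way; compare each hit against your patch dates and Microsoft's published guidance.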
Key Takeaways
- The risk came from both a new vulnerability and hackers who acted very quickly.
- Updating alone is not enough; rotating keys is just as important.
- Even well-maintained systems can be at risk if steps are missed.
- Early action by IT teams can block further harm.
Organizations, Stay Alert
Bad actors move fast when they find a chance. Keeping servers updated and following all instructions keeps your group safer. Don’t skip the key rotation; it’s vital.
Stay careful, as new attacks could target any gaps left open.