Google and Microsoft researchers say Chinese state-sponsored hackers are actively using a zero-day flaw in SharePoint, as firms worldwide race to secure their systems.
CVE-2025-53770, a bug found last weekend in self-hosted SharePoint servers, lets attackers steal sensitive private keys, plant malware remotely, and infiltrate connected systems and stored data.
According to a Microsoft blog post, China-linked groups “Linen Typhoon” and “Violet Typhoon” are actively exploiting the SharePoint zero-day. Microsoft says one group aims to steal intellectual property, while the other gathers sensitive information for espionage.
In addition, Microsoft identified a third Chinese-backed hacking group, “Storm-2603,” as being involved in the attacks. Though little is known about the group, it has past links to ransomware incidents.
According to Microsoft, all three hacking groups have been actively using the SharePoint zero-day to infiltrate servers since at least July 7.
The bug, which has already led to breaches at numerous organizations — including in the government sector — is considered a zero-day since Microsoft hadn’t issued a fix before attacks began.