Microsoft Links Ongoing SharePoint Exploits to Three Chinese Hacker Groups
Briefly

China-based hacking groups Linen Typhoon, Violet Typhoon, and Storm-2603 are exploiting vulnerabilities in internet-facing SharePoint Server instances. These flaws include incomplete fixes for CVE-2025-49706 and CVE-2025-49704. Linen Typhoon has been active since 2012 and has been associated with multiple malware families. Violet Typhoon has targeted countries like the United States and Finland since 2015. Storm-2603 has previously deployed ransomware. Microsoft assessed that these threat actors will continue to use these vulnerabilities in attacks against unpatched systems.
Microsoft tied the exploitation of security flaws in SharePoint Server to two Chinese hacking groups, Linen Typhoon and Violet Typhoon, as well as a third group, Storm-2603.
The attacks target on-premises SharePoint servers and exploit incomplete fixes for specific flaws that permit authentication bypass and remote code execution.
Read at The Hacker News