Three hacking groups, two vulnerabilities and all eyes on China

Summary

Researchers at Pwn2Own showed remote compromise of Microsoft on-premise SharePoint in March, revealing two critical vulnerabilities. Instead of staying contained while Microsoft prepared patches, those same flaws were rapidly exploited in the wild, triggering the ToolShell campaign that breached hundreds of organisations.

Microsoft named three China-linked clusters — Linen Typhoon (APT27), Violet Typhoon (APT31) and Storm-2603 — all using the SharePoint issues (CVE-2025-49704 and CVE-2025-49706) almost simultaneously. Subsequent bypasses and follow-up flaws forced Microsoft to issue additional fixes (CVE-2025-53770 and CVE-2025-53771).

The simultaneity of exploitation has reopened debate about how exploit knowledge spreads: leaky vulnerability-disclosure processes, participants in vendor protection programmes, coordinated state logistics, or rapid opportunistic sharing among groups. Targets suggest classic intelligence collection, but some activity — notably Storm-2603 — overlaps with ransomware behaviour, leaving motives ambiguous.

Key Points

  1. Pwn2Own researchers publicly demonstrated SharePoint compromises; two zero-days were later tracked as CVE-2025-49704 and CVE-2025-49706.
  2. The ToolShell campaign saw at least three distinct China-linked clusters exploit those SharePoint flaws almost concurrently.
  3. Microsoft issued patches on 8 July but soon released urgent follow-ups after attackers bypassed the initial fixes; two further CVEs (CVE-2025-53770 and CVE-2025-53771) were disclosed.
  4. Hundreds of organisations—including government and critical infrastructure—were impacted; CISA confirmed that federal and state agencies were among those affected.
  5. Possible explanations include leaks via partner programmes (MAPP), mandated Chinese vulnerability reporting to state bodies (CNNVD/MSS), or a logistics pipeline enabling multiple groups to adopt the same exploit quickly.
  6. Targeting patterns suggest state espionage priorities, but one cluster (Storm-2603) has ties to ransomware operations, muddying motives between intelligence collection and criminal extortion.

Context and Relevance

The incident echoes earlier episodes (ProxyLogon 2021, Ivanti 2023) where multiple Chinese-linked actors exploited the same Microsoft flaws in narrow disclosure windows. It highlights a recurring defensive problem: by the time patches are published, several sophisticated actors may already be poised to mass-exploit vulnerabilities. For organisations running on-premise SharePoint, the event is a cautionary tale about patch cadence, detection telemetry and the need for layered defences.

Why should I read this?

Short and blunt: if your organisation uses SharePoint on-prem, this matters — big time. The story explains how public demos, vulnerability-disclosure channels and nation-state logistics can combine to hand multiple threat actors a simultaneous ticket into sensitive networks. Read this to know why you should be patching, hunting and hardening SharePoint now rather than later.

Author note

Punchy takeaway: this isn’t just another bug — it’s a window into how vulnerabilities can rapidly multiply into widespread compromises when disclosure, defence programmes and geopolitics collide. Highly relevant for security teams, CISOs and anyone responsible for enterprise collaboration platforms.

Source

Source: https://therecord.media/three-hacking-groups-two-vulnerabilities-china-microsoft