China-Linked Hackers Breach 400 Organizations via Microsoft SharePoint Servers

A large-scale cyberespionage campaign exploiting critical zero-day vulnerabilities in Microsoft SharePoint servers has compromised nearly 400 organizations globally, including governments, healthcare, finance, education, and manufacturing sectors. The attacks, attributed to China-linked threat groups, leverage vulnerabilities CVE-2025-53770 and CVE-2025-53771 to gain full control over servers, steal cryptographic keys, install malware, and maintain persistent access even after patches are applied. Despite Microsoft's rapid release of security patches and emergency guidance, many servers remain exposed, especially legacy versions, putting over 8,000 SharePoint servers worldwide at risk. Researchers from Eye Security and the Shadowserver Foundation have been instrumental in uncovering the scope of the breach, which continues to expand as new victims are identified. U.S. and UK authorities, including CISA and the FBI, are actively monitoring the situation, with CISA mandating remediation for federal agencies. The actual number of compromised organizations is believed to be higher than current estimates, with ongoing concerns about undetected breaches and the creation of backdoors by hackers.