Microsoft’s SharePoint Patch Failed To Stop Attacks As China-Linked Hackers Target Global Organisations

A critical security flaw in Microsoft’s SharePoint server software has triggered a wave of cyber espionage targeting nearly 100 organisations globally. Although Microsoft released a patch earlier this month, the company has now confirmed that the initial fix failed to fully close the loophole, as reported by Reuters.
The vulnerability, first uncovered at a hacking competition in May, is being exploited by multiple China-linked groups, with thousands of systems potentially exposed to the threat. A second patch has since been issued, but the damage may already be widespread.
<h3>First Patch Missed The Mark</h3>
The vulnerability was originally identified in May during a Berlin-based hacking contest hosted by Trend Micro, which offered a $100,000 prize for unearthing a zero-day exploit in Microsoft SharePoint. A researcher from Viettel, a Vietnamese state-owned telecom company, demonstrated how the flaw, dubbed “ToolShell” could be used to breach servers. Microsoft released a patch on July 8 and classified the bug as a critical issue.
But that fix didn’t work. Just ten days later, cybersecurity firms began reporting increased malicious activity targeting the same SharePoint systems the patch was meant to protect. British firm Sophos confirmed in a blog post that attackers had already developed exploits that could bypass the update.
<h3>China-Linked Groups Allegedly Behind Attacks</h3>
In a blog post, Microsoft identified three China-based hacking groups, Linen Typhoon, Violet Typhoon, and an unnamed third actor, as the key players exploiting the vulnerability. Both Microsoft and Google have said the initial wave of attacks appeared to be connected to China-linked threat actors.
China’s embassy in Washington denied any involvement, saying the country opposed all forms of cyberattacks and accused others of making allegations without solid proof.
It remains unclear who is definitively behind the attacks, but experts believe the campaign is likely to spread as other hackers join in.
<h3>Sensitive US Agency Among Victims</h3>
Bloomberg reported that the US National Nuclear Security Administration, which oversees the country’s nuclear arsenal, was among those breached. However, no classified information is believed to have been compromised.
Microsoft, the US Energy Department, and the Cybersecurity and Infrastructure Security Agency did not immediately respond to Reuters’ requests for comment on that report.
<h3>Thousands Of Servers Potentially At Risk</h3>
Data from the search engine Shodan shows more than 8,000 SharePoint servers that could be at risk of compromise. The Shadowserver Foundation, which scans the internet for digital vulnerabilities, placed the number slightly higher at over 9,000. These servers span a broad range of sectors, from finance and healthcare to industrial companies and government agencies. Most affected systems appear to be located in the United States and Germany.
Despite vulnerabilities existing in some German networks, the country’s Federal Office for Information Security said on Tuesday that no government servers had been compromised.
Trend Micro noted that vendors participating in such security initiatives are expected to patch issues in a timely and effective way. While acknowledging that patches occasionally fail, the firm said SharePoint has experienced similar issues in the past.