Microsoft Rushes To Plug SharePoint Flaws After Wave Of Cyber Intrusions

A quiet vulnerability turns into a major test for legacy systems

Summary
  • Attackers include Linen Typhoon, Violet Typhoon, and the emerging Storm‑2603, targeting government agencies, NGOs and more.

Reports suggest that Chinese‑linked hackers exploited two unpatched flaws in on‑premises SharePoint to breach around 100 organizations in a single weekend. Microsoft (MSFT) rushed out fixes and urged everyone to update right away.

On July 19, the Microsoft Security Response Center flagged a spoofing bug (CVE‑2025‑49706) and a remote code execution hole (CVE‑2025‑49704) in on‑premises SharePoint.

Advanced groups known as Linen Typhoon and Violet Typhoon have been chaining these vulnerabilities to slip into servers, and a less familiar actor called Storm‑2603 is now using them too. Their favorite targets include government agencies, think tanks and universities across the U.S., Europe and East Asia.

If your IT team hasn't applied the new SharePoint patches, any exposed server is at risk of having data — from defense plans to donor lists — stolen overnight.

Microsoft pointed out that SharePoint Online in Microsoft 365 isn't affected, making the cloud version a safer bet when it comes to rapid security updates.

Rolling out fixes is one thing; getting them installed in complex, custom environments is another. Until everyone catches up, expect more breach headlines. This incident is a stark reminder of why many organizations are accelerating moves from traditional on‑premises software to cloud‑hosted alternatives.

Disclosures

I/we have no positions in any stocks mentioned, and have no plans to buy any new positions in the stocks mentioned within the next 72 hours.