Chinese Hackers Exploit Active 0-Day Vulnerability in SharePoint Servers
gbhackers
Microsoft has confirmed that Chinese nation-state actors are actively exploiting zero-day vulnerabilities in on-premises SharePoint servers, prompting urgent security updates and immediate patching recommendations for organizations worldwide.
Vulnerability Discovery and Active Exploitation
On July 19, 2025, Microsoft Security Response Center disclosed that multiple Chinese threat actors have been exploiting two critical vulnerabilities affecting on-premises SharePoint servers: CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability.
These vulnerabilities do not affect SharePoint Online in Microsoft 365, but pose significant risks to organizations running on-premises installations.
Microsoft’s investigation reveals that exploitation attempts began as early as July 7, 2025, with threat actors targeting internet-facing SharePoint servers through crafted POST requests to the ToolPane endpoint.
The company has observed rapid adoption of these exploits across multiple threat groups, assessing with high confidence that additional actors will continue integrating these vulnerabilities into their attack campaigns.
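A defender-side check for the activity described above, as an added example that is not from the original article or from Microsoft: it scans IIS W3C logs for POST requests to the ToolPane page on or after July 7, 2025, grouped by client IP. The `/toolpane.aspx` path suffix, the reduced field set and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample in IIS W3C extended log format (documentation-range IPs,
# not real traffic). Assumption: the log uses this reduced field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-05 10:01:12 POST /_layouts/15/ToolPane.aspx 198.51.100.7 401
2025-07-08 03:14:55 GET /_layouts/15/start.aspx 203.0.113.9 200
2025-07-08 03:15:02 POST /_layouts/15/ToolPane.aspx 203.0.113.9 200
2025-07-09 11:40:20 POST /sites/hr/_layouts/15/toolpane.aspx 203.0.113.9 200
2025-07-10 08:00:00 GET /_layouts/15/ToolPane.aspx 192.0.2.44 200
2025-07-11 22:05:41 POST /_layouts/15/ToolPane.aspx 192.0.2.44 401
2025-07-11 22:05:42 POST /_layouts/15/ToolPane.aspx
"""

def find_toolpane_posts(lines, since=date(2025, 7, 7), suffix="/toolpane.aspx"):
    """Return {client_ip: [(date, time, status), ...]} for matching POSTs.

    `suffix` is an assumed path ending for the ToolPane endpoint; IIS paths are
    case-insensitive, so the comparison is done in lower case.
    """
    fields, hits = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        try:
            day = date.fromisoformat(row["date"])
        except (KeyError, ValueError):
            continue
        if (row.get("cs-method", "").upper() == "POST"
                and row.get("cs-uri-stem", "").lower().endswith(suffix)
                and day >= since):
            hits[row.get("c-ip", "?")].append(
                (row["date"], row.get("time", ""), row.get("sc-status", "")))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_toolpane_posts(SAMPLE_LOG.splitlines()).items():
        print(ip, len(events), events)
```

A match is a lead for review alongside patch status, not confirmation of compromise.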
Three distinct Chinese threat actors have ...
Copyright of this story solely belongs to gbhackers.