
Hackers linked to China behind Microsoft SharePoint attack

It is not really a surprise, but at least one of the actors behind the first attacks exploiting the Microsoft SharePoint zero-day that is currently causing quite a stir is considered a so-called “China-nexus threat actor.”

We predicted this earlier today in our comprehensive article on the Microsoft SharePoint zero-day: given the targets of the attacks, the initial attackers were most likely to be found among state actors. Enquiries by BleepingComputer to Google Cloud’s Mandiant Consulting CTO Charles Carmakal confirm our suspicion.

More attackers and attacks

In itself, the above was to be expected. However, this attribution is no longer of much relevance for organizations that could potentially be targeted. Carmakal also indicates that multiple parties are now exploiting the zero-day. These could be attackers sponsored by other countries, but also attackers with no clear ties to a specific country. The latter likely have other motives, such as IP theft or stealing other trade secrets.

A so-called PoC exploit for CVE-2025-53770 is now available on GitHub. Although it is intended for educational purposes, it is of course also accessible to people with less noble intentions, which ultimately makes it easier for more attackers to get started.

Of course, on the other hand, people are working hard to fix everything, and the wider availability of the exploit does not necessarily mean that the problem will only get worse. However, it is important to patch all on-premises Microsoft SharePoint servers, even if you think you are not affected or will not be affected. It is also important to renew the ASP.NET machine keys, since a patch alone does not invalidate keys an attacker may already have obtained.
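One way to carry out the machine-key renewal recommended above, as an added PowerShell example that is not part of the original article or Microsoft's own guidance. It assumes SharePoint Server 2016 or later, where the Update-SPMachineKey cmdlet triggers the machine-key rotation timer job for a web application, and that it is run in an elevated SharePoint Management Shell on a farm server after the security update has been applied.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys of every
# on-premises SharePoint web application after patching. Assumes SharePoint
# Server 2016 or later, where Update-SPMachineKey runs the rotation timer job.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotate the keys of each web application in the farm and record the outcome,
# so that a failure on one application is not hidden by success on the others.
$results = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $webApp.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize

# The new keys only take effect once the IIS worker processes reload, so restart
# IIS here and repeat the restart on every other server in the farm.
iisreset.exe

# A web application that failed to rotate still runs on the old keys and must be
# dealt with before the farm is considered clean.
if ($results | Where-Object { -not $_.Rotated }) {
    Write-Warning "One or more web applications did not rotate their machine keys."
}
```

Run this after the update is installed on all farm servers; rotating first and patching afterwards leaves a window in which the new keys can be exposed again.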