Microsoft said a critical zero-day chain in on-premises SharePoint servers, tracked as CVE-2025-53770 and CVE-2025-53771, has been exploited since at least 7 July and now affects more than 400 government agencies, companies and other organisations worldwide. The breaches include the US National Nuclear Security Administration and several federal departments, although no compromise of classified data has been confirmed.

Redmond issued out-of-band fixes on 20 July for SharePoint Server 2019 and the Subscription Edition, followed by a patch for SharePoint 2016 and expanded guidance on 22 July. The US Cybersecurity and Infrastructure Security Agency added the vulnerabilities to its mandatory patch list, giving federal civilian agencies a 21 July deadline to secure their systems.

Microsoft attributes the campaign to three China-linked actors. Linen Typhoon and Violet Typhoon, both long-running espionage groups, used the flaws to steal authentication keys and gain persistent access, while a separate China-based crew, Storm-2603, has begun distributing Warlock ransomware across compromised networks.

Security researchers say the number of victims climbed from roughly 60 on 22 July to more than 400 the next day, indicating continued mass scanning of unpatched servers. Eye Security reports that US organisations account for the largest share of known infections, followed by targets in Europe, Africa and Asia.

Microsoft is now investigating whether technical information shared through its Active Protections Program leaked, giving attackers advance insight into the vulnerabilities. The company urges customers to apply the latest updates, rotate SharePoint machine keys and enable the Antimalware Scan Interface to limit further intrusions.
💻 Technology | 🔍 A massive cyberattack targeting Microsoft server software affects 100 organizations. 🛡️ https://t.co/seOpPiieFM
Microsoft probing if Chinese hackers learned SharePoint flaws through alert, Bloomberg News reports https://t.co/H1yCnPXRed
SharePoint Server Vulnerabilities Exploited Despite Emergency Patch https://t.co/Cefcj5lESA | by @RobinsonCole