Key Takeaways:
- Chinese state-affiliated hackers exploited a vulnerability in Microsoft SharePoint long after the software’s support had ended.
- The attack, tied to the Flax Typhoon group, targeted unpatched SharePoint 2013 servers that reached end-of-life in April 2023.
- Security researchers warn this type of incident could foreshadow a wave of legacy software exploitation as more enterprise tools age out of support.
- Experts urge organizations to inventory and sunset legacy infrastructure to prevent further national security risks.
As cybersecurity teams race to adopt AI tools and zero trust frameworks, some of the most critical threats continue to emerge from basic IT hygiene failures—like unpatched, outdated software. That reality came into focus again this week after Microsoft confirmed that Chinese-linked hackers breached organizations by targeting SharePoint 2013 servers that had reached end-of-life and were no longer receiving security updates.
The campaign, attributed to a threat actor tracked as Flax Typhoon (CrowdStrike tracks the same group as Ethereal Panda), exploited CVE-2023-29357, a flaw in SharePoint Server's authentication handling. Microsoft released a patch for the flaw in June 2023, but no fix was issued for versions of SharePoint that had already aged out of support, including SharePoint Server 2013. According to researchers, Flax Typhoon began actively exploiting the issue months later.
In related news we’ve reported, New Coyote Malware Variant Exploits Windows UI Automation to Evade Detection and Steal Banking Credentials, Automotive Security Under Scrutiny After Major Vulnerabilities Exposed in Connected Cars, Clorox Sues Cognizant for $380 Million Over Credential Mishandling in Cyberattack, US Nuclear Weapons Agency Breached in Microsoft SharePoint Cyberattack, Chinese Threat Actor Targeted Microsoft SharePoint in ToolShell Malware Campaign, Chinese Hackers Breached US National Guard Networks, Stay Hidden for Months, Ukrainian Hackers Claimed Devastating Cyberattack on Russian Drone Manufacturer Gaskar Group and the Trump Administration Allocated $1 Billion for Offensive Cyber Operations.
The Threat from Outdated Infrastructure
The SharePoint exploit underscores a mounting concern in cybersecurity: how quickly outdated infrastructure can become a national security risk. Many organizations still run legacy systems like SharePoint 2013 internally, especially where workloads are deeply embedded into business processes. But once those tools lose vendor support, they become high-value soft targets for advanced persistent threat (APT) groups.
“The moment support ends, the patching stops, but attackers don’t,” said a security researcher familiar with the case. “Nation-state actors know which systems are still widely deployed and lagging behind. They plan around it.”
Despite Microsoft’s clear warnings about the end of support for SharePoint 2013 in April 2023, telemetry data suggests many organizations did not migrate in time. The result was predictable: an attack surface that widened over time as patch coverage dropped and vulnerability awareness faded.
How the Attack Worked
CVE-2023-29357 is an elevation-of-privilege flaw: an attacker who can reach the server over the network can present a spoofed authentication token, impersonate an authenticated user, and obtain administrative privileges on the SharePoint instance. It requires no credentials and no user interaction, which makes it well suited to quiet initial access. On its own it yields an administrative session rather than code execution; public research on the flaw chained it with a separate SharePoint code-execution bug (CVE-2023-24955) to run commands on the server, so both fixes matter on builds that can still receive them.
Flax Typhoon reportedly chained this vulnerability with other known issues to establish persistence, move laterally within target networks, and exfiltrate sensitive data. The full scope of the intrusion remains classified, but sources suggest the victims include government agencies and critical infrastructure operators in Asia and North America.
Microsoft has since updated its guidance to strongly recommend migrating to supported SharePoint versions or cloud-based SharePoint Online. However, the breach also highlights a structural limitation: support timelines are not always aligned with enterprise migration cycles, particularly in sectors with compliance-heavy documentation systems.
A Growing Pattern
This isn’t the first time Chinese state-sponsored actors have been linked to intrusions involving outdated Microsoft tools. The Hafnium campaign in 2021 relied on flaws in on-premises Exchange Server; the first intrusions used zero-days, but the mass exploitation that followed the patch release hit servers that were behind on updates or out of support. The parallels are troubling.
While the federal government has begun requiring software bills of materials (SBOMs) and inventory tracking from critical suppliers, private-sector compliance remains inconsistent. Many smaller organizations lack the visibility or resources to phase out aging systems.
According to some experts, these events reveal a deeper problem: cybersecurity frameworks often assume software lifecycles are neatly managed, but the reality is far messier.
Policy and Industry Implications
There are growing calls for industry-wide frameworks to manage legacy tech risk. Some experts propose a “responsible decommissioning” initiative that mirrors responsible disclosure—encouraging vendors and users to publicly signal end-of-life dates and offer transparent migration paths.
Others say mandates may be necessary. “If a piece of software can compromise national security and it’s no longer supported, its operators need to be held to account,” one policy analyst stated. “That includes requiring inventories and proof of phase-outs in regulated industries.”
Microsoft, for its part, has not commented on whether extended support options or alerts could be improved. The company did note that it routinely works with CISA and global cybersecurity agencies to surface urgent threats and guidance.
A Warning for the Future
As the industry turns its attention to AI-driven threats and complex zero-day chains, the SharePoint incident is a reminder that low-tech risks still pack a punch—especially when paired with state-sponsored intent.
With more enterprise software nearing end-of-life milestones over the next 24 months, the concern is that other tools—like older Citrix, Oracle, and even SAP systems—may become the next target set. Attackers don’t need novel exploits when simple neglect creates the opportunity.
Organizations are advised to inventory every unsupported product, assess each one by exposure and business criticality, prioritize migration to cloud or vendor-supported alternatives, and treat software lifecycle tracking as an ongoing control rather than a one-off project.
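As an added example (not code from the article or from Microsoft), the following Python script shows the kind of lifecycle check the advice above calls for: it reads a host inventory, maps each SharePoint build number to a product generation and its end-of-support date, and ranks hosts by whether they are out of support and internet-exposed. The lifecycle table, the build-number prefixes, the hostnames and the inventory rows are assumptions constructed for the example; verify the dates and prefixes against Microsoft's lifecycle pages before relying on them.

```python
"""Rank SharePoint hosts in an inventory by lifecycle and exposure risk.

Added example, not taken from the article or from Microsoft. The lifecycle
table, build prefixes and inventory rows are assumptions for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed lifecycle table: (lowest build, highest build, product, end of support).
# Build prefixes assumed: 2013 = 15.0.x, 2016 = 16.0.4xxx, 2019 = 16.0.10xxx,
# Subscription Edition = 16.0.14xxx and above (None = continuous servicing).
# Confirm every entry against Microsoft's lifecycle pages before production use.
LIFECYCLE = (
    ((15, 0, 0), (15, 0, 99999), "SharePoint Server 2013", date(2023, 4, 11)),
    ((16, 0, 4000), (16, 0, 9999), "SharePoint Server 2016", date(2026, 7, 14)),
    ((16, 0, 10000), (16, 0, 13999), "SharePoint Server 2019", date(2026, 7, 14)),
    ((16, 0, 14000), (16, 0, 99999), "SharePoint Server Subscription Edition", None),
)

# Constructed sample inventory; hostnames and builds are made up for the example.
SAMPLE_INVENTORY = """\
host,product,build,internet_exposed
sp-legacy-01,SharePoint,15.0.5571.1001,yes
sp-intranet-02,SharePoint,15.0.4569.1000,no
sp-prod-03,SharePoint,16.0.10417.20027,yes
sp-se-04,SharePoint,16.0.17928.20160,yes
sp-old-05,SharePoint,14.0.7015.1000,no
fs-01,FileServer,10.0.20348,no
"""
SAMPLE_TODAY = date(2025, 7, 25)  # assessment date used by the example run

SEVERITY_RANK = {"critical": 0, "high": 1, "review": 2, "medium": 3, "low": 4}


@dataclass
class Finding:
    host: str
    product: str
    build: str
    end_of_support: Optional[date]
    internet_exposed: bool
    days_past_eol: int
    severity: str


def parse_build(build: str) -> tuple[int, int, int]:
    """Return (major, minor, build) from a dotted version such as '15.0.4569.1000'."""
    parts = build.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def classify(build: str) -> Optional[tuple[str, Optional[date]]]:
    """Map a build to (product, end_of_support), or None if it is not in the table."""
    key = parse_build(build)
    for low, high, product, eol in LIFECYCLE:
        if low <= key <= high:
            return product, eol
    return None


def severity_for(days_past_eol: int, exposed: bool) -> str:
    """Out of support and reachable from the internet is the worst combination."""
    unsupported = days_past_eol > 0
    if unsupported and exposed:
        return "critical"
    if unsupported:
        return "high"
    if exposed:
        return "medium"
    return "low"


def assess_inventory(csv_text: str, today: date) -> list[Finding]:
    """Assess every SharePoint row; other products are skipped, unknown builds are flagged."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip() != "SharePoint":
            continue
        exposed = row["internet_exposed"].strip().lower() == "yes"
        classified = classify(row["build"])
        if classified is None:
            # Unknown build: never accept silently, it is most likely older than the table.
            findings.append(Finding(row["host"], "unknown", row["build"], None, exposed, 0, "review"))
            continue
        product, eol = classified
        days = (today - eol).days if eol is not None else -1  # <= 0 means still supported
        findings.append(Finding(row["host"], product, row["build"], eol, exposed,
                                max(days, 0), severity_for(days, exposed)))
    # Worst first: severity, then longest time out of support, then hostname for stable output.
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], -f.days_past_eol, f.host))
    return findings


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY):
        eol = f.end_of_support.isoformat() if f.end_of_support else "n/a"
        print(f"{f.severity:8} {f.host:15} {f.product:40} eol={eol} "
              f"days_past={f.days_past_eol} exposed={f.internet_exposed}")
```

Two design points matter more than the table itself: a build the script cannot classify is surfaced as "review" rather than dropped, because an unrecognised version is more likely to be older than anything in the table than newer; and exposure is scored separately from support status, so an internet-facing host that is still supported is not lost in the noise while an internal, out-of-support host still ranks above it.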
Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.
The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing.