National Nuclear Security Administration Systems Breached in SharePoint Cyberattack

National Nuclear Security Administration and National Institutes of Health targeted in global Microsoft SharePoint vulnerability exploitation. Chinese hacking groups suspected in widespread data breaches.

HackRead

A recent global cyberattack campaign exploiting critical vulnerabilities in Microsoft’s on-premises SharePoint software has impacted several US government agencies, including the National Institutes of Health (NIH) and the National Nuclear Security Administration (NNSA).

The breaches, which began around Friday, July 18, have prompted immediate action from affected organizations and a strong response from Microsoft, which attributes the attacks to groups linked to the Chinese government.

The NNSA, a division of the Department of Energy responsible for the nation’s nuclear weapons stockpile, confirmed it was affected, but stated that only a “very small number of systems” were impacted. Notably, as reported by Bloomberg News, no classified information was compromised, thanks to NNSA’s widespread use of Microsoft M365 cloud services and strong cybersecurity systems.

“A very small number of systems were impacted. All impacted systems are being restored,” the agency stated.

Similarly, The Washington Post reported that the NIH, a major biomedical research funder, confirmed that at least one SharePoint server system was involved, with eight servers disconnected as a precaution. While one server was compromised, there is no indication that any sensitive information was stolen.

The Washington Post also noted that the California Independent System Operator, which manages most of California’s electric grid, was targeted. The non-profit “did not confirm nor deny” the breach but confirmed that it took immediate action to contain the threat, with no impact on grid reliability.

These attacks capitalize on a zero-day vulnerability in Microsoft SharePoint. Hackread.com has extensively covered this issue, Microsoft’s investigation, and the subsequent patches in its recent reports.

What is known so far is that the vulnerabilities, identified as CVE-2025-49706, CVE-2025-49704, and a variant, CVE-2025-53770, allow for network spoofing and remote code execution, giving unauthorized actors full access to SharePoint content, including file systems and internal configurations. These particular flaws affect SharePoint deployments hosted directly by customers, rather than Microsoft’s cloud-based SharePoint Online.

Microsoft has identified three distinct hacking groups, “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603,” all linked to the Chinese government, as being behind these exploitations. These groups are known for targeting government, business, and educational institutions worldwide. The FBI and other relevant agencies are currently investigating the full extent of the compromise.

A Chinese Foreign Ministry spokesperson, when asked about the accusations, stated that China “opposes and fights hacking activities in accordance with the law” and “oppose smears and attacks against China under the excuse of cybersecurity issues.”

Nevertheless, this incident intensifies scrutiny of Microsoft’s security protocols, especially given past criticism of vulnerabilities in its core products. The Cybersecurity and Infrastructure Security Agency (CISA) is also facing criticism.

The agency is reportedly facing budget cuts and high staff turnover, which have possibly hampered the timely dissemination of threat warnings to state and local entities, leaving them more susceptible to such pervasive cyber campaigns.
