US nuclear agency breached by Chinese hackers, exploiting a vulnerability in Microsoft systems
A global cyberattack targeting on-premises Microsoft SharePoint Server installations has been confirmed. It exploits two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771 [1][3], and has been attributed to at least three Chinese government-backed hacking groups: Linen Typhoon, Violet Typhoon, and Storm-2603 [1][3]. SharePoint Online in Microsoft 365 is not affected.
Both CVEs are zero-day variants of two SharePoint vulnerabilities, CVE-2025-49706 and CVE-2025-49704, that Microsoft had patched in its July 2025 Patch Tuesday update. Attackers quickly found a way around those patches, and the bypass led to renewed exploitation of servers that were fully up to date [1][3][4].
Exploitation requires no credentials, so multifactor authentication and single sign-on in front of the server offer no protection: a single crafted request grants full access to SharePoint content and remote execution of arbitrary code [1][2][4]. The exploit chain, known as "ToolShell," is used to deploy persistent backdoors and to steal sensitive data, notably the server's ASP.NET machine keys [1][4]. With those keys an attacker can sign their own payloads and regain code execution on a server even after it has been patched, which is why key rotation is part of remediation.
The campaign has had significant impact, with more than 400 victims identified globally, including critical U.S. government agencies and multiple organizations across various sectors [2][4]. Among the targets is the National Nuclear Security Administration, responsible for the U.S. nuclear weapons arsenal [1].
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these CVEs to its Known Exploited Vulnerabilities catalog and issued urgent advisories, urging rapid patching [2][4]. Attackers began exploiting the flaws as early as July 7, 2025, targeting internet-facing SharePoint servers in multiple attack waves [1][2].
Microsoft released security updates for SharePoint on Monday [5], and CISA required federal agencies to apply them within 24 hours [2][4]. Applying the patch alone does not return a compromised server to a safe state, however: backdoors already deployed stay in place and stolen machine keys remain valid [2]. Microsoft's guidance is therefore to patch, rotate the ASP.NET machine keys, restart IIS, and hunt for signs of prior compromise.
The breach of the National Nuclear Security Administration (NNSA) reflects a qualitative change in the offensive capabilities of international cyberespionage. In a connected world, digital defense becomes a country's first line of protection, with security measured in lines of code, patches, and invisible redundant systems [6].
The threat remains active, with more than 10,700 SharePoint instances still exposed to the internet [2]. The attack highlights the continuing risk of zero-day vulnerabilities in widely used enterprise software and the growing sophistication of nation-state cyberespionage campaigns. Organizations running on-premises SharePoint should patch immediately, rotate machine keys, and take any server that cannot be patched off the internet until it can be [1][2][4].
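Patching does not tell you whether a server was already hit, so the first question for a SharePoint operator is whether the IIS logs show ToolShell traffic. The script below is an added example, not code from the article or from any vendor, that scans IIS W3C logs for two indicators published in vendor reporting on the campaign (not cited on this page): a POST to `ToolPane.aspx` whose Referer points at `SignOut.aspx`, and any request for the `spinstall0.aspx` web shell that the campaign dropped. The log lines are constructed for the example; the field order comes from the log's own `#Fields:` directive, so it works on real logs with a different column layout.

```python
"""Scan IIS W3C logs from an on-premises SharePoint server for ToolShell indicators.

Added example. Indicators are taken from public vendor reporting on the
ToolShell campaign (CVE-2025-53770 / CVE-2025-53771); the log content is constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterator

# Request that triggers the auth bypass + deserialization chain.
TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)
SIGNOUT = re.compile(r"signout\.aspx", re.IGNORECASE)
# Web shell filename observed in the campaign (spinstall0.aspx and numbered variants).
WEBSHELL = re.compile(r"/_layouts/(?:\d+/)?spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample: one benign page view, two attacker requests from an
# external address, and one benign ToolPane request from an internal editor.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 13:22:01 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 10.0.4.17 Mozilla/5.0 https://sp.corp.example/sites/hr 200
2025-07-18 13:40:55 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.45 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 13:41:02 GET /_layouts/15/spinstall0.aspx - 203.0.113.45 Mozilla/5.0 - 200
2025-07-18 13:41:09 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.4.17 Mozilla/5.0 https://sp.corp.example/sites/hr/default.aspx 200
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    client_ip: str
    method: str
    uri: str


def parse_iis_log(text: str) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line_no, row) for each data line, using the #Fields: directive as header.

    IIS encodes spaces inside a field as '+', so splitting on whitespace is safe.
    """
    fields: list[str] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed row; a production scanner should count these
        yield line_no, dict(zip(fields, values))


def scan_iis_log(text: str) -> list[Finding]:
    """Return one Finding per matching indicator; a line can match both rules."""
    findings: list[Finding] = []
    for line_no, row in parse_iis_log(text):
        method = row.get("cs-method", "")
        stem = row.get("cs-uri-stem", "")
        referer = row.get("cs(Referer)", "")
        ip = row.get("c-ip", "")
        # Rule 1: ToolShell exploitation request. Legitimate editors GET ToolPane.aspx
        # from a page within the site; the exploit POSTs it with a SignOut.aspx Referer.
        if method.upper() == "POST" and TOOLPANE.search(stem) and SIGNOUT.search(referer):
            findings.append(Finding(line_no, "toolshell_toolpane_signout_referer", ip, method, stem))
        # Rule 2: any access to the dropped web shell, regardless of method or status.
        if WEBSHELL.search(stem):
            findings.append(Finding(line_no, "toolshell_spinstall_webshell", ip, method, stem))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} {f.client_ip} {f.method} {f.uri}")
```

A hit on either rule means the server should be treated as compromised: isolate it, preserve the logs and the `LAYOUTS` directory, rotate the machine keys, and only then patch and rebuild. Absence of hits is weaker evidence, since IIS logging may have been off or the attacker may have used a variant filename, so pair the log scan with a filesystem check of the `LAYOUTS` folders for unexpected `.aspx` files.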
| Aspect | Details |
|---|---|
| Threat actors | Chinese state-backed groups: Linen Typhoon, Violet Typhoon, Storm-2603 |
| Vulnerabilities exploited | CVE-2025-53770 (critical remote code execution), CVE-2025-53771 (spoofing / security bypass); both are bypasses of the patches for CVE-2025-49706 and CVE-2025-49704 |
| Affected product | On-premises SharePoint Server; SharePoint Online is not affected |
| Impacted targets | Over 400 victims worldwide including U.S. federal agencies (notably a nuclear agency), global governments, corporations, universities |
| Attack method | Unauthenticated exploitation that sidesteps multifactor authentication and single sign-on; full SharePoint content access; persistent backdoors; theft of ASP.NET machine keys |
| Timeline | Exploitation began as early as July 7, 2025; multiple attack waves detected |
| Responses | Microsoft patched the vulnerabilities; CISA issued advisories and added the CVEs to its Known Exploited Vulnerabilities catalog; researchers urge immediate patching, machine key rotation and compromise hunting |
Sources:
[1] The Hacker News (2025). Breaking: Microsoft SharePoint Zero-Day Vulnerabilities Exploited by Chinese State-Sponsored Hackers
[2] ZDNet (2025). Microsoft SharePoint zero-day vulnerabilities exploited by Chinese state-sponsored hackers
[3] BleepingComputer (2025). Chinese APT Group Hacks U.S. Nuclear Agency, Multiple Other Organizations Worldwide Using Microsoft SharePoint Zero-Day
[4] CyberScoop (2025). Microsoft SharePoint zero-day exploited by Chinese state-sponsored hackers, CISA warns
[5] Microsoft Tech Community (2025). Security Update for Microsoft SharePoint Server July 2025
[6] The Conversation (2021). In a connected world, digital defense becomes a country's first line of protection
- Politicians and tech companies must collaborate urgently to address the ongoing threat posed by the exploitation of zero-day vulnerabilities in widely used enterprise software, like the recent attacks on Microsoft SharePoint servers.
- The continuous monitoring and updating of cybersecurity measures in technology infrastructure are crucial in light of persistent threats from nation-state cyberespionage groups, as demonstrated by the recent campaign using the "ToolShell" exploit on SharePoint servers.