
Chinese hackers gained unauthorized access to a U.S. nuclear agency through a vulnerability in Microsoft's SharePoint platform.

Chinese hackers successfully penetrated a U.S. nuclear agency using a vulnerability in SharePoint, according to Microsoft's confirmation.

Multiple China-based hacking groups, including the nation-state actors Linen Typhoon and Violet Typhoon and the China-based actor Storm-2603, have been actively exploiting a critical vulnerability chain in Microsoft's on-premises SharePoint Server software since at least July 7, 2025.

The attack, dubbed ToolShell, chains two vulnerabilities: CVE-2025-49706, a spoofing (authentication bypass) flaw, and CVE-2025-49704, a remote code execution flaw. Chained together they let an unauthenticated attacker reach an internet-exposed SharePoint server, execute code on it, and take full control, which in turn allows attackers to plant web shells, deploy ransomware and read sensitive operational data stored in government SharePoint environments.
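To make the chain concrete for defenders, here is an added detection example (written for this page, not code from Microsoft or from the article's sources) that scans IIS W3C log lines for the ToolShell request pattern Microsoft published in its hunting guidance: an unauthenticated POST to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit` carrying a `Referer` of `/_layouts/SignOut.aspx`, followed by requests to the dropped `spinstall0.aspx` web shell. The log lines are constructed for the example; the broadened `spinstall\d*.aspx` pattern and the field layout are assumptions to adapt to your own logging format.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-style log excerpt (not from any real incident). The
# #Fields header defines the column order; User-Agent values here contain no
# spaces so the lines split cleanly. Real IIS logs replace spaces with '+'.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 11:02:13 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.22 Mozilla/5.0 https://sp.contoso.local/sites/hr 200
2025-07-18 11:02:19 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 11:02:21 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-18 11:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.40 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/start.aspx 200
"""

# ToolPane.aspx under /_layouts/ or /_layouts/<version>/ (case-insensitive).
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
# The Referer that abuses the SignOut page to bypass authentication.
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx", re.I)
# Microsoft named spinstall0.aspx; the \d* is an assumption to catch renamed copies.
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or differently-shaped line; skip rather than guess
        yield dict(zip(fields, values))


def classify(entry):
    """Return a tag for a ToolShell indicator, or None for a benign entry."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    referer = unquote(entry.get("cs(Referer)", "-"))
    # Case-insensitive parameter lookup so DisplayMode/displaymode both match.
    params = {k.lower(): v for k, v in parse_qs(query).items()} if query != "-" else {}

    if WEBSHELL_RE.search(stem):
        return "webshell-access"
    if (method == "POST" and TOOLPANE_RE.search(stem)
            and any(v.lower() == "edit" for v in params.get("displaymode", []))
            and SIGNOUT_RE.search(referer)):
        return "toolshell-bypass"
    # A POST to ToolPane.aspx with an ordinary Referer is normal editing activity.
    return None


def hunt(text):
    """Return (timestamp, client ip, tag) for every indicator found in the log."""
    hits = []
    for entry in parse_w3c(text):
        tag = classify(entry)
        if tag:
            hits.append((entry["date"] + " " + entry["time"], entry["c-ip"], tag))
    return hits


if __name__ == "__main__":
    for when, client, tag in hunt(SAMPLE_LOG):
        print(f"{when}  {client:<15}  {tag}")
```

Run it against an export of `%SystemDrive%\inetpub\logs\LogFiles` from each SharePoint front end; a `toolshell-bypass` hit followed by `webshell-access` from the same client is the sequence to escalate, and any hit at all means the server's ASP.NET machine keys should be treated as compromised, not just patched.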

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on July 22, 2025. Under CISA's Binding Operational Directive 22-01, that listing requires all Federal Civilian Executive Branch agencies to patch affected SharePoint systems by July 23, 2025, a one-day deadline that underscores the severity of the threat and the ongoing attacks against critical infrastructure.

Microsoft has released security updates for all supported on-premises versions (SharePoint Server 2016, 2019 and Subscription Edition; SharePoint Online in Microsoft 365 is not affected) and strongly recommends installing them immediately. Because patching alone does not evict an attacker who has already used the flaw, Microsoft additionally advises enabling the Antimalware Scan Interface (AMSI) integration in Full Mode with Microsoft Defender Antivirus, rotating the SharePoint servers' ASP.NET machine keys, and restarting IIS afterwards. The key rotation matters because the web shell dropped in these attacks steals those keys, which would otherwise let an attacker keep executing code on a fully patched server by forging signed requests.

The campaign has affected hundreds of organizations globally, including numerous U.S. government agencies such as the Department of Homeland Security, the Department of Health and Human Services, the Department of Education and the National Nuclear Security Administration. European and Middle Eastern governments have also reported compromises.

Security expert Carlos Perez described the vulnerability as one that, if left unpatched, could be weaponized to hijack critical infrastructure. The Dutch cybersecurity firm Eye Security was the first to report the wave of compromises.

Microsoft has confirmed that Chinese threat actors are exploiting its SharePoint Server software and says it is actively investigating additional threat activity leveraging these vulnerabilities. The company urges all customers to install the security updates immediately to protect their systems.

In summary, the attack chained two critical SharePoint vulnerabilities, allowing China-based hackers to breach organizations worldwide, including government networks, and in some cases to deploy ransomware. Immediate patching, machine key rotation and compromise assessment are essential to prevent further intrusions.

  1. The ToolShell exploit chain against on-premises Microsoft SharePoint Server is a significant cybersecurity concern because it is being actively exploited by China-based hacking groups.
  2. The compromise of SharePoint servers by groups such as Linen Typhoon and Violet Typhoon has raised political concerns, as it has affected numerous government agencies across the globe, including in the United States and Europe.
