Microsoft confirms SharePoint vulnerabilities have been exploited by suspected Chinese hackers, as reports indicate the US Nuclear Security Administration may have been among those compromised

Posted by

July 23, 2025

On July 23, 2025

Following on from Microsoft’s warning earlier this week that “active attacks” were targeting its SharePoint Server customers through a known exploit, the company has now released a blog post revealing more details about the breach. According to MS, on-premises SharePoint servers were determined to have been attacked by three allegedly Chinese nation-state actors, Linen Typhoon, Violet Typhoon, and Storm-2603, via a known spoofing vulnerability and a remote code execution vulnerability.

Reuters reported on Monday that, according to Vaisha Bernard, chief hacker at Eye Security, around 100 organisations were compromised as of the weekend. The Shadowserver Foundation said that most of those affected were in the United States and Germany, and the victims included government organisations.

Bloomberg has since reported that “a person with knowledge of the matter” confirmed that hackers used the SharePoint flaws to break into the US National Nuclear Security Administration, among others, although no sensitive or classified information was compromised. The US federal agency is responsible for managing and maintaining the US nuclear weapons stockpile, along with providing nuclear propulsion plants for US submarines and promoting international nuclear safety.

A security patch released earlier this month appears to have failed to fix the vulnerabilities, which were said to be first identified in May at a hacking competition in Berlin.

Microsoft says that only on-prem servers were affected by the hack, and that the vulnerabilities in question (CVE-2025-49706 and CVE-2025-49704 respectively) have since been successfully patched out in all supported versions of SharePoint Server. MS advises that “customers should apply these updates immediately” to ensure they are protected.

A processed photo of a data center server room, showing racks of computers lit by overhead lights, reflecting off the ground.

(Image credit: quantic69 via Getty Images)

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the company continues.

“Customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode. Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.”

I’d imagine all that might be quite the headache for sysadmins working with SharePoint servers, but at this point it’s probably better to be safe than sorry. The hacking groups identified are said to have prior form, with Linen Typhoon and Violet Typhoon supposedly responsible for a litany of digital crimes, including stealing intellectual property, enacting government and military espionage, and exploiting digital weaknesses to install web shells.

A stylised photograph of a person acting as a hacker, break into servers and infecting them with a virus, as show by computer monitors displaying green text and codes Their System with a Virus

(Image credit: Witthaya Prasongsin via Getty Images)

Storm-2603, meanwhile, appears to be more mysterious. MS says that it has assessed the group with “medium confidence” to be a China-based threat actor, although it’s been unable to link it directly with the hacking groups above. Reuters also reports that the Chinese embassy in Washington has already released a statement confirming that China is against all forms of cyberattacks, and that it firmly opposes “smearing others without solid evidence.”

“We hope that relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations,” the embassy said.

In 2023, Microsoft hit the headlines over a high-profile US government email hack, also attributed to Chinese hacking groups. The federal Cyber Safety Review board later released a report on the incident, identifying a “cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed.” Given that Microsoft’s server infrastructure seems so innately tied to sensitive US government operations at this point, and the potential severity of this particular breach, it remains to be seen whether the US government will order a similar review again.