A newly uncovered vulnerability in Microsoft’s SharePoint server software has led to a significant cybersecurity intrusion involving government agencies and private organisations around the world.
Among the most high-profile victims is the US National Nuclear Security Administration (NNSA) — the agency that manages the country’s nuclear arsenal.
Although current assessments indicate that no classified or sensitive nuclear information has been compromised, the intrusions have revealed serious flaws in software security practices.
What happened?
The breach emerged after Microsoft announced that hackers were actively exploiting a flaw in on-premises versions of its SharePoint platform — a workplace collaboration system widely used across both public and private sectors.
The flaw allowed attackers to remotely access servers, steal credentials, extract cryptographic keys, and potentially install persistent backdoors for further exploitation.
This type of vulnerability, classified as a “zero-day” when first discovered due to the absence of an immediate fix, offered attackers access to internal systems that were not hosted on Microsoft’s cloud infrastructure.
Microsoft released partial mitigation guidance earlier this month but only issued comprehensive patches for all affected SharePoint versions on Monday, by which time attackers had already begun exploiting the flaw.
The issue does not affect cloud-hosted versions of SharePoint, but organisations that maintained self-managed SharePoint installations have been exposed to considerable risk.
How is China involved?
Microsoft publicly disclosed that at least three threat actors based in China — tracked as Linen Typhoon, Violet Typhoon, and Storm-2603 — were actively using the vulnerability to attack internet-facing SharePoint servers.
Two of these groups are believed to be associated with Chinese intelligence agencies, while the third remains under investigation.
In a blog post published Tuesday, Microsoft stated, “As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”
This revelation comes amid a broader cyber exploitation campaign believed to involve multiple hacking entities. According to Microsoft and private security firms involved in the investigation, groups not connected to China have also begun leveraging the same SharePoint flaw to infiltrate targets.
These actors have varying motivations, including data theft, espionage and ransomware deployment.
“It’s critical to understand that multiple actors are now actively exploiting this vulnerability,” Charles Carmakal, Chief Technology Officer at Google’s Mandiant Consulting, told The Washington Post.
“We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”
Who in the US has been impacted?
Investigators have confirmed that at least two US federal agencies have been impacted by the breach, with one US official involved in the incident response saying the number could rise to “four to five” or more as the situation unfolds.
A second official confirmed that the number of affected agencies is likely greater than what has been publicly acknowledged so far, reported The Washington Post.
The National Nuclear Security Administration (NNSA) was among the institutions infiltrated, according to a Bloomberg report.
Although preliminary assessments suggest that no classified nuclear-related data was accessed, the fact that the agency responsible for safeguarding nuclear weapons was breached has intensified concerns in national security circles.
Eye Security, a private cybersecurity firm, reported that at least 54 organisations have suffered breaches related to the SharePoint exploit.
The victims include a private US university, a California-based private energy provider, and a federal health agency.
Investigators have also found evidence linking US-based compromised servers to IP addresses inside China during the active exploitation window last weekend.
Despite the mounting evidence implicating Chinese hacking groups, the US government has not officially attributed the campaign to Beijing.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have acknowledged their involvement in addressing the breach but have refrained from commenting on attribution or the total number of agencies affected.
The White House has also declined to issue a statement on China’s possible role.
How has Beijing responded to the allegations?
The Chinese Embassy in Washington responded to inquiries about the incident by reiterating its standard position on cybercrime: “China firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear,” a spokesperson said.
“At the same time, we also firmly oppose smearing others without solid evidence.”
This statement echoes prior Chinese responses to cyber espionage accusations by Western governments. Although China did not deny the allegations outright, it maintained that it is a victim of cyber intrusions as well.
Security researchers assisting US federal investigators have pointed out that some of the early victims were organisations of strategic interest to the Chinese government.
One analyst noted that network activity from affected SharePoint systems was traced to IP addresses geolocated in mainland China.
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” said Carmakal, whose firm is directly involved in the response effort.
How is Microsoft dealing with the breach?
Critics argue that Microsoft has failed to adequately safeguard its widely used software, despite its central role in supporting sensitive systems across government and industry.
“Government agencies have become dependent on a company that not only doesn’t care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products,” said US Senator Ron Wyden (D-Oregon) in response to the latest incident.
Democratic lawmakers from the House Homeland Security Committee have requested briefings from Microsoft and CISA concerning Microsoft’s use of China-based engineers for servicing some US government systems.
This is not the first time Microsoft has faced questions about its security posture in the context of Chinese cyber espionage.
In 2023, Chinese-linked actors exploited a different Microsoft vulnerability to gain access to emails of the US ambassador to China and the US Commerce Secretary. That breach prompted a federal review panel to sharply criticise Microsoft’s security practices.
More recently, the Pentagon announced a review of its entire cloud infrastructure, following reports that engineers based in China had been offering technical support for certain Department of Defense systems.
Microsoft has now patched all SharePoint versions affected by the flaw. The company stated that it is working closely with CISA, the US Department of Defence’s Cyber Defence Command, and other global cybersecurity partners to mitigate the damage.
A Microsoft spokesperson confirmed that the company has been “coordinating closely” with key stakeholders and is urging customers to implement all security updates immediately.
Beyond patching the flaw, experts recommend that organisations conduct thorough internal reviews. This includes replacing cryptographic keys, deploying advanced anti-malware tools, and auditing systems for signs of compromise.
According to Palo Alto Networks, organisations using SharePoint may also have seen spillover effects into other Microsoft services like Outlook, Teams, OneDrive, and Office, which are often integrated into SharePoint workflows.
The SharePoint exploit is already being described as one of the most serious cybersecurity incidents of US President Donald Trump’s second term.
With inputs from agencies