Chinese-linked hackers exploit new SharePoint flaw, US nuclear agency among 60 confirmed victims

Chinese state-sponsored hacking groups are exploiting a critical Microsoft SharePoint vulnerability to infiltrate organisations worldwide, including the US National Nuclear Security Administration, cybersecurity investigators say. Microsoft has urged customers running on-premises SharePoint to patch immediately.

Rapid spread after faulty first patch

The zero-day chain, now tracked as CVE-2025-53770 and CVE-2025-53771, began circulating shortly after Microsoft’s initial 8 July security update proved ineffective, leaving thousands of servers open to remote code execution.

High-profile US breaches

Confirmed US victims include the National Nuclear Security Administration, parts of the Department of Energy, the Department of Education, Florida’s Department of Revenue and the Rhode Island General Assembly. Officials say no classified data was taken from the nuclear agency, but attackers accessed departmental systems on 18 July before containment actions began.

Global victim tally grows

Dutch security firm Eye Security has observed compromises on more than one hundred servers spanning at least sixty organisations, including energy producers, consultancies and universities in North America, Europe, the Middle East and Asia. CrowdStrike researchers say early activity resembled government-sponsored operations before widening into a broader campaign that bears hallmarks of Chinese actors.

How the attackers persist

The exploit lets intruders steal authentication keys, enabling them to impersonate users across Microsoft services such as Office, Teams and OneDrive even after servers are patched. Backdoors can survive reboots and routine updates, giving attackers long-term footholds.

Beijing dismisses allegations

The Chinese Embassy in Washington said Beijing “firmly opposes all forms of cyberattacks” and criticised what it called unfounded speculation linking the intrusions to China.

Microsoft faces renewed scrutiny

The incident adds to pressure on Microsoft after several high-profile security lapses. A 2024 US government review said the company needed urgent reforms to improve product resilience. Microsoft says it is highly confident more threat actors will adopt the SharePoint exploits and has released additional patches while its investigation continues.

What organisations should do now

Security experts urge customers to install the latest SharePoint updates, review logs for suspicious logins and rotate credentials for any accounts stored on vulnerable servers. Michael Sikorski of Palo Alto Networks’ Unit 42 described the situation as “a high-severity, high-urgency threat,” warning that SharePoint’s deep integration with other Microsoft services amplifies the potential damage from a single breach.
