Cloud Security, Critical Infrastructure Security, Threat Intelligence

US nuclear agency hacked via critical SharePoint vulnerability


Reports of attacks against federal and state agencies are emerging after news that China-linked hackers were responsible for exploiting vulnerabilities in Microsoft SharePoint recently.

Based on a July 22 Bloomberg report and other reports, the U.S. National Nuclear Security Administration, U.S. Education Department, Florida’s Department of Revenue, and the Rhode Island General Assembly were among the organizations exploited by various reported SharePoint zero-day bugs.

Other organizations were exploited worldwide, including those in the Middle East and Europe.

Microsoft reported in a July 22 blog that two Chinese nation-state actors — Linen Typhoon and Violet Typhoon — targeted internet-facing SharePoint servers and exploited the bugs. Microsoft also reported that China-based threat actor Storm-2603 exploited SharePoint servers.

According to Bloomberg, no sensitive or classified information was known to have been compromised at the U.S. nuclear agency.

Responses to the hack at the U.S. nuclear agency were mixed. Some felt the exposure was limited, while others were very concerned given that it’s the agency responsible for maintaining and designing the country’s nuclear weapons.

“China’s hackers are very good and China wants your data,” said Kevin Surace, chair at Token. “Less for ransomware and more for nefarious reasons, from stealing IP to learning about U.S. nuclear readiness. Look folks, this is all bad perpetrated by bad actors who are very good at exploiting vulnerabilities faster than your team can patch them. Patch now, or take them offline until you do so. It’s an imperative. Or just hand China your secrets: You choose.”

Despite the warning from Surace, others were not as concerned.

“Entities like the nuclear weapons agency running older deployments should have lower exposure thanks to careful information classification and network segmentation requirements, validated by federal audits and oversight," said Trey Ford, CISO Americas at Bugcrowd. “This assumes those controls are thoroughly assessed and effectively enforced.”

Peled Eldan, head of research at XM Cyber, said Microsoft's cloud solutions and strong cyber defenses appear to have limited the agency's exposure.

“This breach is a stark reminder that even the most sensitive government organizations remain at risk from rapidly weaponized vulnerabilities and emphasizes the urgency of CISA’s mandate for immediate patching and robust monitoring," Eldan continued. "For peer organizations, this attack underscores the importance of prioritizing updates on all externally accessible systems, swiftly rotating sensitive credentials, and closely auditing for signs of compromise, especially where attackers may have gained persistence before patches were applied.”

Based on evidence of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) added two more SharePoint bugs in its July 22 advisory to its Known Exploited Vulnerabilities (KEV) catalog.

The two bugs were a remote code execution (RCE) flaw and a spoofing bug: CVE-2025-49704 (RCE) and CVE-2025-49706 (spoofing). Civilian agencies are required to patch these two new bugs by end-of-day on July 23.

Microsoft cleared up some confusion around the first SharePoint CVEs reported in its July 22 blog by making clear that only CVE-2025-53770 was exploited in the wild. As of Wednesday, CVE-2025-53771 has not been exploited.
