
Vulnerability in SharePoint software extends to 400-plus businesses, among them the United States nuclear administration.

Hundreds of company servers have been impacted by a previously addressed flaw in SharePoint, a popular software platform for businesses.

In a concerning development, over 75 companies and organizations worldwide have been breached due to active exploitation of the SharePoint zero-day vulnerability CVE-2025-53770, with attackers using this flaw to gain unauthorized remote code execution on on-premises SharePoint Servers.

The attacks, part of a large-scale campaign, were first reported in the wild around July 18, 2025, and Microsoft publicly acknowledged them on July 19, issuing security bulletins and patches for SharePoint Subscription Edition and 2019, with a patch for SharePoint 2016 forthcoming.

These vulnerabilities allow attackers to upload malicious files and extract cryptographic secrets, enabling them to forge authenticated payloads and remotely execute code without authentication. Microsoft attributes these attacks primarily to Chinese threat actors and recommends mitigation via AMSI integration and Defender AV deployment on SharePoint servers to prevent exploitation in the absence of patches for some environments.

The breaches have targeted a wide range of organizations, including government agencies, education departments, and technology services. One of the highest profile agencies involved is the National Nuclear Security Administration, a U.S. agency that maintains the nation's stockpile of nuclear weapons.

Hackers may have already gained access to many of the targeted servers, even though Microsoft has issued patches to fix the flaws. Researchers have warned that the number of hacked companies may still grow due to methods that compromise servers without leaving traces.

The Linen Typhoon, Violet Typhoon, and Storm-2603 groups, all believed to be Chinese state-sponsored hacking groups, are said to have exploited the SharePoint vulnerabilities in the wild. Other opportunistic hackers may continue to exploit vulnerable servers.

Companies that have not yet patched their SharePoint servers are advised to do so immediately, following Microsoft's instructions, which include rotating machine keys and analyzing logs and file systems for signs of exploitation. It is crucial for organizations to prioritize security measures to protect their sensitive data and maintain the trust of their stakeholders.

Cybersecurity experts are closely monitoring the situation as attacks using the SharePoint zero-day vulnerability CVE-2025-53770, initially reported in July 2025, continue to impact a wide range of organizations, including those in the technology, general-news, and crime-and-justice sectors. The breaches have been primarily linked to Chinese threat actors, such as the Linen Typhoon, Violet Typhoon, and Storm-2603 groups, and the use of these vulnerabilities allows attackers to extract cryptographic secrets and gain unauthorized remote code execution. Organizations are urged to prioritize cybersecurity measures, including applying patches, rotating machine keys, and deploying protection tools like AMSI and Defender AV, to mitigate the risk of further cyberattacks and protect sensitive data.
