Microsoft SharePoint Breach: Over 400 Victims Worldwide

Thursday, Jul 24, 2025 6:51 am ET

A security vulnerability in Microsoft's SharePoint servers has led to over 400 breaches, mostly in the US, Mauritius, Jordan, South Africa, and the Netherlands. The National Nuclear Security Administration and National Institutes of Health were also affected. The real number of victims may be higher, and state-backed hackers are exploiting the vulnerability in waves.

A significant security vulnerability in Microsoft's SharePoint servers has led to over 400 breaches, predominantly in the United States, Mauritius, Jordan, South Africa, and the Netherlands. The National Nuclear Security Administration (NNSA) and the National Institutes of Health (NIH) were among the affected entities. The real number of victims may be higher, as the attacks are ongoing and the vulnerability has been exploited in waves by state-backed hackers.

The vulnerabilities, identified as CVE-2025-49706 and CVE-2025-49704, allow attackers to access SharePoint servers and steal keys that can enable deep access into compromised networks. Microsoft has issued patches to address these vulnerabilities, but the extent of the damage is still being assessed. The company has blamed China for the attacks, with several Chinese state-sponsored hacking groups, including Linen Typhoon and Violet Typhoon, exploiting the vulnerabilities [1].

Eye Security, a Dutch cybersecurity firm, initially detected the attacks last week and has since reported that at least 400 servers have been infected with malware, with 148 organizations worldwide breached. The majority of victims are in the US, with significant numbers also reported in Mauritius, Jordan, South Africa, and the Netherlands [2].

The NNSA confirmed that its networks were breached, but it has not yet found evidence that sensitive or classified information was compromised. The NIH was also impacted, and the Department of Health and Human Services is actively monitoring and mitigating the risks posed by the vulnerability [2].

Microsoft has warned customers to apply the on-premises SharePoint Server security updates immediately and follow the detailed mitigation guidance provided in its blog. The company has also linked the Chinese state-backed hacking groups Linen Typhoon and Violet Typhoon to these attacks [1].

The US government and private organizations are collaborating to address the issue, with the Department of Health and Human Services and the US Cybersecurity and Infrastructure Security Agency (CISA) working together to mitigate the risks. The real number of victims may be higher, as the attacks are ongoing and the vulnerability has been exploited in waves by state-backed hackers [2].

References:
[1] https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers-also-targeted-in-ransomware-attacks/
[2] https://finance.yahoo.com/news/tally-microsoft-victims-surges-400-135818559.html
