A security flaw in Microsoft's SharePoint servers has affected around 400 organizations, including the US Nuclear Security Agency. The vulnerability was exploited by Chinese state-backed hacking groups. Microsoft has issued security patches, but experts warn that hackers may already have access to networks. The breaches are adding to US-China tensions over hacking and trade.
Microsoft has released critical security updates to address vulnerabilities in its on-premises SharePoint servers, which have been actively exploited by Chinese state-backed hacking groups. The vulnerabilities, CVE-2025-49706 and CVE-2025-49704, affect on-premises SharePoint servers and do not impact SharePoint Online in Microsoft 365. The security patches are crucial for protecting against potential unauthorized access and data breaches.
According to the Microsoft Security Response Center (MSRC), the vulnerabilities were first observed being exploited by Chinese nation-state actors, including Linen Typhoon and Violet Typhoon, as well as another China-based threat actor, Storm-2603. These groups have been targeting internet-facing SharePoint servers, with observed exploit attempts dating back to July 7, 2025.
The security updates, which include fixes for CVE-2025-53770 and CVE-2025-53771, are designed to protect against the vulnerabilities and mitigate the risks of unauthorized access and data theft. Microsoft recommends that all customers using supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) apply these updates immediately.
In addition to applying the security updates, Microsoft advises customers to integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus on all on-premises SharePoint deployments. Customers should also rotate SharePoint server ASP.NET machine keys and restart Internet Information Services (IIS) to enhance security.
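The post-patch hardening steps above (rotate the ASP.NET machine keys, then restart IIS) can be scripted across a farm. The following is an added example written for this page, not code from Microsoft's advisory. It assumes it is run from the SharePoint Management Shell as a farm administrator on a SharePoint Server Subscription Edition or 2019 farm after the security update is installed, that the `Update-SPMachineKey` cmdlet is available on that version, and that WinRM remoting to the other SharePoint servers is enabled so `iisreset` can be run on each of them.

```powershell
# Added example (not from the Microsoft advisory): rotate ASP.NET machine keys for every
# web application in the farm, then restart IIS on every SharePoint server, matching the
# post-patch hardening steps the advisory describes.
# Assumptions: run from the SharePoint Management Shell as a farm administrator on a
# Subscription Edition or 2019 farm; Update-SPMachineKey is assumed available for this
# version (verify for your own release before relying on it); WinRM is enabled farm-wide.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Step 1: rotate the machine keys of every web application, Central Administration included.
# Each result is recorded so a failed rotation is visible rather than silently skipped.
$rotationResults = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $webApp.Url; KeyRotation = 'Rotated' }
    }
    catch {
        [pscustomobject]@{ WebApplication = $webApp.Url; KeyRotation = "Failed: $($_.Exception.Message)" }
    }
}
$rotationResults | Format-Table -AutoSize

# Stop here if any rotation failed: restarting IIS with the old keys still in place
# would give a false sense of completion.
if ($rotationResults | Where-Object { $_.KeyRotation -ne 'Rotated' }) {
    throw 'One or more web applications did not rotate their machine key; fix those before restarting IIS.'
}

# Step 2: the new keys only take effect once the IIS worker processes reload their
# configuration, so restart IIS on every server that holds a SharePoint role.
# Role 'Invalid' denotes a database server that is not a SharePoint server.
$spServers = Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object -ExpandProperty Address

foreach ($server in $spServers) {
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset.exe /noforce } -ErrorAction Stop
    Write-Host "IIS restarted on $server"
}
```

Run it once per farm, not once per server: the key rotation is a farm-level operation, while the IIS restart loop reaches each server through remoting. Keep the printed rotation table with the incident record, since it documents which web applications actually received new keys.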
The breaches have raised concerns about the security of critical infrastructure, including the US Nuclear Security Agency, which was among the organizations affected. The incidents are adding to existing tensions between the US and China over cybersecurity and trade issues.
Microsoft Defender XDR customers can use the platform to detect, prevent, investigate, and respond to threats, including those related to the SharePoint exploitation activity. The company has also provided indicators of compromise (IOCs) and hunting queries to help organizations identify and mitigate potential threats.