A severe zero-day vulnerability in Microsoft SharePoint Server has triggered a cybersecurity crisis, culminating in breaches of over 50 organizations, including the U.S. National Nuclear Security Administration (NNSA) — the agency responsible for America’s nuclear arsenal security. As reported by Bloomberg, Microsoft and federal authorities confirm that the exploit has enabled hackers, reportedly affiliated with the Chinese government, to access sensitive internal networks using a chain of vulnerabilities named “ToolShell” and tracked as CVE-2025-53770 and CVE-2025-53771.
Timeline of the Microsoft SharePoint Zero-Day Attack
- May 2025: Two critical SharePoint bugs are first demonstrated at the Pwn2Own hacking contest; they are later identified as the attack vector for ToolShell.
- July 8, 2025: Microsoft acknowledges the initial SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706) and issues a patch for some of them; full exploitation has not yet been observed at this point.
- July 14–17, 2025: Security researchers and Microsoft observe proof-of-concept exploit code being released and the first clusters of active attacks targeting organizations.
- July 18, 2025: Breaches begin at several federal agencies, including the NNSA. Hackers gain unauthorized access to on-premises SharePoint servers and connected services.
- July 19–21, 2025: Microsoft releases emergency out-of-band patches for SharePoint Subscription Edition and SharePoint Server 2019; mitigation steps for SharePoint Server 2016 are still pending.
- July 22–23, 2025: More than 50 organizations are confirmed as breached, with advisory updates from Microsoft, CISA, and cybersecurity firms.
Details of the SharePoint Vulnerabilities (ToolShell)
ToolShell is the name given to the new SharePoint zero-day attack chain, exploiting CVE-2025-53770 (a critical remote code execution flaw) and CVE-2025-53771 (a server spoofing bug).
- CVE-2025-53770: Allows unauthenticated attackers to execute arbitrary code on vulnerable SharePoint servers through deserialization of untrusted data. CVSS score: 9.8/10.
- CVE-2025-53771: Enables server spoofing by bypassing directory (path) restrictions.
On-Premises at Risk:
Only on-premises versions of SharePoint Server are affected. SharePoint Online and Microsoft 365 cloud-hosted environments remain secure.
Attack Impact:
- Complete system compromise
- Unauthorized access to sensitive documents and credentials
- Potential lateral movement to linked apps (Teams, OneDrive, Outlook)
- Persistent, unauthenticated access that could potentially evade future patches
U.S. National Nuclear Security Administration Breached
The NNSA, part of the U.S. Department of Energy, was one of the highest-profile targets. Hackers leveraged the SharePoint bug to access a “small number of systems,” but no classified or sensitive nuclear data was compromised. This limited impact is credited to the agency’s extensive adoption of Microsoft 365 cloud solutions, robust cybersecurity defenses, and quick mitigation actions. All affected systems are reportedly in the process of being restored.
Other U.S. federal and state agencies, universities, and energy companies were also reportedly attacked (via The Verge), with the campaign echoing fears about cyber-espionage and critical infrastructure security.
Who Is Behind the Attacks?
Microsoft’s investigation, corroborated by federal cybersecurity agencies, points to sophisticated groups linked to the Chinese government — notably “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603.” Their operations appear part of broader cyber-espionage efforts targeting not only U.S. government infrastructure but also global organizations, especially those involved in critical sectors.
How Was the Exploit Used?
Hackers exploited the on-premises SharePoint servers through the ToolShell chain, enabling them to:
- Install malicious web shells for persistent access
- Exfiltrate credentials, internal files, and configurations remotely
- Move laterally to other systems interconnected via SharePoint
Initial exploit attempts began in early July and intensified rapidly once exploit code became available online, before Microsoft could roll out a comprehensive fix. Attackers used techniques recognizable from cybersecurity competitions and from proof-of-concept code made public within days of the CVEs being disclosed. Evidence shows dozens of distinct compromise attempts across the government, telecom, and tech sectors since July 7.
Microsoft’s Emergency Response and Patch Details
In direct response to these attacks, Microsoft has:
- Released emergency security updates for SharePoint Server 2019 and Subscription Edition
- Advised immediate patching and additional mitigations:
  - Enable AMSI detection
  - Rotate ASP.NET machine keys
  - Isolate public-facing SharePoint servers
- Communicated that fixes are still in progress for legacy versions, specifically SharePoint Server 2016
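The machine-key rotation step listed above (and the credential and machine-key rotation item in the recommendations that follow) as an added PowerShell example; this is not code from the article or from Microsoft's advisory. It assumes the SharePoint Management Shell cmdlets Get-SPWebApplication, Get-SPFarm and Update-SPMachineKey are available on your server version, and that the emergency security update has already been installed on every server in the farm.

```powershell
# Added example, not from the article: rotate the ASP.NET machine key of every
# SharePoint web application in the farm after the security update is installed.
# Cmdlet names (Get-SPWebApplication, Get-SPFarm, Update-SPMachineKey) are
# assumed from the SharePoint Management Shell; verify them for your version.
# Run once, from an elevated SharePoint Management Shell on one farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$log = Join-Path $env:TEMP ("spmachinekey-rotation-{0}.log" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Record the farm build so the operator can confirm the July 2025 update is
# present before rotating; rotating on an unpatched farm does not close the RCE.
$build = (Get-SPFarm).BuildVersion
"$(Get-Date -Format o) FARM BUILD $build" | Tee-Object -FilePath $log -Append

foreach ($wa in Get-SPWebApplication) {
    try {
        # Generates a new machine key for this web application and deploys it
        # to all servers in the farm (the same operation as Central Administration's
        # "Manage Web Application Machine Key"). Any ViewState or auth tokens
        # signed with the old key, including ones an attacker may hold, stop validating.
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        "$(Get-Date -Format o) ROTATED $($wa.Url)" | Tee-Object -FilePath $log -Append
    }
    catch {
        # Keep going so one failed web application does not leave the rest unrotated.
        "$(Get-Date -Format o) FAILED  $($wa.Url): $($_.Exception.Message)" | Tee-Object -FilePath $log -Append
    }
}

# The new keys are read when the application pools start, so IIS must be
# recycled on every SharePoint server in the farm. This recycles the local
# server only; repeat on the others.
iisreset.exe
Write-Host "Rotation log written to $log"
```

Review the log for any FAILED lines and re-run for those web applications; a web application left on the old key keeps honoring tokens that may already have been forged.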
Microsoft and cybersecurity agencies emphasize that SharePoint Online and Microsoft 365 cloud environments are not vulnerable to these exploits.
Security Recommendations for All SharePoint Users
- Apply all available SharePoint security patches right now, prioritizing on-premises deployments.
- Isolate exposed SharePoint servers from the Internet where feasible.
- Regularly rotate server credentials and machine keys.
- Implement advanced monitoring (AMSI, endpoint security, intrusion detection systems).
Longer-Term Best Practices
- Migrate to Microsoft 365 or cloud-hosted SharePoint where possible, as these versions are more resilient to such attacks.
- Conduct regular security assessments and penetration testing.
- Limit SharePoint integrations to only essential applications and networks.
Industry Impact
The ToolShell exploit has cast a spotlight on ongoing vulnerabilities in self-hosted enterprise collaboration software and highlighted the urgent need for proactive patching and real-time threat intelligence.
Industry reaction includes:
- CISA adding CVE-2025-53770 to its catalog of known exploited vulnerabilities.
- Government and private sector partners accelerating cloud migrations.
- Renewed debate about the risks of centralized, widely deployed platforms for critical functions.
The latest SharePoint zero-day cyberattack represents a wake-up call for organizations managing on-premises servers. While Microsoft and security authorities moved quickly to patch these vulnerabilities, the incident underlines the critical importance of defense-in-depth practices, rapid patch application, and a shift to more secure cloud services wherever possible.
If your organization runs self-hosted Microsoft SharePoint, patch immediately and review incident response procedures.
For continuous Microsoft news and cybersecurity insights, bookmark msftnewsnow.com and subscribe for real-time updates.