National Nuclear Security Administration Systems Compromised in SharePoint Cyberattack

A recent global cyberattack has targeted critical vulnerabilities in Microsoft’s on-premises SharePoint software, affecting multiple U.S. government agencies, including the National Institutes of Health (NIH) and the National Nuclear Security Administration (NNSA).

The breaches were first reported around Friday, July 18, prompting swift action from the impacted organizations and a robust response from Microsoft, which has linked the attacks to state-sponsored groups from China.

The NNSA, responsible for overseeing the nation’s nuclear arsenal, confirmed a breach but indicated that only a “very small number of systems” were compromised. Importantly, due to the agency’s extensive deployment of Microsoft M365 cloud services and robust cybersecurity measures, no classified information was believed to be at risk, as reported by various news outlets.

The agency stated, “A very small number of systems were impacted. All affected systems are being restored.” Similarly, NIH reported that one of its SharePoint servers was involved in the breach, leading to eight servers being disconnected as a precaution. While one server was compromised, there is currently no evidence of any sensitive information being extracted.

Additionally, reports indicate that the California Independent System Operator, which oversees much of California’s electric grid, was targeted as well. While it has not confirmed any damage, the organization has taken immediate steps to mitigate the threat, assuring there has been no impact on grid reliability.

The attacks exploit zero-day vulnerabilities identified as CVE-2025-49706, CVE-2025-49704, and a variant, CVE-2025-53770. These vulnerabilities permit network spoofing and remote code execution, giving unauthorized users extensive access to SharePoint content, including file directories and internal configurations. Importantly, these flaws affect on-premises SharePoint installations rather than Microsoft’s cloud-based SharePoint Online platform.

Microsoft has identified three distinct hacking groups: “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603,” all believed to have affiliations with the Chinese government. These groups are known for targeting entities within government, business, and educational sectors worldwide. The FBI and other relevant authorities are currently investigating the full extent of these breaches.

This incident raises significant concerns about Microsoft’s security protocols, given previous criticism regarding vulnerabilities within its core products. The Cybersecurity and Infrastructure Security Agency (CISA) is also under scrutiny, particularly as it faces budgetary constraints and high employee turnover, possibly hindering timely warnings to state and local entities. This situation accentuates the need for robust cybersecurity measures against increasingly sophisticated cyber threats.
