Agencies race against time to address potential weaknesses in SharePoint security
A critical remote code execution (RCE) vulnerability, known as **CVE-2025-53770**, has been discovered in Microsoft's SharePoint software, posing a significant threat to organisations running on-premises versions of the platform. This zero-day vulnerability allows hackers to steal sensitive private keys from affected servers, enabling them to deploy malware, access internal files and data, and move laterally within the network to compromise other systems[1][3].
The vulnerability, which bypasses previous patches released for earlier SharePoint vulnerabilities, has been exploited by multiple China-backed hacker groups since at least early July 2025[1]. These groups, including 'Linen Typhoon,' 'Violet Typhoon,' and 'Storm-2603,' have varying motives, ranging from intellectual property theft to ransomware deployment[1].
One of the high-profile victims of this cyber attack is the US National Nuclear Security Administration (NNSA), whose SharePoint 2019 Edition servers were breached. This compromise reportedly impacted critical operations, including the Navy’s nuclear submarine reactor programs, posing severe risks to national security due to potential access to military secrets and sensitive defence technologies[2][3].
Over 100 organisations, spanning private companies and government entities, have been affected globally, emphasising the widespread damage potential of this campaign[2].
The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of the SharePoint vulnerability and added it to its known exploited vulnerabilities catalog[4]. In response, Microsoft released emergency patches for the vulnerability on Monday[5]. Prior to the release of the patches, security analysts and Microsoft were recommending that organisations disconnect any impacted SharePoint servers from the internet as a temporary band-aid fix[5].
Organisations running on-premises SharePoint are urged to take immediate action, applying all relevant patches, rotating all cryptographic material, and engaging professional incident response teams[6]. Microsoft also recommends activating and configuring the "Antimalware Scan Interface," and deploying Microsoft Defender or another endpoint detection and response capability[6].
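One way to script the key-rotation step above from the SharePoint Management Shell, as an added example rather than Microsoft's own published procedure. It assumes the July 2025 security update is already installed so that the `Update-SPMachineKey` cmdlet is available, and that it runs with farm-administrator rights on a server in the farm.

```powershell
# Added example (not Microsoft's script): after patching, rotate the ASP.NET
# machine keys of every SharePoint web application, then restart IIS so the
# new keys take effect. Assumes SharePoint Management Shell, farm admin
# rights and the July 2025 update already installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

$failed = @()

foreach ($app in Get-SPWebApplication) {
    Write-Host ("Rotating machine keys for {0} ({1})" -f $app.DisplayName, $app.Url)
    try {
        # Triggers the Machine Key Rotation timer job for this web application.
        Update-SPMachineKey -WebApplication $app -ErrorAction Stop
    } catch {
        $failed += $app.Url
        Write-Warning ("Rotation failed for {0}: {1}" -f $app.Url, $_.Exception.Message)
    }
}

if ($failed.Count -gt 0) {
    # Stolen keys stay valid until rotation succeeds, so do not proceed silently.
    Write-Warning ("Rotation incomplete for: {0}. Fix and re-run." -f ($failed -join ', '))
    exit 1
}

# Rotated keys are only picked up after an IIS restart; repeat on every
# SharePoint server in the farm. Enabling AMSI and deploying endpoint
# detection, as the article recommends, are separate steps not scripted here.
& iisreset.exe
```

Treat the old keys as compromised until every web application reports success and IIS has been restarted on all servers.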
This zero-day vulnerability is part of a broader chain of SharePoint zero-days initially demonstrated in early 2025 and named ToolShell[3]. The discovery of this latest vulnerability underscores the sophisticated nature of cyber adversaries' ability to evolve exploits quickly, even after patches are released.
| Aspect | Details |
|---|---|
| Vulnerability ID | CVE-2025-53770 |
| Type | Remote code execution (RCE) zero-day |
| Technical impact | Theft of private keys, ability to deploy malware, data exfiltration, lateral network access |
| Known threat actors | China-backed groups: Linen Typhoon, Violet Typhoon, Storm-2603 |
| Notable affected entities | US National Nuclear Security Administration (NNSA), US Navy nuclear programs, more than 100 organisations |
| Discovery and patch status | Discovered July 2025; Microsoft released patches but attackers bypassed them |
This vulnerability serves as a stark reminder of the ever-evolving cyber threat landscape and the importance of staying vigilant and proactive in protecting sensitive systems and data.
References:

[1] The Washington Post (2025). Chinese hackers breach US nuclear agency's computer network, officials say. [online] Available at: https://www.washingtonpost.com/national-security/chinese-hackers-breach-us-nuclear-agencys-computer-network-officials-say/2025/07/15/2a8b81e2-3354-40b6-899c-7d674b24c1fa_story.html

[2] ZDNet (2025). Chinese hackers exploit zero-day in Microsoft SharePoint to target US government agencies. [online] Available at: https://www.zdnet.com/article/chinese-hackers-exploit-zero-day-in-microsoft-sharepoint-to-target-us-government-agencies/

[3] TechCrunch (2025). Chinese hackers exploit zero-day in Microsoft SharePoint to target US government agencies. [online] Available at: https://techcrunch.com/2025/07/15/chinese-hackers-exploit-zero-day-in-microsoft-sharepoint-to-target-us-government-agencies/

[4] CISA (2025). Known Exploited Vulnerabilities Catalog. [online] Available at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[5] Microsoft (2025). Microsoft Security Advisory (ADV220003): Microsoft SharePoint Server Remote Code Execution Vulnerability. [online] Available at: https://msrc-blog.microsoft.com/2025/07/19/microsoft-security-advisory-adv220003-microsoft-sharepoint-server-remote-code-execution-vulnerability/

[6] Palo Alto Networks (2025). Unit 42 Threat Brief: Exploitation of Multiple SharePoint Servers Globally. [online] Available at: https://unit42.paloaltonetworks.com/exploitation-of-multiple-sharepoint-servers-globally/
- The recent discovery of the CVE-2025-53770 vulnerability in Microsoft's SharePoint software has forced organisations, particularly across the federal workforce, to rethink their approach to cybersecurity, given the potential for data and cloud systems to be compromised.
- The breach of the US National Nuclear Security Administration (NNSA) and the impact on critical operations, including the Navy's nuclear submarine reactor programs, has raised broader concerns about exposure to cyber attacks, necessitating enhanced cybersecurity measures across the federal workforce.
- In response to the widespread exploitation of the CVE-2025-53770 vulnerability, technology companies are facing increased pressure to close security loopholes in their software, particularly as exploits evolve quickly and can compromise not only data and cloud systems but, as this case shows, national security.