U.S. Nuclear Agency Breached via ToolShell SharePoint Vulnerability Chain

A U.S. nuclear agency was among the victims of the SharePoint vulnerability chain, which was exploited to compromise over 54 organizations across the United States, Europe, and Asia.

The National Nuclear Security Administration (NNSA) was breached by hackers exploiting two zero-day vulnerabilities in SharePoint Servers, CVE-2025-53770 and CVE-2025-53771, dubbed ToolShell.

NNSA, part of the Department of Energy, designs, maintains, and dismantles the country’s nuclear warheads, ensuring they are ready for deployment and do not detonate accidentally. It also responds to nuclear emergencies across the United States and, upon request, abroad.

The security flaw affects only on-premises SharePoint servers, not SharePoint Online hosted within a Microsoft 365 tenant. Nevertheless, it highlights the severe cyber risk posed by widely used enterprise software.

Nuclear agency NNSA compromised via ToolShell SharePoint vulnerability chain

An NNSA spokesperson has confirmed that the SharePoint vulnerability chain had affected the Energy Department, and that the nuclear agency was among the impacted branches.

“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,” the spokesperson told Bloomberg. “The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems.”

They added that only a limited number of systems were impacted, and that the nuclear agency was taking immediate measures to mitigate the risk and migrate to other safer offerings.

However, quoting anonymous sources familiar with the matter, the Washington Post reported that the breach did not compromise any classified information.

More government agencies breached via ToolShell SharePoint vulnerability chain

Apart from the nuclear agency, the National Institutes of Health (NIH) was also affected by the zero-day SharePoint vulnerability chain exploit.

Other government agencies breached via ToolShell zero-days include the US Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly.

European and Middle Eastern governments were also compromised via the ToolShell SharePoint vulnerability, suggesting a global cyberespionage campaign.

According to the Dutch cybersecurity firm Eye Security, over 400 SharePoint servers and more than 148 organizations have been compromised via the ToolShell SharePoint vulnerability.

Chinese threat actors attributed to the SharePoint vulnerability chain exploit

Some of the SharePoint vulnerability exploitation targeting government agencies, universities, and other organizations has been attributed to Chinese state-linked threat actors.

Microsoft identified the Chinese-backed advanced persistent threat (APT) groups Linen Typhoon and Violet Typhoon, as well as a third, potentially state-sponsored actor tracked as Storm-2603, exploiting the SharePoint vulnerability chain.

“Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” the tech colossus stated. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing.”

This is hardly the first time the U.S. nuclear agency has been breached by state-linked threat actors from an adversarial nation. In 2019, Russian state-sponsored threat actor APT29, linked to the Russian Foreign Intelligence Service Bureau (SVR), breached the nuclear agency via trojanized SolarWinds updates.

Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) has added the SharePoint vulnerability CVE-2025-53770 to the Known Exploited Vulnerabilities (KEV) Catalog and directed federal organizations to apply recently released emergency security updates immediately.

“Microsoft and CISA tie the intrusion to a SharePoint zero‑day chain: CVE-2025-49704 (remote code execution) and CVE-2025-49706 (spoofing),” noted Nic Adams, Co-Founder and CEO, 0rcus. “Subsequent patch bypasses—CVE-2025-53770 and CVE-2025-53771—forced an additional emergency update.”