US agency overseeing nuclear weapons breached in Microsoft SharePoint attack
The National Nuclear Security Administration is one of over 50 organizations affected by attacks centered around zero-day SharePoint vulnerabilities.
This is a developing story, and we will update it with more information as it becomes available.
The Microsoft SharePoint vulnerability known as "ToolShell" is the center of global attacks across United States federal and state agencies. Universities, energy companies, and an Asian telecommunications company have also been attacked.
In total, more than 50 organizations have been affected by a pair of recently discovered zero-day vulnerabilities. Among those organizations are the National Nuclear Security Administration (NNSA) and the Energy Department.
The NNSA is a semiautonomous arm of the Energy Department. Among other broad-ranging responsibilities, the NNSA produces and dismantles nuclear arms. The agency is also involved in counterterrorism efforts and the transportation of nuclear weapons.
According to a person with knowledge of the situation who spoke with Bloomberg, no sensitive or classified information is known to have been compromised in the attack.
The Energy Department shared the following statement with Bloomberg:
“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy. The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored.”
Microsoft shared additional details about the attack in a security blog post. The tech giant confirmed that it observed two named Chinese nation-state actors exploiting the SharePoint vulnerabilities.
All the latest news, reviews, and guides for Windows and Xbox diehards.
The actors, Linen Typhoon and Violet Typhoon, targeted internet-facing SharePoint servers.
The vulnerabilities, labeled CVE-2025-53770 and CVE-2025-53771, affect on-premises servers, meaning cloud-based servers are unaffected.
Microsoft has issued out-of-band security updates to address the vulnerabilities.
Bloomberg noted that the full extent of the damage is not clear at this time.
Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, called the attacks "an urgent and active threat," noting that the vulnerabilities place thousands of organizations at risk.
Microsoft has released security updates to all supported versions of SharePoint, but those updates now need to be applied. The tech giant also shared guidance for customers using SharePoint Server.

Sean Endicott is a News Writer at Windows Central, where he covers Windows 11, Surface hardware, Microsoft 365, AI, apps, and the broader PC ecosystem. Since joining the site in 2017, he has written well over a thousand articles across the Microsoft landscape, covering breaking news, analysis, and feature reporting.
He writes Windows Wrap, a weekly column covering the biggest stories in Windows and the PC industry, and what they mean for the platform going forward.
Before joining Windows Central full-time, Sean worked in journalism and media production after earning a First Class degree in Broadcast Journalism from Nottingham Trent University. Outside of tech, he is an award-winning American football coach based in Nottingham, England, and was named BAFCA Youth Coach of the Year in 2024.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
