US agency overseeing nuclear weapons breached in Microsoft SharePoint attack

News
By published

The National Nuclear Security Administration is one of over 50 organizations affected by attacks centered around zero-day SharePoint vulnerabilities.

A binary code and Microsoft logo are seen in this multiple exposure illustration photo.
Microsoft confirmed SharePoint vulnerabilities were exploited in recent cyberattacks. (Image credit: Getty Images | NurPhoto)
Disclaimer

This is a developing story, and we will update it with more information as it becomes available.

The Microsoft SharePoint vulnerability known as "ToolShell" is the center of global attacks across United States federal and state agencies. Universities, energy companies, and an Asian telecommunications company have also been attacked.

In total, more than 50 organizations have been affected by a pair of recently discovered zero-day vulnerabilities. Among those organizations are the National Nuclear Security Administration (NNSA) and the Energy Department.

The NNSA is a semiautonomous arm of the Energy Department. Among other broad-ranging responsibilities, the NNSA produces and dismantles nuclear arms. The agency is also involved in counterterrorism efforts and the transportation of nuclear weapons.

According to a person with knowledge of the situation who spoke with Bloomberg, no sensitive or classified information is known to have been compromised in the attack.

The Energy Department shared the following statement with Bloomberg:

“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy. The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored.”

Microsoft shared additional details about the attack in a security blog post. The tech giant confirmed that it observed two named Chinese nation-state actors exploiting the SharePoint vulnerabilities.

The actors, Linen Typhoon and Violet Typhoon, targeted internet-facing SharePoint servers.

The vulnerabilities, labeled CVE-2025-53770 and CVE-2025-53771, affect on-premises servers, meaning cloud-based servers are unaffected.

Microsoft has issued out-of-band security updates to address the vulnerabilities.

Bloomberg noted that the full extent of the damage is not clear at this time.

Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, called the attacks "an urgent and active threat," noting that the vulnerabilities place thousands of organizations at risk.

Microsoft has released security updates to all supported versions of SharePoint, but those updates now need to be applied. The tech giant also shared guidance for customers using SharePoint Server.

TOPICS
Sean Endicott
Sean Endicott
News Writer and apps editor

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 930, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.