A widespread cyberattack campaign exploiting a previously unknown vulnerability in Microsoft SharePoint has breached multiple high-profile targets, including agencies linked to the U.S. nuclear weapons program. Microsoft's Threat Intelligence team has attributed the attacks with high confidence to Chinese state-sponsored hacking groups, citing distinctive tradecraft and infrastructure patterns.
The zero-day vulnerability, tracked as CVE-2025-XXXXX, allows remote code execution through specially crafted requests to SharePoint servers. Attackers leveraged this flaw to establish persistent access in target networks before moving laterally to sensitive systems. The campaign appears focused on intelligence gathering, with victims spanning government agencies, defense contractors, and critical infrastructure operators across North America, Europe, and the Asia-Pacific region.
Microsoft released an emergency out-of-band security update after detecting active exploitation. The company's advisory notes that successful exploitation requires no authentication, making unpatched systems extremely vulnerable. Forensic evidence suggests the attackers maintained network access for weeks in some cases, using sophisticated techniques to evade detection while exfiltrating data.
This incident highlights growing concerns about nation-state actors targeting enterprise collaboration platforms as attack vectors. SharePoint's central role in document management and internal communications makes it a high-value target for cyberespionage operations. Security analysts warn that threat actors may increasingly scrutinize other collaboration tools for similar vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch systems immediately. Private sector organizations handling sensitive government contracts or critical infrastructure operations should prioritize remediation given the attack's geopolitical context and demonstrated impact.