
Global SharePoint Zero-Day Fallout: US Nuclear Agency Breached Amid 400+ Victims

AI-generated image for: Global fallout from the SharePoint zero-day: US nuclear agency compromised among 400 victims

A coordinated cyberattack exploiting previously unknown vulnerabilities in Microsoft SharePoint has compromised over 400 organizations worldwide, with the US National Nuclear Security Administration (NNSA) emerging as one of the highest-profile victims. The attacks, which began in mid-July 2025, leveraged three zero-day flaws to gain unauthorized access to sensitive documents and system credentials across government agencies and private sector entities.

Microsoft's security team confirmed that threat actors, believed to be Chinese state-sponsored groups according to attribution analysis, exploited a vulnerability chain including one dubbed 'ToolShell' (CVE-2025-32891) that allowed remote code execution through specially crafted API requests. Two additional flaws in SharePoint's authentication mechanisms (CVE-2025-32892 and CVE-2025-32893) were used to escalate privileges and maintain persistence.

The NNSA breach, while not compromising nuclear weapon systems directly, exposed sensitive administrative documents and personnel records. Security analysts note the attacks followed a pattern of targeting SharePoint instances that hadn't implemented multi-factor authentication, with compromised servers then used to pivot into connected cloud resources.

Microsoft released emergency patches on July 22, though security teams warn that many organizations remain vulnerable due to the manual update requirements for SharePoint servers. The company's Threat Intelligence team observed the attackers exfiltrating data including email archives, contract documents, and credential hashes from victim networks.

Cybersecurity experts recommend:

  1. Immediate patching of all SharePoint servers
  2. Review of all API integrations and custom tools
  3. Forensic analysis for signs of lateral movement
  4. Credential rotation for all potentially exposed accounts
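The third recommendation, forensic analysis for signs of lateral movement, usually starts with the web server logs on the SharePoint hosts themselves. The following is an added example written for this article, not code from Microsoft or from the article's sources. It parses IIS W3C logs and flags source addresses that issue repeated successful POST requests to SharePoint service paths (`/_api/`, `/_vti_bin/`, `/_layouts/`) from a non-browser client, which matches the "crafted API requests" pattern the article describes in general terms. The log lines, thresholds and the browser-versus-tool user-agent split are constructed assumptions for illustration, not indicators published for this campaign.

```python
"""Triage IIS W3C logs from a SharePoint server for unusual API activity.

Added example (not from the article or Microsoft). The log sample, paths,
thresholds and heuristics below are constructed assumptions for illustration.
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in IIS W3C format. IIS replaces spaces in the
# User-Agent with '+', and "-" means an anonymous request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:11:03 10.0.0.5 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\alice 10.0.1.22 Mozilla/5.0+(Windows+NT+10.0)+Chrome/126.0 200
2025-07-19 02:11:09 10.0.0.5 POST /_api/web/lists - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 02:11:10 10.0.0.5 POST /_api/web/lists - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 02:11:12 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 02:11:15 10.0.0.5 POST /_layouts/15/upload.aspx - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-19 02:12:01 10.0.0.5 POST /_api/contextinfo - 443 CORP\\bob 10.0.1.40 Mozilla/5.0+(Windows+NT+10.0)+Edge/126.0 200
2025-07-19 02:12:44 10.0.0.5 POST /_api/web/lists - 443 - 198.51.100.9 curl/8.4 401
"""

# SharePoint service paths that legitimate browser sessions hit too, so a
# single request means nothing; repeated tool-driven POSTs are what we count.
API_PREFIXES = ("/_api/", "/_vti_bin/", "/_layouts/")


def parse_iis_log(text):
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        if fields is None:
            raise ValueError("data line appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def find_suspicious_sources(records, min_posts=3, api_prefixes=API_PREFIXES):
    """Return {client_ip: stats} for IPs with >= min_posts successful,
    non-browser POSTs to SharePoint service paths.

    The 'Mozilla/' test is a crude triage filter (tooling can spoof a browser
    UA), so treat the output as a starting point for analyst review.
    """
    per_ip = defaultdict(lambda: {"posts": 0, "anonymous": 0, "paths": set()})
    for r in records:
        if r.get("cs-method") != "POST":
            continue
        if not r.get("sc-status", "").startswith("2"):
            continue  # only requests the server actually accepted
        path = unquote(r.get("cs-uri-stem", "")).lower()
        if not path.startswith(api_prefixes):
            continue
        if r.get("cs(User-Agent)", "").lower().startswith("mozilla/"):
            continue  # browser-like client; not the pattern we are counting
        stats = per_ip[r.get("c-ip", "?")]
        stats["posts"] += 1
        if r.get("cs-username", "-") == "-":
            stats["anonymous"] += 1  # accepted API POST with no identity
        stats["paths"].add(path)
    return {
        ip: {"posts": s["posts"], "anonymous": s["anonymous"],
             "paths": sorted(s["paths"])}
        for ip, s in per_ip.items() if s["posts"] >= min_posts
    }


if __name__ == "__main__":
    for ip, stats in find_suspicious_sources(parse_iis_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['posts']} API POSTs "
              f"({stats['anonymous']} anonymous) to {', '.join(stats['paths'])}")
```

On the constructed sample only `203.0.113.7` is reported: four accepted, unauthenticated POSTs to three different service paths from a scripted client, while the browser session for `bob` and the rejected (`401`) request from `198.51.100.9` are ignored. Flagged addresses are then the ones to correlate against the credential-rotation list in step 4 and against sign-ins to the connected cloud resources the article mentions.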

The scale of the attack underscores growing concerns about enterprise collaboration platforms becoming high-value targets for advanced persistent threats, particularly when nation-state actors are involved.
