US nuclear weapons oversight body hit by security breach through Microsoft SharePoint intrusion.
The ongoing "ToolShell" vulnerability, tracked as CVE-2025-53770 and CVE-2025-53771, is an actively exploited zero-day flaw affecting on-premises SharePoint Server environments worldwide. The exploit chain achieves remote code execution through unsafe deserialization in SharePoint, potentially granting attackers unauthorized access to enterprise servers[1][2][4].
First observed in the wild on July 17, 2025, before Microsoft's official advisory on July 19, the exploit has been detected in multiple attack clusters, indicating ongoing active campaigns targeting vulnerable SharePoint installations[1][4]. Microsoft released emergency patches on July 8, 2025, for SharePoint Subscription Edition and SharePoint Server 2019, with updates scheduled for 2016[1][2]. Despite patches, exploitation has rapidly followed, with public proof-of-concept code leaking mid-July[1][2][4].
Notably, Microsoft SharePoint Online (cloud SaaS version) in Microsoft 365 is not impacted. However, self-managed SharePoint servers deployed on cloud platforms like Azure, AWS, or GCP remain vulnerable. Around 9% of cloud environments reportedly run vulnerable SharePoint versions, amplifying the risk[2].
The Cybersecurity and Infrastructure Security Agency (CISA) added ToolShell (CVE-2025-53770) to its Known Exploited Vulnerabilities Catalog on July 20, 2025, reflecting significant concerns for federal agencies and the broader US federal enterprise[3]. This triggers mandatory remediation requirements under Binding Operational Directive 22-01 for Federal Civilian Executive Branch agencies, including large government entities.
Regarding the National Nuclear Security Administration (NNSA) and the Department of Energy, public disclosures do not explicitly confirm compromises or incidents at these agencies. They nonetheless fall within the federal enterprise scope for which CISA strongly urges urgent mitigation, given their critical national security roles[3]. Because of the high value and sensitivity of their systems, a compromised SharePoint server would be a significant risk vector.
Immediate patching of all on-premises SharePoint servers to the latest security updates is strongly recommended. Federal agencies including NNSA and Energy Department entities are expected to prioritize remediation according to CISA directives to reduce the exposure to ongoing exploitation[3].
Microsoft has released security updates to all supported versions of SharePoint, and the company also shared guidance for customers using SharePoint Server. While the full extent of the damage is not clear at this time, more than 50 organizations have been affected by these attacks[5]. No sensitive or classified information is known to have been compromised in the attack, according to a source with knowledge of the situation. The actors, Linen Typhoon and Violet Typhoon, targeted internet-facing SharePoint servers.
The Energy Department was minimally impacted by the attack due to its widespread use of the Microsoft 365 cloud and robust cybersecurity systems. The NNSA, a semiautonomous arm of the Energy Department, is one of the affected organizations. Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, called the attacks "an urgent and active threat."
[1] Microsoft Security Response Center - Microsoft SharePoint Server Security Advisory (ADV220008)
[2] ZDNet - Microsoft issues emergency patches for SharePoint zero-day vulnerability
[3] Cybersecurity and Infrastructure Security Agency (CISA) - Known Exploited Vulnerabilities Catalog
[4] Check Point Research - ToolShell: A new SharePoint zero-day vulnerability under active attacks
[5] Bloomberg - Microsoft SharePoint Vulnerability Under Active Attack, Affecting Thousands of Organizations, Report Says
- The ToolShell vulnerability, currently exploited in SharePoint Server environments, allows remote code execution through unsafe deserialization.
- Despite Microsoft releasing emergency patches on July 8, 2025, for SharePoint Subscription Edition and SharePoint Server 2019, exploitation has persisted.
- Public proof-of-concept code for this vulnerability was leaked mid-July, accelerating the rate of exploitation.
- Self-managed SharePoint servers deployed on cloud platforms like Azure, AWS, or GCP remain vulnerable, with reportedly 9% of cloud environments running vulnerable SharePoint versions.
- The Cybersecurity and Infrastructure Security Agency (CISA) added ToolShell to its Known Exploited Vulnerabilities Catalog, triggering mandatory remediation requirements for federal agencies.
- Agencies such as the National Nuclear Security Administration (NNSA) and the Department of Energy are strongly encouraged to apply urgent mitigations due to their critical national security roles.
- Federal agencies and organizations affected by these attacks are advised to prioritize the patching of on-premises SharePoint servers to the latest security updates, as the full extent of the damage remains unclear.