A widespread cyber-espionage campaign exploiting critical vulnerabilities in on-premises Microsoft SharePoint servers has compromised at least 396 organizations globally, with the United States the most heavily hit. The attacks, linked to Chinese state-sponsored hacking groups, have reached government agencies, critical infrastructure operators and private enterprises worldwide, underscoring the escalating threat to self-hosted software systems.
Initial reports from Dutch cybersecurity firm Eye Security, which first identified the ongoing attacks, put the count at around 100 victims. Follow-up scans have since revealed the true scale of the breach, with the number of compromised systems nearly quadrupling in just over a week. Researchers warn that the actual figure could be significantly higher, because scan-based counts only find servers on which the attackers left detectable artifacts, and not every intrusion does.
The campaign leverages two zero-day vulnerabilities in on-premises SharePoint Server (2016, 2019 and Subscription Edition): CVE-2025-53770, a deserialization flaw that gives unauthenticated remote code execution, and CVE-2025-53771, a spoofing bug that lets the exploit reach the vulnerable code path. Together they bypass the fixes Microsoft shipped in July for CVE-2025-49704 and CVE-2025-49706. Successful exploitation gives attackers full control of the server, which they have used to read the server's ASP.NET machine keys (the ValidationKey and DecryptionKey), install backdoors and maintain access even after patching: with the keys in hand they can forge validly signed __VIEWSTATE payloads that a patched server still accepts until the keys are rotated. Microsoft has explicitly stated that its cloud-based SharePoint Online service is not affected by these vulnerabilities.
Among the high-profile victims in the US are federal agencies, including the National Nuclear Security Administration (NNSA) and the Departments of Energy, Homeland Security, and Health and Human Services. While officials have stated that no sensitive or classified information is known to have been compromised in the NNSA breach, the incident highlights the severe risk these vulnerabilities pose to national security. Other affected entities include the US Education Department, Florida's Department of Revenue, and the Rhode Island General Assembly.
Microsoft has attributed a significant portion of the hacking activity to three China-linked groups: Linen Typhoon and Violet Typhoon, which focus on intellectual property theft and espionage, and Storm-2603, which has more recently moved to ransomware deployment. Microsoft ties the latest wave, in which "Warlock" ransomware is dropped to paralyze networks and extort cryptocurrency payments, to Storm-2603.
In response to the escalating crisis, Microsoft has released emergency patches for all three supported on-premises versions and urged affected organizations to apply them immediately. The Cybersecurity and Infrastructure Security Agency (CISA) has also added the vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate their systems without delay. Patching alone is not enough, however, because it does not invalidate keys already stolen: experts emphasize that organizations must rotate the ASP.NET machine keys on every affected server and restart IIS afterwards, enable Antimalware Scan Interface (AMSI) integration (in Full Mode, alongside Microsoft Defender Antivirus) so that malicious requests are inspected before SharePoint processes them, and hunt for dropped web shells and unexpected requests to the server's layout pages in order to detect and eradicate any persistent access.
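The mechanism described above (stolen machine keys outlive the patch) and the remediation steps in this paragraph, as an added PowerShell example that is not part of the article and not Eye Security's or Microsoft's code. It hunts for the two indicators Microsoft published for this campaign (POST requests to ToolPane.aspx carrying a SignOut.aspx referer, and the spinstall0.aspx web shell dropped under LAYOUTS) and, when run with -RotateKeys after patching, regenerates the machine keys. It assumes default IIS W3C logging with a #Fields header, the SharePoint "16" hive path, and that the SharePoint PowerShell snap-in with Microsoft's Update-SPMachineKey cmdlet is present (the cmdlet exists only on versions that ship it; a farm without it needs the manual rotation procedure). The embedded log lines and IP addresses are constructed sample data, not captured traffic.

```powershell
<#
 Added example for this article; not code from the article, Eye Security or Microsoft.
 Hunts for the published ToolShell indicators in IIS logs and the LAYOUTS folder, and
 optionally rotates the ASP.NET machine keys that patching alone does not invalidate.
 Assumptions: IIS W3C logs with a #Fields header, the SharePoint "16" hive path, and the
 SharePoint snap-in (Update-SPMachineKey) being available when -RotateKeys is used.
#>
param(
    [string]$LogDir = 'C:\inetpub\logs\LogFiles',
    [string]$LayoutsRoot = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    [switch]$RotateKeys
)

# Constructed sample log (not a real capture), used when no IIS logs are found so the
# parsing logic can be exercised offline. The POST and the spinstall0 line should be flagged.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 01:02:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.0.9 Mozilla/5.0 - 200 0 0 15
2025-07-19 01:02:08 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 41
2025-07-19 01:02:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 3
'@

function Find-ToolShellRequests {
    # Parse W3C lines by their #Fields header so the column order does not have to be fixed.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) { $rec[$fields[$i]] = $parts[$i] }

        $stem = $rec['cs-uri-stem']; $ref = $rec['cs(Referer)']
        # Indicator 1: the exploit request shape seen in the wild (POST to ToolPane.aspx, SignOut referer).
        $toolPane = ($rec['cs-method'] -eq 'POST') -and ($stem -match '/ToolPane\.aspx$') -and ($ref -match 'SignOut\.aspx')
        # Indicator 2: any request to the dropped web shell (spinstall0.aspx and numbered variants).
        $shell = $stem -match '/spinstall\d*\.aspx$'
        if ($toolPane -or $shell) {
            [pscustomobject]@{
                Time    = "$($rec['date']) $($rec['time'])"
                Client  = $rec['c-ip']
                Request = "$($rec['cs-method']) $stem"
                Referer = $ref
                Reason  = $(if ($toolPane) { 'ToolPane POST with SignOut referer' } else { 'spinstall web shell access' })
            }
        }
    }
}

function Find-DroppedWebShells {
    # Search the LAYOUTS hive and its subfolders for the web shell filename family.
    param([string]$Root)
    if (Test-Path $Root) {
        Get-ChildItem -Path $Root -Filter 'spinstall*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime, Length
    }
}

function Invoke-MachineKeyRotation {
    # Regenerates ValidationKey/DecryptionKey for every web application (Central Admin included),
    # then restarts IIS so the new keys are loaded. Run only after the security update is installed.
    if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    }
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine keys for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset.exe
}

$logLines = Get-ChildItem -Path $LogDir -Filter '*.log' -Recurse -File -ErrorAction SilentlyContinue | Get-Content
if (-not $logLines) {
    Write-Warning "No IIS logs under $LogDir; scanning the constructed sample log instead."
    $logLines = $SampleLog -split "`r?`n"
}

$hits = @(Find-ToolShellRequests -Lines $logLines)
Write-Host "Suspicious requests: $($hits.Count)"
$hits | Format-Table -AutoSize

$shells = @(Find-DroppedWebShells -Root $LayoutsRoot)
Write-Host "Web shell files found: $($shells.Count)"
$shells | Format-Table -AutoSize

if ($RotateKeys) {
    Invoke-MachineKeyRotation
} elseif ($hits.Count -gt 0 -or $shells.Count -gt 0) {
    Write-Warning 'Indicators present: treat the machine keys as stolen and rerun with -RotateKeys once patched.'
}
```

Run it as a farm administrator on each SharePoint server; against the sample log it reports two suspicious requests from 203.0.113.7. A hit on either indicator means the keys must be treated as stolen regardless of whether the server has since been patched, which is why rotation is a separate, explicit step. Enabling AMSI Full Mode is a farm setting made in Central Administration and is deliberately not scripted here.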
The incident serves as a stark reminder for organizations to re-evaluate their risk calculus regarding on-premises solutions and consider transitioning to cloud-based services where appropriate, or to implement robust cybersecurity measures for their self-hosted environments. The global nature and severity of this attack underscore the continuous need for vigilance and proactive security postures in an increasingly complex cyber landscape.