
SharePoint Security Crisis: Over 400 Global Organizations Breached in Major Cyberattack

Prime Highlights

  • More than 400 organizations were hit by zero-day attacks against on-premises Microsoft SharePoint servers.
  • A US nuclear agency is among the victims; the attacks have been attributed to Chinese state-sponsored actors.

Key Facts

  • The vulnerabilities allowed unauthenticated remote code execution and authentication bypass, with no credentials required.
  • The attacks continued even after Microsoft released out-of-band patches.

Key Background

In July 2025, a large-scale cyber attack compromised more than 400 organizations worldwide through vulnerabilities in on-premises Microsoft SharePoint servers. The zero-day vulnerabilities, tracked as CVE-2025-53770 and CVE-2025-53771, allowed unauthenticated attackers to execute code remotely, escalate privileges, and plant backdoors for later access.

The attack was discovered by a Dutch cyber security firm, which identified four waves of exploitation. From an early estimate of 60 organizations, the number of victims grew to more than 400, spanning government agencies, healthcare, finance, telecom, education, and energy. The United States Department of Energy and its National Nuclear Security Administration were directly affected. Although the department reported that damage was minimal and systems were being restored, the attack carried serious national security implications.

Microsoft confirmed the vulnerabilities and published emergency out-of-band patches. Fixes for SharePoint Server 2016 were initially still pending, leaving many organizations exposed in the meantime. The company advised system administrators in plain terms to patch immediately, rotate cryptographic keys, enable antivirus protections, and isolate vulnerable servers from public networks. Experts warned that patching alone might not be enough if attackers had already obtained valid keys that could be used to regain access.

The intrusions have been attributed to Chinese state-sponsored threat actors tracked under names such as Linen Typhoon, Violet Typhoon, and Storm-2603. Microsoft and other security firms concluded that the motive was most likely espionage rather than disruption. The large-scale targeting across multiple continents and industries, however, highlighted the growing risk to organizations that rely on legacy, on-premises infrastructure with weak security controls.

This cyber attack underscores the need for companies to migrate to better-secured cloud services or to re-engineer the security of their existing infrastructure. It also reflects a broader trend of attacks on widely deployed, mission-critical software platforms such as SharePoint in both the public and private sectors. With the threat landscape growing more sophisticated, proactive cyber defense and timely patching are more critical than ever.
