Major Microsoft SharePoint Zero‑Day Hack Hits U.S. Nuclear Security Agency and Hundreds of Organisations


A newly discovered zero-day vulnerability in Microsoft SharePoint Server has been exploited in a widespread cyberattack affecting over 50 organisations—including the U.S. National Nuclear Security Administration (NNSA) and Department of Energy. (Windows Central)

Security researchers report that the exploit—referred to as “ToolShell” (CVE‑2025‑53770 and CVE‑2025‑53771)—has compromised around 100 organisations worldwide, with victims spanning government agencies, universities, energy firms and telecom companies. (Reuters)


How the Attack Works

The attackers exploited a deserialization flaw in on-premises SharePoint Server, enabling unauthenticated remote code execution. Using stolen cryptographic machine keys, they sustained persistent access and moved laterally within networks. (The Hacker News)

Microsoft has confirmed the vulnerability and released out-of-band patches, while urging affected organisations to implement defender tools, enable AMSI integration, or isolate servers if patching is delayed. (WSJ)
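The point a defender should take from the section above is that the two halves of the attack are separate: the deserialization bug is what the patch fixes, but a machine key copied from the server before patching keeps working afterwards, because installing an update does not change the key. The following added example (not code from the article or from Microsoft) models that in a deliberately simplified way: a server that accepts any state blob carrying a valid HMAC under its current key, as ASP.NET-style MAC-protected state does. The `Server` class, the `sign`/`verify` helpers and the token format are assumptions made for illustration and are not the real ViewState format; the example only shows why key rotation, not patching alone, is what revokes access gained through a stolen key.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_LEN = 32  # SHA-256 output length in bytes


def sign(payload: bytes, key: bytes) -> str:
    """Simplified model of a MAC-protected state blob: payload || HMAC-SHA256(key, payload)."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def verify(token: str, key: bytes) -> Optional[bytes]:
    """Return the payload if the tag matches the given key, else None."""
    raw = base64.b64decode(token)
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


class Server:
    """Hypothetical server whose trust in incoming state rests entirely on one machine key."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.patched = False

    def apply_patch(self) -> None:
        # Fixing the deserialization bug leaves the key untouched.
        self.patched = True

    def rotate_key(self) -> None:
        # Generating a fresh key is what actually invalidates old tags.
        self.key = secrets.token_bytes(32)

    def accepts(self, token: str) -> bool:
        return verify(token, self.key) is not None


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through: key copied -> patch applied -> key rotated.

    Returns (accepted_before_patch, accepted_after_patch,
             accepted_after_rotation, fresh_token_accepted_after_rotation).
    """
    server = Server()
    copied_key = server.key  # constructed scenario: key was exfiltrated pre-patch
    old_token = sign(b"state-signed-with-the-copied-key", copied_key)

    before_patch = server.accepts(old_token)
    server.apply_patch()
    after_patch = server.accepts(old_token)      # still trusted: patch did not touch the key
    server.rotate_key()
    after_rotation = server.accepts(old_token)   # now rejected
    fresh_ok = server.accepts(sign(b"legitimate-state", server.key))
    return before_patch, after_patch, after_rotation, fresh_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```

Running `demo()` shows the token minted with the copied key being accepted both before and after the patch and only failing once the key is rotated, which is why incident responders treat rotating machine keys (and then restarting the affected web front ends) as part of the response rather than an optional follow-up to patching.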


Attribution and Threat Profile

Microsoft and federal investigators have attributed the breaches to Chinese-affiliated groups—including Linen Typhoon, Violet Typhoon and Storm‑2603. These groups targeted on-premises SharePoint servers as part of a coordinated espionage operation. (Politico)

Cloud versions of SharePoint (e.g. Microsoft 365 online) are unaffected. Experts warn that organisations must assume compromise has occurred and respond comprehensively—not just patch. (Reuters)


Broader Breach Landscape

Meanwhile, Allianz Life Insurance confirmed a separate July 16 breach of a third-party CRM system, impacting nearly 1.4 million U.S. customers via a social engineering attack. (AP News)

Additionally, the women-focused Tea dating app disclosed the theft of 72,000 user photos—including verified selfie IDs. The breach affected accounts created before February 2024. (Reuters)


Response and Protective Measures

Federal agencies including CISA and DOD Cyber Defense Command are coordinating responses with Microsoft. Organisations are advised to conduct forensic reviews, revoke compromised credentials, and update incident response plans accordingly. (WSJ)

Experts emphasise zero-trust architectures, multi-factor authentication, and proactive threat hunting as central to defending against persistent groups targeting widely used enterprise platforms. (The Hacker News)


What This Means for Organisations

Organisations using on‑premises SharePoint servers must act immediately: apply patches, use endpoint detection tools, and assume breach until confirmed otherwise.

Cloud-first environments remain shielded—but this incident underscores the risks inherent in legacy infrastructure and the critical importance of rapid vulnerability response and threat oversight.

Sources: Windows Central, Reuters, The Hacker News, WSJ, Politico, AP News
