TLDR
- Microsoft’s initial security patch for a critical SharePoint Server vulnerability failed to fully fix the flaw, allowing Chinese hackers to exploit it
- Three China-linked hacking groups compromised about 100 organizations over the weekend, including the U.S. National Nuclear Security Administration
- The vulnerability was first discovered at a Berlin hacking competition in May, where a researcher won $100,000 for finding the “ToolShell” exploit
- More than 8,000 SharePoint servers worldwide remain potentially vulnerable to attack
- Microsoft has since released additional patches that the company says resolve the security issue
Microsoft faces a cybersecurity crisis after Chinese hackers exploited a SharePoint Server vulnerability that the tech giant failed to properly patch. The company’s stock declined 0.94% following news of the widespread attacks.
US NUCLEAR WEAPONS AGENCY BREACHED IN MICROSOFT SHAREPOINT HACK
— zerohedge (@zerohedge) July 23, 2025
The security flaw was first identified in May at a Berlin hacking competition organized by Trend Micro. A researcher from Viettel’s cybersecurity division discovered the vulnerability, dubbed “ToolShell,” and won $100,000 for the finding.

Microsoft released what it believed was a fix on July 8, listing the bug as a critical vulnerability. However, the initial patch did not fully resolve the security weakness. This opened the door for hackers to launch attacks against unpatched systems just days later.
Over the weekend, cybersecurity firms detected a surge in malicious activity targeting SharePoint servers. Microsoft confirmed that three China-linked hacking groups were behind the attacks, compromising approximately 100 organizations worldwide.
The Hacking Groups Behind the Attacks
The attackers include two well-known Chinese government-linked groups. Linen Typhoon, also called APT27, has operated since 2012 and focuses on stealing intellectual property from government and defense organizations. Earlier this year, federal prosecutors indicted two Chinese nationals with alleged ties to this group.
Violet Typhoon, known as APT31, specializes in espionage targeting higher education, media, and finance sectors. Seven members of this group were indicted last year on hacking and wire fraud charges.
The third group, Storm-2603, is believed to be China-based but has not been linked to other known threat organizations. Microsoft warned that with the rapid adoption of these exploits, threat actors will likely continue targeting unpatched SharePoint systems.
Scale of the Vulnerability
The potential scope of the attack is massive. Data from the search engine Shodan shows more than 8,000 SharePoint servers exposed to the internet that hackers could theoretically compromise. The Shadowserver Foundation puts the number of vulnerable systems at over 9,000.
These servers belong to auditors, banks, healthcare companies, major industrial firms, and government bodies. Most affected systems are located in the United States and Germany.
The U.S. National Nuclear Security Administration was among the agencies breached, according to Bloomberg News. However, no sensitive or classified information is believed to have been compromised.
German authorities reported finding no compromised SharePoint servers in government networks, despite some being vulnerable to the ToolShell attack. The country’s Federal Office for Information Security conducted scans following the disclosure.
Microsoft has urged customers to apply the latest security patches immediately. The company released additional updates after confirming its initial fix was inadequate. A Microsoft spokesperson confirmed that the newer patches resolve the security issue.
SharePoint Server is the on-premises version of Microsoft’s collaboration platform, separate from the cloud-based SharePoint Online included in Microsoft 365. Organizations host SharePoint Server on their own infrastructure, making them responsible for applying security updates.
Cybersecurity firms warned that threat actors developed exploits that appear to bypass the original patches. British firm Sophos noted an influx of malicious activity targeting SharePoint servers about 10 days after Microsoft’s initial security update.
The Chinese embassy in Washington denied involvement in the hacking operations. In an emailed statement, officials said China opposed all forms of cyberattacks and criticized “smearing others without solid evidence.”
Trend Micro, which organized the hacking competition where the vulnerability was discovered, said patches occasionally fail. The company noted this has happened with SharePoint before and emphasized that participating vendors are responsible for patching flaws in an effective and timely manner.
Microsoft assessed with high confidence that threat actors will continue integrating these exploits into attacks against unpatched systems. The company’s threat intelligence team continues monitoring the situation as more organizations potentially face compromise.