The U.S. National Nuclear Security Administration (NNSA), the agency responsible for overseeing America’s nuclear weapons stockpile, was among several government institutions recently targeted in a widespread cyberattack that exploited critical vulnerabilities in Microsoft’s on-premises SharePoint software.
The breach, which officials have linked to China-based state-sponsored threat actors, was part of a broader campaign now being referred to as the “Microsoft SharePoint Frenzy.” The coordinated operation exploited newly discovered zero-day vulnerabilities to infiltrate sensitive — though reportedly non-classified — government systems.
Details of the Exploit
According to cybersecurity sources, the attackers exploited two previously unknown vulnerabilities, now tracked as CVE-2025-49704 and CVE-2025-49706, in Microsoft’s on-premises SharePoint server software. These flaws enabled unauthorized access and, in some cases, allowed the extraction of credentials and other sensitive information.
The impact was not limited to federal systems. In addition to the Department of Energy (DOE), which oversees the NNSA, the Department of Education, the Florida Department of Revenue, and the Rhode Island General Assembly were also affected. However, officials confirmed that no classified data or nuclear weapons information was compromised, as segmented networks and strict internal controls prevented lateral movement into secured environments.
“The cloud-based version of SharePoint remains unaffected,” Microsoft stated in a disclosure. “Only on-premises deployments are vulnerable. Organizations are strongly encouraged to apply available patches immediately.”
Attribution and Response
Microsoft threat intelligence teams attributed the intrusions to multiple Chinese state-aligned cyber groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. These advanced persistent threat (APT) actors have a documented history of targeting U.S. critical infrastructure and national security systems.
While the Chinese government has denied involvement, U.S. intelligence agencies maintain “high confidence” in the attribution, citing the sophisticated nature of the campaign and its alignment with strategic espionage goals.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on July 21, requiring all federal agencies using vulnerable SharePoint systems to apply mitigation measures no later than July 23. Agencies were also ordered to conduct forensic audits and report any signs of compromise.
Limited Impact at NNSA
Officials at the Department of Energy reassured lawmakers and the public that robust cybersecurity protocols and the limited use of on-premises software reduced the scope of the intrusion. Systems housing classified and nuclear-sensitive data are reportedly isolated from business networks and were not affected by the breach.
“This incident underscores the importance of segmentation, rapid patch management, and modernizing legacy IT environments,” said a senior DOE official. “The response was swift, and no operational disruption has occurred.”