Cybercriminals exploited critical vulnerabilities in Microsoft SharePoint servers to breach multiple U.S. federal agencies, including the Department of Homeland Security, Health and Human Services, and the National Institutes of Health, according to federal cybersecurity officials.
The attack compromised on-premises SharePoint file sharing servers through remote code execution, and the Defense Intelligence Agency experienced several hours of service downtime during the incident.
The vulnerabilities, designated CVE-2025-49706 and CVE-2025-49704, affected on-premises SharePoint servers and together allowed unauthenticated remote code execution. Attackers reached internet-facing, unpatched SharePoint instances, bypassed the servers' security controls, and deployed ransomware, raising concerns about exfiltration of sensitive data. Because the flaws were exploited before patches existed, the campaign is classed as a zero-day attack, one that targets a vulnerability unknown to the vendor at the time of exploitation.
Federal investigators confirmed that approximately 100 global organizations were compromised, with thousands more potentially vulnerable to similar attacks.
Chinese nation-state actors Linen Typhoon and Violet Typhoon have been identified as the primary exploiters of these security flaws. Storm-2603, another China-linked threat group, conducted ransomware deployments using the same vulnerabilities.
Attribution analysis relied on observed tactics, techniques, and procedures consistent with previous Chinese cyber operations, though the Chinese embassy declined to comment on these accusations. Cybersecurity analysts warn that other threat actors beyond Chinese state groups are exploiting identical vulnerabilities.
The White House and Cybersecurity and Infrastructure Security Agency led immediate response efforts, launching a coordinated national incident response and distributing actionable security alerts. Investigations showed no evidence of data exfiltration from the affected federal agencies despite the extensive breach.
Microsoft released urgent patches for SharePoint Server 2016, 2019, and Subscription Edition, accompanied by detailed security guidance. Law enforcement and cybersecurity agencies continue investigating potential lateral movement and evaluating the full scope of the breach's impact.
Microsoft's mitigation recommendations include applying the security updates, rotating ASP.NET machine keys, restarting Internet Information Services, and strengthening antimalware protections. The company specifically advised customers to enable the Antimalware Scan Interface in Full Mode and to update their endpoint protection solutions. Patching alone is not sufficient: the threat actors deployed web shells through crafted scripts to maintain persistent access to compromised systems, so already-compromised servers must also be checked for those artifacts.
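The following PowerShell script, added here as an illustration and not taken from the article or from Microsoft's own guidance, walks through the post-patch steps described above on a single on-premises SharePoint server: verify the farm build is at or above a patched level, rotate the ASP.NET machine keys for each web application, restart IIS, and triage the LAYOUTS directory for recently written .aspx pages that could be web shells. It assumes an elevated SharePoint Management Shell run by a farm administrator, that the Update-SPMachineKey cmdlet is available (it ships with Subscription Edition and with the July 2025 updates for 2016/2019; the script checks before using it), and that the minimum patched build number is supplied by the operator, since the article gives none.

```powershell
# Added example, not the article's or Microsoft's code.
# Assumptions: run as farm admin in an elevated SharePoint Management Shell;
# Update-SPMachineKey may or may not exist depending on installed updates.
param(
    # PLACEHOLDER: replace with the minimum patched build for your edition,
    # taken from Microsoft's advisory for the installed product.
    [version]$MinimumPatchedBuild = '16.0.0.0',
    # Default 16-hive LAYOUTS directory for SharePoint 2016/2019/Subscription Edition.
    [string]$LayoutsPath = "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    # How far back to look for recently written .aspx files.
    [int]$LookbackDays = 30
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# 1. Confirm the security update is installed before rotating keys; rotating
#    on an unpatched server gives a false sense of safety.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build $farmBuild is below $MinimumPatchedBuild; apply the security update first."
    return
}
Write-Host "Farm build $farmBuild meets the minimum patched build."

# 2. Rotate ASP.NET machine keys for every web application. Keys captured from a
#    compromised server stay valid after patching, so rotation is required.
if (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue) {
    foreach ($webApp in Get-SPWebApplication) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
} else {
    Write-Warning "Update-SPMachineKey not available; run the machine key rotation timer job from Central Administration instead."
}

# 3. Restart IIS so worker processes load the new keys.
& iisreset.exe

# 4. Triage for web shells: legitimate pages under LAYOUTS are written at install
#    or patch time, so a lone .aspx file written outside a patch window is suspect.
$cutoff = (Get-Date).AddDays(-$LookbackDays)
$recent = Get-ChildItem -Path $LayoutsPath -Recurse -Filter *.aspx -File |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, LastWriteTime, Length
if ($recent) {
    Write-Warning "Recently written .aspx files under LAYOUTS; compare each against your patch history:"
    $recent | Format-Table -AutoSize
} else {
    Write-Host "No .aspx files under LAYOUTS modified in the last $LookbackDays days."
}
```

Run the script on every server in the farm, not only the front ends, and treat any hit from step 4 as an incident-response lead rather than something to delete on the spot: the file's timestamp, owner and contents are evidence of how long the persistence has been in place. Enabling AMSI Full Mode and updating endpoint protection are done through the product's own management interfaces and are not scripted here.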
Federal agencies coordinated patch deployment efforts while implementing improved network monitoring to prevent additional exploits. Industry experts highlight the critical urgency for organizations to patch and secure their on-premises SharePoint deployments against these actively exploited vulnerabilities.