Article Details

Scrape Timestamp (UTC): 2025-07-23 18:10:38.955

Source: https://www.theregister.com/2025/07/23/microsoft_sharepoint_400_orgs/

Original Article Text

Microsoft SharePoint victim count hits 400+ orgs in ongoing attacks

US DOE among breached government agencies

More than 400 organizations have been compromised in the Microsoft SharePoint attack, according to Eye Security, which initially sounded the alarm on the mass exploitation last Friday, even before Redmond confirmed the critical vulnerabilities.

The Dutch security company on Wednesday reported four waves of attacks beginning July 17 and continuing the following two days, with "multiple waves" beginning July 21.

The US Energy Department - including its National Nuclear Security Administration (NNSA), which maintains America's nuclear weapons - was among those hit. A DOE spokesperson confirmed the breach to The Register:

"On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including NNSA. The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted DOE systems are being restored. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate."

In addition to the DOE, other government agencies and critical sectors, including telecommunications and software, have been hit in the ongoing attacks, with a "major Western government" being among the first victims on July 7, according to Check Point Research.

The security holes affect SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

The software giant first confirmed the exploits late Saturday, saying it was "aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update." It then released fixed versions for all three by late Monday.

The software fixes address remote code execution bug CVE-2025-53770, which is related to the previously disclosed vulnerability CVE-2025-49704, and CVE-2025-53771, a security bypass flaw for the previously disclosed CVE-2025-49706. Chaining the two allows miscreants to bypass authentication and execute malicious code over the network. A proof-of-concept showing how to chain the two together was released on GitHub.

Both Google and Microsoft have blamed Chinese cyberspies and data thieves for the digital intrusions, with Redmond warning yesterday: "Additional actors may use these exploits."

Microsoft did not immediately respond to The Register's questions, including about how many organizations have been compromised. We will update this story if and when we receive a response.

Daily Brief Summary

DATA BREACH // Over 400 Organizations Targeted in Microsoft SharePoint Attacks

More than 400 organizations globally have been impacted by a series of cyberattacks exploiting vulnerabilities in Microsoft SharePoint.

The attacks comprised multiple waves starting from July 17, with significant breaches including the US Department of Energy (DOE) and its National Nuclear Security Administration.

DOE confirmed only a minimal impact, crediting robust cybersecurity measures and quick mitigation response.

Among the other victims were additional government agencies and key sectors like telecommunications and software.

Key vulnerabilities exploited were identified as remote code execution bug CVE-2025-53770 and a security bypass flaw CVE-2025-53771, both addressed in Microsoft's recent updates.

Microsoft acknowledged the exploits after the initial reports, and both Google and Microsoft have attributed the attacks to Chinese cyberspies.

Measures including patching of affected SharePoint versions and strategic mitigations for impacted systems are underway across the victim organizations.