
Chinese hackers breached critical U.S. government agencies by exploiting Microsoft SharePoint flaws, exposing a major gap in national cybersecurity as experts warn the threat may persist even after emergency patches.
Story Summary
- Over 400 Microsoft SharePoint servers, including those in sensitive government agencies, were compromised through zero-day vulnerabilities exploited by Chinese state-sponsored groups.
- Microsoft rushed emergency patches, but attackers had already stolen credentials, allowing ongoing access even after patching.
- Security researchers and federal agencies urge immediate patching and credential resets to mitigate further damage.
- The incident highlights persistent risks in on-premises infrastructure and raises new concerns about foreign cyber-espionage targeting American institutions.
Chinese-Linked Exploit Breaches Government Networks
Hackers associated with Chinese state-sponsored groups exploited two previously unknown vulnerabilities—CVE-2025-53770 and CVE-2025-53771—in Microsoft SharePoint Server, successfully breaching over 400 on-premises servers worldwide. Among the victims were numerous U.S. government agencies, universities, and private sector organizations responsible for critical infrastructure. The attack, which began in mid-July 2025, granted attackers unauthenticated remote access, allowed them to steal credentials, and enabled long-term persistence within affected networks. Security researchers attribute the campaign to multiple Chinese advanced persistent threat (APT) groups, including Linen Typhoon and Violet Typhoon. The scale and speed of the attack have been described as unprecedented, with nation-state actors rapidly weaponizing newly published proof-of-concept code to target American assets.
Cybersecurity firms and federal agencies confirm that the attackers leveraged both new and previously patched flaws in SharePoint, demonstrating a sophisticated understanding of enterprise software vulnerabilities. The campaign began almost immediately after proof-of-concept code was publicly released in early July, showing just how quickly advanced threat actors can transition from research to real-world exploitation. By July 19, Microsoft had released emergency patches and advisories, but incident response teams continued to discover compromised systems well into August. The attackers’ tactics included chaining vulnerabilities for maximum impact and stealing authentication tokens, which could allow them to maintain access even after organizations applied Microsoft’s patches.
Emergency Response and Ongoing Threats
Microsoft, national cybersecurity agencies, and leading security vendors have urged all organizations running on-premises SharePoint servers to apply the emergency patches immediately and perform comprehensive credential resets. Experts warn that patching alone may not be sufficient if attackers have already stolen passwords or authentication tokens: a patch closes the entry point but does not invalidate secrets already taken, which could let attackers bypass security controls and re-enter patched systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with its counterparts in allied nations, has issued multiple advisories underscoring the urgency of incident response, forensic investigation, and continuous monitoring for unusual activity on affected networks.
Security analysts highlight that the attack’s impact extends beyond immediate data theft and operational disruption. The compromise of government and critical infrastructure systems by foreign adversaries poses direct risks to national security, economic stability, and public trust in American institutions. The rapid, coordinated action by Microsoft and security partners prevented further escalation, but many organizations remain vulnerable due to slow patch adoption and the complexity of on-premises environments.
Lessons for American Security and Policy
Industry experts, including Bruce Schneier, describe the incident as a “security mess” and a significant wake-up call for American IT leaders. The attack reveals the vulnerabilities inherent in maintaining legacy, on-premises infrastructure without aggressive patch management and threat detection. Security professionals argue that this breach demonstrates the growing sophistication of foreign adversaries—particularly China—in targeting U.S. government assets for espionage and disruption. The scale of the attack, coupled with the persistence techniques used by the adversaries, underscores the urgent need for a renewed focus on cybersecurity across federal, state, and local agencies.
For conservative Americans, this incident raises important questions about accountability and resilience. The breach occurred during a period of transition, with the prior administration’s cyber policies under scrutiny. Many are left wondering whether delays in adopting robust security measures or lapses in oversight during previous years enabled adversaries to exploit American technology so effectively. The ongoing investigation and remediation will test the resolve of the current administration to defend U.S. sovereignty, secure government systems, and restore public confidence. As calls grow louder for tighter security, stricter controls on foreign technology, and greater investment in American cyber capabilities, this breach may mark a turning point in how the nation protects its most vital assets.
Sources:
Cyber Security Agency of Singapore (CSA)