Anatomy of a Breach

Anatomy of a Breach: Microsoft SharePoint — Zero-Day Exploited by Three Chinese Groups, 400+ Organisations Compromised Including NNSA

> series: anatomy_of_a_breach —— part: 199 —— target: microsoft_sharepoint —— groups: 3_chinese_apt —— organisations: 400+ —— includes: us_nuclear_security

Hedgehog Security 31 July 2025 14 min read

SharePoint. Three Chinese groups. 400+ organisations. Including the agency that manages US nuclear weapons.

In July 2025, it was revealed that a zero-day vulnerability in Microsoft SharePoint — the file sharing and collaboration platform used by millions of organisations worldwide — had been exploited by three separate Chinese government-linked hacking groups to compromise over 400 organisations. The victims included the US National Nuclear Security Administration (NNSA), the federal agency responsible for maintaining and developing the US stockpile of nuclear weapons, along with major corporations and sensitive government agencies across multiple countries.

The vulnerability enabled remote code execution against self-hosted SharePoint servers — providing attackers with full access to the files, documents, and data stored on the platform. Even after the vulnerability was publicly disclosed and patches were available, thousands of vulnerable self-hosted SharePoint servers remained online. The SharePoint zero-day was the most significant Microsoft platform vulnerability since the Exchange/Hafnium (2021) mass exploitation event — and raised the same questions about the security implications of concentrating sensitive data in a single Microsoft platform.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

When everyone puts their files in SharePoint, SharePoint becomes the ultimate target.

Nuclear Security Agency Compromised

The compromise of the NNSA — responsible for US nuclear weapons — through a collaboration platform vulnerability demonstrated that the most sensitive government data is accessible through commonly-used enterprise software. For UK organisations in the <a href="/blog/sector-under-the-microscope-defence-supply-chain">defence supply chain</a>, platform security is national security. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses SharePoint and collaboration platform security.

Three Chinese Groups Simultaneously

Three separate Chinese APT groups exploited the same vulnerability — demonstrating the breadth of Chinese cyber espionage capabilities and the value nation-states place on accessing collaboration platform data. <a href="https://www.cyber-defence.io/services/threat-intelligence">UK Cyber Defence's threat intelligence</a> tracks nation-state campaigns targeting enterprise platforms.

Self-Hosted Servers Remain Vulnerable

Thousands of self-hosted SharePoint servers remained unpatched even after disclosure — the same patching gap pattern documented from <a href="/blog/anatomy-of-a-breach-wannacry">WannaCry</a> (2017) to <a href="/blog/anatomy-of-a-breach-hafnium-exchange">Exchange/Hafnium</a> (2021). <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates 14-day patching. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies unpatched SharePoint servers.

Cloud vs Self-Hosted Risk

SharePoint Online (in Microsoft 365) is patched by Microsoft; self-hosted SharePoint servers must be patched by the organisation. The zero-day affected self-hosted deployments — reinforcing the security advantage of cloud-managed platforms where the vendor handles patching. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> assess platform deployment models and associated risk.
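To make the patching split described in the two sections above concrete (SharePoint Online is patched by Microsoft; self-hosted servers must be patched by the organisation, within the 14-day window Cyber Essentials requires), here is an added Python check that is not from the article or from Hedgehog Security. It classifies a constructed server inventory against an assumed fix-availability date; the hostnames, dates and the 14-day window constant are all assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials patching window cited in the article: fixes applied within 14 days.
PATCH_WINDOW_DAYS = 14

@dataclass(frozen=True)
class SharePointDeployment:
    name: str                     # hostname or tenant label (constructed)
    hosting: str                  # "online" (Microsoft patches) or "self-hosted" (you patch)
    last_patched: Optional[date]  # date a fix was last applied; None if never

def patch_compliance(deployments, fix_available: date, today: date) -> dict:
    """Map each deployment to a state relative to the 14-day window:
    vendor-managed (SharePoint Online), patched (fix applied on/after availability),
    within-window (unpatched, deadline not passed), overdue (unpatched, deadline passed)."""
    deadline = fix_available + timedelta(days=PATCH_WINDOW_DAYS)
    report = {}
    for d in deployments:
        if d.hosting == "online":
            report[d.name] = "vendor-managed"
        elif d.hosting == "self-hosted":
            # A patch applied before the fix existed cannot contain it.
            if d.last_patched is not None and d.last_patched >= fix_available:
                report[d.name] = "patched"
            elif today > deadline:
                report[d.name] = "overdue"
            else:
                report[d.name] = "within-window"
        else:
            raise ValueError(f"{d.name}: unknown hosting model {d.hosting!r}")
    return report

def overdue_hosts(report: dict) -> list:
    """Sorted names of self-hosted servers that missed the window."""
    return sorted(n for n, s in report.items() if s == "overdue")

# Constructed inventory; hostnames and dates are made up for the demo.
SAMPLE_INVENTORY = [
    SharePointDeployment("tenant.sharepoint.example", "online", None),
    SharePointDeployment("sp-intranet.corp.example", "self-hosted", date(2025, 7, 22)),
    SharePointDeployment("sp-legacy.corp.example", "self-hosted", date(2025, 3, 4)),
    SharePointDeployment("sp-dmz.corp.example", "self-hosted", None),
]

def sample_report(today_iso: str = "2025-08-15") -> dict:
    """Assess the sample inventory against a fix assumed available on 2025-07-20."""
    return patch_compliance(SAMPLE_INVENTORY, date(2025, 7, 20), date.fromisoformat(today_iso))
```

Feed it your real inventory and the vendor's actual fix date; servers whose last patch predates the fix are deliberately treated as unpatched, since an older patch cannot contain it.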

Your collaboration platform holds your secrets. Secure it accordingly.

The SharePoint zero-day proved that collaboration platforms — which hold organisations' most sensitive documents, communications, and intellectual property — are priority targets for nation-state espionage. Cyber Essentials mandates patching and secure configuration. Vulnerability scanning identifies unpatched SharePoint servers. Infrastructure testing assesses collaboration platform security. SOC in a Box monitors for exploitation attempts. And UK Cyber Defence provides incident response when collaboration platforms are compromised.


SharePoint: 400+ organisations compromised including nuclear security. Is your collaboration platform patched?

<a href="/vulnerability-scanning">Vulnerability scanning</a> finds unpatched SharePoint. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses platform security. <a href="/cyber-essentials">Cyber Essentials</a> mandates patching.
