This is a developing story, and we will update it with more information as it becomes available.
The Microsoft SharePoint vulnerability known as "ToolShell" is the center of global attacks across United States federal and state agencies. Universities, energy companies, and an Asian telecommunications company have also been attacked.
In total, more than 50 organizations have been affected by a pair of recently discovered zero-day vulnerabilities. Among those organizations are the National Nuclear Security Administration (NNSA) and the Energy Department.
The NNSA is a semiautonomous arm of the Energy Department. Among other broad-ranging responsibilities, the NNSA produces and dismantles nuclear arms. The agency is also involved in counterterrorism efforts and the transportation of nuclear weapons.
According to a person with knowledge of the situation who spoke with Bloomberg, no sensitive or classified information is known to have been compromised in the attack.
The Energy Department shared the following statement with Bloomberg:
“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy. The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored.”
Microsoft shared additional details about the attack in a security blog post. The tech giant confirmed that it observed two named Chinese nation-state actors exploiting the SharePoint vulnerabilities.
The actors, Linen Typhoon and Violet Typhoon, targeted internet-facing SharePoint servers.
The vulnerabilities, labeled CVE-2025-53770 and CVE-2025-53771, affect on-premises servers, meaning cloud-based servers are unaffected.
Microsoft has issued out-of-band security updates to address the vulnerabilities.
Bloomberg noted that the full extent of the damage is not clear at this time.
Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, called the attacks "an urgent and active threat," noting that the vulnerabilities place thousands of organizations at risk.
Microsoft has released security updates to all supported versions of SharePoint, but those updates now need to be applied. The tech giant also shared guidance for customers using SharePoint Server.
