Continued Microsoft SharePoint Server Fallout

Microsoft faces scrutiny of SharePoint patch timeline and China-based workforce while organizations deal with ransomware.


Written by Jackie Leavitt (Editor at Large)

Reviewed by Aleksander Hougen (Co-Chief Editor)



Microsoft has identified multiple Chinese nation-state actors exploiting the SharePoint on-premise server vulnerability, including Linen Typhoon, Violet Typhoon and Storm-2603.

The latest reporting indicates at least 400 organizations, agencies and businesses — largely based in the U.S. — have been affected, with many also dealing with ransomware. (The most common entry point for ransomware attacks is an unpatched vulnerability — you can read more in our Ransomware Statistics guide.)

Many U.S. federal agencies are victims of SharePoint server breaches, including the National Nuclear Security Administration, the National Institutes of Health, the Department of Homeland Security, the Energy Department and the Education Department; some state-level departments have also been impacted.

However, more organizations could be quietly facing breaches and ransomware, considering that more than 10,000 companies with SharePoint servers were at risk from the vulnerability, according to researcher Silas Cutler at cybersecurity firm Censys.

Timeline Scrutiny

With the continued fallout from the SharePoint on-premise server attacks, Microsoft has faced criticism about its incomplete response to known vulnerabilities.

According to a Reuters timeline of the events, two SharePoint server vulnerabilities were first identified in May at a Berlin-based hacking competition that offered a $100,000 cash bounty for identifying SharePoint zero-day exploits.

During the event, a researcher won the bounty by demonstrating a SharePoint “ToolShell” exploit chain that combined two vulnerabilities: CVE-2025-49704 and CVE-2025-49706. Microsoft released security updates on July 8 to fix the vulnerabilities.

However, the ongoing SharePoint on-premise server exploitation began in early July, with Dutch cybersecurity firm Eye Security first discovering unusual activity on a customer’s server on July 18. The attacks use the same ToolShell technique to exploit the new zero-day vulnerabilities CVE-2025-53770 and CVE-2025-53771, which is why servers that had applied only the July 8 updates remained exposed.

Microsoft’s China-Based Workforce

Following the SharePoint on-premise server attacks from China-based actors, there has also been increased scrutiny of Microsoft’s decade-long reliance on its global workforce — including in China — to maintain the Government Community Cloud (GCC) systems. GCC is used by several U.S. federal departments. Using foreign support for GCC creates an opportunity for spying and sabotage, cybersecurity experts told ProPublica.

Defense Secretary Pete Hegseth launched a review of these practices and wrote in a post on X, “Foreign engineers — from any country, including of course China — should NEVER be allowed to maintain or access DoD systems.”

Microsoft said in a statement that it would take steps to ensure the security of Government Community Cloud data and conduct a review of additional security measures.

We will continue to report on this topic as more information becomes known.
