US Fermi National Accelerator Laboratory Cyberattack Exploits Microsoft SharePoint Flaw, Report Says

Written by: Lore Apostol, Cybersecurity Writer

A recent cyberattack on Fermilab has surfaced following revelations of a broader campaign exploiting a Microsoft SharePoint vulnerability. Fermilab, one of the 17 national laboratories of the U.S. Department of Energy and a center for particle physics research, is one of several U.S. infrastructure targets hit in this wave of SharePoint attacks.

Attack Details  

The attackers exploited a vulnerability in on-premises Microsoft SharePoint Server. Microsoft had issued a fix for a closely related flaw earlier in the month, but that fix did not fully close the hole, and many servers remained exposed.

A Department of Energy spokesperson said the attackers attempted to breach Fermilab's SharePoint servers but caused only minor disruptions, and that the servers have since been restored to normal operation.

Thanks to the DOE Office of Science's cybersecurity investments, the attackers were quickly identified and the impact was minimal, with no sensitive or classified data accessed, the spokesperson added, according to a Bloomberg News report.

In a July 19 blog post, cybersecurity firm Eye Security reported a widespread campaign targeting on-premises Microsoft SharePoint servers, using an exploit chain its researchers dubbed "ToolShell."

According to Satnam Narang, Senior Staff Research Engineer at Tenable, the flaw now identified as CVE-2025-53770 lets attackers steal the server's ASP.NET MachineKey configuration (including the validationKey and decryptionKey), which can then be used to gain unauthenticated remote code execution on unpatched SharePoint servers. Those keys are what the server uses to sign and encrypt data it later trusts, so an attacker holding them can craft payloads the server accepts as its own, and patching the flaw does not by itself invalidate keys that were already taken.

"The attack surface for this vulnerability is large, at over 9,000 externally accessible SharePoint servers, and it is used by a variety of organisations," Narang said. "We strongly advise organisations to begin conducting incident response investigations to identify potential compromise, or apply the available patches and review Microsoft's mitigation guidance."

Microsoft began releasing patches on July 20 for SharePoint Server 2019 and SharePoint Server Subscription Edition; a fix for SharePoint Server 2016 followed.
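Because the MachineKey material is the asset at risk, a practitioner patching an exposed server also needs to rotate the keys so that any copy already exfiltrated stops working. The following script is an added example for this article, not code from the article's sources or from Microsoft; it assumes SharePoint Server 2019 or Subscription Edition (where the Update-SPMachineKey cmdlet is available), and that it is run as a farm administrator in an elevated SharePoint Management Shell on a server in the farm.

```powershell
# Added example: rotate the ASP.NET MachineKey (validationKey/decryptionKey)
# for every SharePoint web application after applying the CVE-2025-53770 patch.
# Assumptions (not stated in the article): SharePoint Server 2019 or
# Subscription Edition, run as a farm administrator in an elevated shell.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Each web application carries its own machine key, so every one of them
# (Central Administration included) has to be rotated, not just the
# internet-facing site.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    # Generates fresh validation and decryption keys for this web application
    # and writes them to the farm so all servers pick up the new values.
    Update-SPMachineKey -WebApplication $webApp
}

# Worker processes keep the old keys in memory until they restart; run this on
# every server in the farm after the rotation completes.
iisreset.exe
```

Rotate only after the patch is installed: rotating first leaves the server vulnerable to having the new keys stolen the same way. The order that matters is patch, rotate, restart IIS, then hunt for signs of compromise that predate the rotation.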

Larger Impact

Microsoft reported that this effort is part of a larger wave of cyber espionage targeting organizations running unpatched on-premises SharePoint servers, apparently with a focus on U.S. infrastructure.

Last week, Reuters reported that a U.S. Department of Energy spokesperson said the SharePoint hack affected the department's systems, including those of the National Nuclear Security Administration, on July 18.

According to sources cited by Nextgov, there is speculation that entities such as DHS, NIH, and the Qatari government may also have been affected, though none of them has formally confirmed this.

Microsoft has attributed portions of the campaign to threat actors it tracks as Linen Typhoon, Violet Typhoon, and Storm-2603, all reportedly linked to the Chinese government. However, these specific groups have not been formally tied to the Fermilab breach.

In previous campaigns, Storm-2603 has been associated with deploying ransomware such as Warlock and LockBit, though there is no public confirmation of ransomware deployment in the Fermilab incident.

Implications  

The attack highlights enduring challenges related to patch management and the protection of critical infrastructure systems.  

Bob Huber, Chief Security Officer at Tenable, argues that organizations should adopt an exposure management platform that integrates with their existing security tools, giving them a unified view of their infrastructure and letting them identify complex attack paths before they are exploited.

Given how deeply Microsoft products are embedded in government systems worldwide, Huber believes the issue extends beyond a corporate concern to a matter of national security that demands urgent attention.

Patches are now available for all affected SharePoint versions: SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
