Microsoft’s Delayed Patch Enabled Chinese Hackers to Breach US Nuclear Systems—Echoes of Previous Microsoft Cloud Breaches in 2024
Three Chinese state-sponsored hacking groups—Linen Typhoon, Violet Typhoon, and Storm-2603—exploited vulnerabilities in Microsoft SharePoint servers to breach over 100 organizations globally, including the US National Nuclear Security Administration (NNSA), which oversees the US nuclear arsenal. The attackers bypassed security protocols to access sensitive networks handling confidential documents and system controls, though officials confirm no classified nuclear information was stolen.
The incident highlights yet another failure in Microsoft’s patching process, as the initial patch in May 2025 failed to fully address the vulnerabilities (designated CVE-2025-49706 and CVE-2025-49704). Federal cybersecurity agencies and private experts criticized Microsoft’s slow response, arguing that the delay allowed hackers to infiltrate critical US infrastructure—including energy and government systems—before comprehensive fixes were deployed.
How Did Microsoft’s Delayed Patching Enable the Breach?
The flaws in on-premises SharePoint servers were first identified during Berlin’s Pwn2Own hacking competition in May 2025, but Microsoft’s incomplete patch left systems exposed for weeks. The vulnerabilities let attackers spoof user identities, bypassing multi-factor authentication.
“This window of exposure allowed Chinese groups to target US nuclear infrastructure,” said Charles Carmakal, CTO at Mandiant, emphasizing that faster patching could have prevented the breach.
Was Nuclear Secrets Data Compromised?
While the NNSA’s administrative networks were breached, officials insist classified systems remained untouched. However, experts warn that even non-classified breaches can expose operational insights—valuable for future attacks.
Microsoft’s Response—Too Little, Too Late?
Microsoft issued emergency patches and urged organizations to update immediately. The company also announced weekly security reviews and hired executives with government security backgrounds—a move demanded by a 2024 federal panel after prior cloud breaches.
- Sen. Ron Wyden accused Microsoft of prioritizing profit over security, citing reliance on foreign engineers for US government projects.
- A federal review panel had already called for breaking up Microsoft’s monopoly on federal cloud contracts to reduce systemic risks.
Global Fallout
The same SharePoint flaws are now being exploited by non-Chinese hacking groups, escalating global cybersecurity threats. Meanwhile, China denies involvement, calling US accusations baseless smears.
A Recurring Nightmare
This breach mirrors Microsoft’s 2023–2024 cloud vulnerabilities, where Chinese hackers stole emails from US ambassadors and Cabinet members. The pattern raises urgent questions: Can the US trust Microsoft with national security systems?
The White House and CISA are assessing damage—but with no major reforms yet, the risk persists.