China Is Inside DHS's Own Threat-Sharing Network. The Bug They Used Has Been on CISA's Known-Exploited List Since 2025.
- Patrick Duggan
- 2 hours ago
- 4 min read
The Department of Homeland Security exists, in part, to warn everyone else about cyber threats. Its Homeland Security Information Network — HSIN — is the platform where DHS shares sensitive, unclassified intelligence with federal, state, local, and private-sector partners: alerts, incident coordination, information about persons of interest. This week, DHS confirmed that HSIN and a connected SharePoint collaboration server were breached. The watchmen's own watchtower got walked into. And here is the part that should stop you cold: the vulnerability they walked in through is not new. It has been sitting on CISA's Known Exploited Vulnerabilities list since 2025. The whole story is in that one sentence.
What actually happened
DHS headquarters, several of its component agencies, and the Department of Health and Human Services — reporting also names NIH — were compromised as part of a much wider campaign against Microsoft SharePoint. The Shadowserver Foundation has counted at least three to four hundred confirmed compromises worldwide. Microsoft has attributed the initial waves to two China-nexus nation-state actors it tracks as Linen Typhoon and Violet Typhoon.
DHS, to its credit, has been measured: a spokesperson confirmed the incident, said classified systems were not affected, and stated there is no evidence of data exfiltration from DHS or its components at this time. Hold onto that "at this time" — it is honest, and it is not the same as "nothing was taken."
The vector: ToolShell, and why the name matters
The intrusions ride an exploit chain the industry calls ToolShell. It is not a single bug; it is a sequence — remote code injection plus a spoofing weakness, tracked as CVE-2025-49704 and CVE-2025-49706, extended by two freshly-catalogued defects, CVE-2025-53770 (a critical remote-code-execution flaw) and CVE-2025-53771 (a security-bypass). Chained, ToolShell lets an attacker reach an on-premises SharePoint server, execute code, and bypass multi-factor authentication and single sign-on outright.
The MFA bypass is the sharp edge. ToolShell steals the SharePoint server's cryptographic machine key. Once an attacker has that key, they can mint their own authentication tokens — which means patching the server after the fact does not evict them. You have to patch and rotate the stolen keys. Every organization that applied the update but skipped the key rotation is potentially still hosting its visitor.
The old religion: this was known-exploited for a year
Now for the thing that makes this a DugganUSA story rather than a wire re-post.
We keep a live mirror of CISA's Known Exploited Vulnerabilities catalog and cross-reference it on every scan. We went and looked, because that is the discipline. All three of the core ToolShell identifiers — CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770 — are in our KEV index right now, and they have been. These are not zero-days that dropped on DHS out of a clear sky. They are 2025-vintage, publicly-catalogued, government-flagged, actively-exploited SharePoint flaws that the United States government's own cyber agency told everyone to patch last year.
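The cross-reference described above, as an added Python example (not DugganUSA's scanner): it loads a KEV catalog excerpt in the public feed's JSON shape and reports which scanner findings are on the list and how far past their remediation due date they are. The catalog dates, hostnames and the non-KEV CVE are constructed for the demo; only the three CVE identifiers come from the post.

```python
"""Cross-reference scanner findings against a mirror of CISA's KEV catalog.

Added example, not DugganUSA's scanner. The catalog excerpt is constructed in
the shape of the public KEV JSON feed; its dates are placeholders, not the real
ones, and the hostnames and the fourth CVE are made up for the demo.
"""
import json
from datetime import date

# Constructed excerpt using the KEV feed's field names with placeholder dates.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-49704", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2025-07-01", "dueDate": "2025-07-22"},
    {"cveID": "CVE-2025-49706", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2025-07-01", "dueDate": "2025-07-22"},
    {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2025-07-01", "dueDate": "2025-07-22"},
]})

# Constructed scan output: host -> CVEs the scanner reports as still unpatched.
SCAN_FINDINGS = {
    "sp-web01.example.test": ["CVE-2025-53770", "CVE-2025-49706", "CVE-XXXX-NOTKEV"],
    "sp-app02.example.test": ["CVE-2025-49704"],
}


def load_kev_index(kev_json):
    """Map cveID -> remediation dueDate for every entry in the catalog mirror."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(kev_json)["vulnerabilities"]}


def kev_overdue(findings, kev_json, today_iso):
    """Return {host: [(cve, days_past_due), ...]} for findings that are in KEV and
    past their due date, worst first. CVEs not in KEV are left to normal triage."""
    index = load_kev_index(kev_json)
    today = date.fromisoformat(today_iso)
    report = {}
    for host, cves in findings.items():
        hits = [(c, (today - index[c]).days) for c in cves if c in index and today > index[c]]
        if hits:
            report[host] = sorted(hits, key=lambda h: (-h[1], h[0]))
    return report


if __name__ == "__main__":
    for host, hits in kev_overdue(SCAN_FINDINGS, KEV_JSON, "2026-01-15").items():
        print(host, hits)
```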
So the headline is not "China found a new way in." The headline is "China used an old, known, catalogued, told-you-so way in, and it worked against the Department of Homeland Security." The bug is old-time religion. What is new is only the pew it is sitting in.
This is the pattern we keep naming, and it keeps being right: the novelty is almost never the attack. The novelty is the door the defender left standing open. A perfect exploit chain is worth nothing against a patched, key-rotated server. It is worth an entire federal agency against an unpatched one.
What to actually do
If you run SharePoint on-premises, this is the checklist, and none of it is exotic:
- Patch to the current builds that close CVE-2025-53770 and CVE-2025-53771 — and the earlier -49704 and -49706 if you somehow still have not.
- Then rotate the SharePoint machine keys, because the patch alone does not undo a stolen key; assume the key is stolen if the server was internet-facing at any point since 2025.
- Hunt for the persistence: unexpected .aspx files in the LAYOUTS directory, anomalous IIS worker activity, freshly-created privileged accounts.
- Pull internet-facing SharePoint behind access controls it never should have been in front of.
- And treat the KEV catalog as an order, not a newsletter — because that is the single control that would have prevented this entire incident.
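One way to run the LAYOUTS part of that hunt, as an added Python example that is not from the post: build a hash manifest of the .aspx/.ashx pages from a known-good server on the same build, then diff a suspect server's LAYOUTS tree against it. The temp directory, file names and baseline here are constructed stand-ins; the real LAYOUTS path is assumed to be supplied by the operator.

```python
"""Hunt for unexpected or modified .aspx files under SharePoint's LAYOUTS folder.
Added example, not from the post. A temp directory stands in for the real LAYOUTS
path and the baseline is constructed; generate the real one from a known-good server."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_pages(layouts_dir):
    """Yield relative paths of every .aspx/.ashx under layouts_dir."""
    for root, _, files in os.walk(layouts_dir):
        for name in files:
            if name.lower().endswith((".aspx", ".ashx")):
                yield os.path.relpath(os.path.join(root, name), layouts_dir).replace(os.sep, "/")


def build_baseline(layouts_dir):
    """Manifest from a known-good tree: relative path -> SHA-256."""
    return {rel: sha256_file(os.path.join(layouts_dir, rel)) for rel in list_pages(layouts_dir)}


def hunt_layouts(layouts_dir, baseline):
    """Return sorted (rel_path, reason): pages missing from the baseline, and shipped pages whose content changed."""
    findings = []
    for rel in list_pages(layouts_dir):
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif sha256_file(os.path.join(layouts_dir, rel)) != baseline[rel]:
            findings.append((rel, "hash mismatch"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a clean tree, drop one rogue .aspx, tamper with one page."""
    d = tempfile.mkdtemp()
    clean = {"settings.aspx": b"<%@ Page %> settings", "sub/edit.aspx": b"<%@ Page %> edit"}
    for rel, body in clean.items():
        os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
        with open(os.path.join(d, rel), "wb") as f:
            f.write(body)
    baseline = build_baseline(d)
    with open(os.path.join(d, "sub", "unexpected.aspx"), "wb") as f:
        f.write(b"<%@ Page %> not shipped with SharePoint")
    with open(os.path.join(d, "settings.aspx"), "ab") as f:
        f.write(b"<!-- appended -->")
    return hunt_layouts(d, baseline)
```

Keep the manifest off the server being checked, since anyone who can drop a page into LAYOUTS can also edit a manifest stored beside it.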
Why we are saying it this way
We did not discover this breach, and we will not pretend we did — the reporting is Microsoft's, CISA's, and the outlets that broke it. What we are adding is the frame the daily coverage keeps missing: the vulnerabilities that just breached the Department of Homeland Security have been on the government's own known-exploited list for roughly a year, and we can show you they are in the feed. The Known Exploited Vulnerabilities catalog is only a defense if someone acts on it. When even DHS does not, the lesson is not "SharePoint is dangerous." The lesson is that a warning nobody patches is just a very well-documented breach.
We will cap it at ninety-five percent, as always: attribution can shift, the exfiltration picture at DHS may change as the investigation matures, and the victim count will keep climbing. But the shape is not in doubt. The oldest religion in security is patch management, and this week it took down the house that is supposed to preach it.