Foreign intruders accessed Kansas City weapons plant IT via SharePoint flaws, source says

A foreign threat actor infiltrated the Kansas City National Security Campus (KCNSC) by exploiting unpatched Microsoft SharePoint vulnerabilities, according to a source involved in an August incident response at the facility.

The campus, which produces the majority of non-nuclear components for US nuclear weapons under the National Nuclear Security Administration and is managed by Honeywell Federal Manufacturing & Technologies under contract, did not respond to repeated requests for comment. NSA public affairs officer Eddie Bennett told CSO he had nothing to contribute and referred the outlet to the Department of Energy.

Investigators say the attackers exploited two publicly disclosed on-premises SharePoint flaws, CVE-2025-53770 and CVE-2025-49704, for which Microsoft issued fixes on July 19, according to the company. The NNSA confirmed on July 22 that it was among the organizations hit by attacks tied to the SharePoint flaws. Federal responders, including personnel from the NSA, were on site at the Kansas City facility by early August, the source told CSO.

Attribution remains contested. Microsoft attributed the broader wave of SharePoint exploitation to Chinese-linked groups, but the source familiar with the Kansas City incident said a Russian actor was responsible. Cybersecurity firm Resecurity reviewed data showing primarily Chinese activity but did not rule out Russian involvement. Researchers also note that public demonstrations of chained SharePoint flaws by Viettel Cyber Security likely accelerated reverse engineering and wider exploitation.

The intrusion targeted the IT side of the campus, but experts warn of possible lateral movement into the operational technology that supports manufacturing. The campus web profile and Department of Energy materials note its role in producing critical components and services, including metallurgical analysis and environmental testing. Jen Sovada, general manager of public sector operations at Claroty, told CSO that facilities with interconnected functions can be exposed if IT and OT are not properly segmented. Observers say federal zero-trust guidance for IT must be aligned with emerging OT controls, such as those outlined in a published IT fan chart and a developing OT fan chart.

Officials say there is no evidence that classified information was compromised, but specialists caution that unclassified technical data can still have strategic value. Experts told CSO that even if financially motivated actors were responsible, accessed material could be useful to state actors. The incident underscores concerns about the convergence of IT and OT security across critical defense infrastructure and the need to extend zero-trust principles into operational environments.