On August 9, 2025, the Canadian House of Commons experienced a cyberattack in which threat actors exploited a recently disclosed Microsoft vulnerability to gain unauthorized access to sensitive employee data.
The incident highlights the persistent cybersecurity challenges facing Canadian government institutions amid a rapidly escalating global threat landscape.
Details of the Breach
According to an internal email obtained by CBC News, House of Commons staff were notified on Monday about the breach, which occurred the previous Friday.
Attackers leveraged a recent Microsoft vulnerability to infiltrate a database containing critical information used to manage computers and mobile devices across the parliamentary network.
The stolen data includes:
- Employee names
- Job titles
- Office locations
- Email addresses
- Technical details of House of Commons-managed computers and mobile devices
Cybersecurity analysts warn that such information could be weaponized for targeted phishing attacks, impersonation campaigns, or deeper infiltration attempts against parliamentarians and staff.
Possible Vulnerability – CVE-2025-53770 “ToolShell”
Authorities have not yet disclosed which specific Microsoft flaw was used, but experts point to recent critical vulnerabilities under active exploitation.
The timeline matches the widespread abuse of CVE-2025-53770, a SharePoint Server flaw with a CVSS score of 9.8, dubbed “ToolShell”. This vulnerability allows unauthenticated remote code execution via unsafe deserialization of untrusted data in on-premises SharePoint servers.
Ongoing Investigation
The Communications Security Establishment (CSE) confirmed awareness of the incident and is assisting the House of Commons. Officials have yet to attribute the attack to a specific group.
“Attribution of a cyber incident is difficult,” CSE stated. “Investigating such activity requires significant time and resources, and involves many factors.”
The House of Commons has advised all members and employees to remain vigilant, warning that the stolen data could be exploited for scams or impersonation attempts.
Rising Cyber Threats Against Canada
This attack comes amid an increasing wave of cyberattacks targeting Canadian government systems. The National Cyber Threat Assessment 2025–2026 warns of an “expanding and complex cyber threat landscape” involving both state-sponsored and criminal actors.
Microsoft’s August 2025 Patch Tuesday addressed 107 vulnerabilities, including 13 critical flaws. Notable among them is CVE-2025-53779, a Windows Kerberos vulnerability enabling unauthenticated attackers to gain domain administrator privileges.
The SharePoint vulnerabilities disclosed in July 2025 have been particularly exploited by Chinese state-linked hackers and ransomware gangs. Targets have included:
- U.S. National Nuclear Security Administration
- Department of Education
- Government agencies in Europe and the Middle East
These incidents emphasize the urgent need for stronger patch management and proactive defense strategies across public sector institutions.
