SharePoint Zero-Day Exploit Under Attack - Microsoft Security

SharePoint Security Vulnerability Under Active Attack
A recently discovered security flaw within Microsoft’s SharePoint platform is currently being exploited by malicious actors, according to the U.S. federal government and cybersecurity researchers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning this weekend regarding the active exploitation of this vulnerability. Currently, Microsoft has not released patches for all impacted SharePoint versions.
Details of the Vulnerability
Officially designated as CVE-2025-53770, the flaw affects on-premises SharePoint installations, that is, servers that organizations run and manage themselves. SharePoint is a core tool that businesses use to store, share, and manage internal files.
Microsoft has said it is developing security updates to address the vulnerability and prevent further exploitation. The flaw is classed as a “zero-day” because it was being exploited before a patch was available.
The vulnerability impacts SharePoint versions dating back to SharePoint Server 2016.
Scope of the Impact
While the total number of compromised servers remains unknown, it is anticipated that thousands of small and medium-sized businesses relying on the software are affected. Reports from The Washington Post indicate that several U.S. federal agencies, universities, and energy companies have already experienced breaches.
Eye Security, the firm that initially disclosed the vulnerability on Saturday, reported identifying “dozens” of Microsoft SharePoint servers actively being exploited at the time of their announcement.
Successful exploitation lets attackers steal private cryptographic keys from a SharePoint server without needing any login credentials. With those keys, attackers can deploy malware remotely and gain unauthorized access to the files and data stored on the server.
Potential for Wider Network Compromise
Eye Security highlights that SharePoint’s integration with other applications, such as Outlook, Teams, and OneDrive, could facilitate further network compromise and data theft.
Because the stolen keys let attackers forge requests that look like legitimate server traffic, affected customers must not only apply the patch once it is available but also rotate their digital keys; a patched server that still uses the stolen keys can be compromised again.
Recommended Actions
CISA and other security organizations are urging customers to “take immediate recommended action.” Where no patch or mitigation is yet available, the advice is to disconnect potentially affected systems from the internet.
Michael Sikorski, head of Palo Alto Networks’ threat intelligence division Unit 42, stated in an email to TechCrunch, “If you have SharePoint [on-premise] exposed to the internet, you should assume that you have been compromised at this point.”
Recent Trends in Cyberattacks Targeting Microsoft
The identity of the attackers remains unknown, but this incident represents the latest in a series of cyberattacks targeting Microsoft customers in recent years.
In 2021, the China-backed hacking group Hafnium exploited a vulnerability in self-hosted Microsoft Exchange email servers, resulting in widespread hacking and data exfiltration. Over 60,000 servers were compromised, as detailed in a recent Justice Department indictment.
Two years later, Microsoft confirmed a cyberattack on its own cloud systems, allowing Chinese hackers to steal a sensitive email signing key, granting access to both consumer and enterprise email accounts.
Microsoft has also consistently reported intrusions from hackers linked to the Russian government.
For those with additional information regarding these SharePoint cyberattacks, or if you are an affected customer, please securely contact this reporter via encrypted message at zackwhittaker.1337 on Signal.
Please note: An earlier version of this article contained an incorrect CVE number. This has been corrected to CVE-2025-53770.