Global Alert: Zero-Day Exploit Targets Microsoft SharePoint Servers, Compromising 100+ Organizations


News of the hack did not impact the tech giant’s stock [File: Jason Redmond/AP Photo]

WASHINGTON D.C. – July 23, 2025 – A widespread cyber espionage operation exploiting a previously unknown vulnerability in Microsoft's self-hosted SharePoint server software has compromised at least 100 organizations globally over the past weekend.[1] Cybersecurity firms and a non-profit foundation have swiftly uncovered the scale of the attack, triggering urgent warnings for organizations worldwide to patch their systems.[2]

The "Zero-Day" Threat: Unveiling CVE-2025-53770

On Saturday, Microsoft issued an alert confirming "active attacks" on on-premises SharePoint servers, which are widely used for internal document sharing and collaboration.[3] Crucially, SharePoint instances hosted on Microsoft's cloud service (Microsoft 365) are not affected.

The vulnerability, now identified as CVE-2025-53770, is a "zero-day": a flaw that was exploited before it was disclosed to Microsoft and the wider cybersecurity community.[4] It allows attackers to bypass authentication, achieve remote code execution (RCE), and potentially drop persistent backdoors, granting them continuous access to victim networks.[5] Security researchers indicate that it is a variant of an earlier vulnerability, CVE-2025-49706, which Microsoft had partially addressed in its July updates.[6] The current exploit therefore acts as a "patch bypass," a sign of a sophisticated attacker.[7]

Scale of Compromise and Affected Regions

Vaisha Bernard, Chief Hacker at Eye Security, a Netherlands-based cybersecurity firm that first detected the campaign targeting one of its clients on Friday, confirmed the widespread impact.[8] In collaboration with the Shadowserver Foundation, Eye Security ran an internet scan that revealed nearly 100 compromised victims even before the exploit technique became widely known.[9] Bernard emphasized the severity, stating, "It's unambiguous. Who knows what other adversaries have done since to place other backdoors."

The Shadowserver Foundation corroborated the figure, noting that the majority of affected organizations are located in the United States and Germany, with government entities among the victims.[10] Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm, suggested that, for now, the spying appears to be the work of a single threat actor or a small group, though he warned, "It's possible that this will quickly change."[11]

Microsoft's Response and Urgent Recommendations

A Microsoft spokesperson stated that the company has "provided security updates and encourages customers to install them."[12] Microsoft has released emergency patches for SharePoint Server 2019 and SharePoint Server Subscription Edition, while a fix for SharePoint Server 2016 is still under development.[13]

Cybersecurity experts, including Daniel Card of British consultancy PwnDefend, strongly advise an "assumed breach approach."[14] This means organizations should not merely apply the patch but also investigate thoroughly for signs of compromise, since attackers may already have established persistent access that a patch alone does not remove. Key recommendations from Microsoft and other security firms include:

  • Immediately apply all available security updates.

  • Enable Antimalware Scan Interface (AMSI) integration and deploy robust antivirus solutions like Defender AV on all SharePoint servers.[15]

  • Rotate the server's ASP.NET machine keys after patching so that any key material stolen before the fix can no longer be used.[16]

  • Monitor for suspicious files (e.g., spinstall0.aspx) and unusual process chains originating from the IIS worker process (e.g., w3wp.exe ➝ cmd.exe ➝ powershell.exe -EncodedCommand).[17]

  • If immediate patching is not possible, disconnect vulnerable SharePoint servers from the internet.[18]
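The two monitoring indicators in the list above, the spinstall0.aspx filename and the w3wp.exe ➝ cmd.exe ➝ powershell.exe -EncodedCommand chain, are straightforward to turn into a detection rule over process-creation and file-write telemetry. The script below is an added example written for this article; it is not code from Microsoft, Eye Security, Sophos or PwnDefend. The event records, field names, PIDs, file paths and the encoded payload are all constructed for illustration; only the filename and process names come from the article. It also generalizes slightly beyond the text by accepting any abbreviated spelling of -EncodedCommand that PowerShell itself accepts.

```python
"""Detection sketch for two indicators from the recommendations above:
the filename spinstall0.aspx appearing on a SharePoint server, and the
process chain w3wp.exe -> cmd.exe -> powershell.exe -EncodedCommand.

Added example, not code from the article or any firm it names. The
event records are constructed to resemble generic endpoint telemetry;
field names, PIDs, paths and the encoded payload are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import re

# Filename indicator quoted in the article, matched on the lower-cased base name.
SUSPICIOUS_FILENAMES = {"spinstall0.aspx"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (plus -e and -ec),
# so match all of them rather than only the full spelling the article shows.
_FULL = "encodedcommand"
ENCODED_FLAGS = {"-e", "-ec"} | {"-" + _FULL[:i] for i in range(2, len(_FULL) + 1)}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable path or name as the sensor recorded it
    cmdline: str


@dataclass
class FileEvent:
    pid: int        # process that wrote the file
    path: str


def basename(path: str) -> str:
    """Lower-cased final path component; tolerates both separator styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def has_encoded_command(cmdline: str) -> bool:
    """True if any token on the command line is an -EncodedCommand spelling."""
    return any(tok.lower() in ENCODED_FLAGS for tok in cmdline.split())


def find_file_hits(files: List[FileEvent]) -> List[str]:
    """Paths whose base name is a known suspicious filename."""
    return [f.path for f in files if basename(f.path) in SUSPICIOUS_FILENAMES]


def find_chain_hits(procs: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """(w3wp pid, cmd pid, powershell pid) for every exact chain
    w3wp.exe -> cmd.exe -> powershell.exe where PowerShell got an encoded command."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    hits: List[Tuple[int, int, int]] = []
    for ps in procs:
        if basename(ps.image) != "powershell.exe" or not has_encoded_command(ps.cmdline):
            continue
        cmd = by_pid.get(ps.ppid)          # walk one level up: must be cmd.exe
        if cmd is None or basename(cmd.image) != "cmd.exe":
            continue
        w3wp = by_pid.get(cmd.ppid)        # and one more: must be the IIS worker
        if w3wp is None or basename(w3wp.image) != "w3wp.exe":
            continue
        hits.append((w3wp.pid, cmd.pid, ps.pid))
    return hits


# Constructed sample telemetry. "QQBCAEMA" is just "ABC" in UTF-16LE/base64,
# a harmless stand-in for an encoded payload.
SAMPLE_PROCS = [
    ProcEvent(1000, 4, r"C:\Windows\System32\inetsrv\w3wp.exe", 'w3wp.exe -ap "SharePoint - 80"'),
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc QQBCAEMA"),
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -enc QQBCAEMA"),
    # An administrator's interactive shell parented by explorer.exe: not the chain.
    ProcEvent(4000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile"),
    # w3wp spawning cmd with no PowerShell child: does not match the exact chain.
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

SAMPLE_FILES = [
    FileEvent(3000, r"C:\constructed\SharePoint\LAYOUTS\spinstall0.aspx"),
    FileEvent(1000, r"C:\constructed\SharePoint\LAYOUTS\default.aspx"),
]


def report(procs: List[ProcEvent], files: List[FileEvent]) -> List[str]:
    """Human-readable findings; an empty list means neither indicator was seen."""
    lines = []
    for w, c, p in find_chain_hits(procs):
        lines.append(f"process chain w3wp({w}) -> cmd({c}) -> powershell({p}) with encoded command")
    for path in find_file_hits(files):
        lines.append(f"suspicious file written: {path}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_PROCS, SAMPLE_FILES):
        print("ALERT:", line)
```

The chain check is deliberately exact (parent must be cmd.exe, grandparent must be w3wp.exe) to mirror the indicator as published; a production rule would normally also walk further up the tree and alert on any PowerShell descendant of the IIS worker, since the intermediate shell is incidental. The filename match is a weak indicator on its own: note the writing process (here PID 3000) and correlate it with the process findings rather than alerting on the name alone.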

Who is Behind the Attack?

The identity of the perpetrators behind this ongoing cyberattack remains unconfirmed. The FBI acknowledged awareness of the attacks on Sunday, stating they are working with federal and private-sector partners but offered no further details.[19] Britain's National Cyber Security Centre (NCSC) reported "a limited number" of targets in the United Kingdom. Early indications suggest the campaign was initially focused on a narrow set of government-related organizations. However, some researchers, including those from Google Cloud's Mandiant Consulting, have assessed that at least one of the actors responsible for early exploitation is a China-nexus threat actor, suggesting a state-sponsored or state-affiliated group.[20]

Vast Attack Surface and Broader Implications

The potential pool of targets remains immense. Data from Shodan, an internet-connected device search engine, indicates over 8,000 online servers could still be vulnerable. These encompass a wide range of sectors, including major industrial firms, banks, auditors, healthcare companies, and various US state-level and international government entities.[21]

"The SharePoint incident appears to have created a broad level of compromise across a range of servers globally," noted Daniel Card.[22] The speed and reach of this zero-day exploitation underline the persistent threat facing organizations that depend on internet-exposed server software. Vigilance and proactive patching remain essential to limit the damage from such cyber espionage operations.

Microsoft's stock, despite the cyber incident, saw a modest increase of 0.06 percent by 3 PM ET, indicating that investors may be confident in the company's ability to manage the fallout. However, the true impact on victim organizations and the long-term implications for global cybersecurity remain to be fully assessed.
