US Leads Global List with 396 Hacked SharePoint Systems

Summary
– 396 systems were compromised due to exploitation of the Microsoft SharePoint zero-day vulnerability (CVE-2025-53770/53771), affecting 145 organizations across 41 countries.
– The US had the highest number of affected organizations (31%), followed by Mauritius (8%), Germany (7%), and France (5%), with Mauritius potentially targeted due to US government presence.
– Government organizations were the most targeted (30% of infections), suggesting a deliberate campaign focused on strategic or intelligence value.
– The education sector (13%), SaaS providers (9%), telecom firms (4%), and power grids (4%) were also impacted, with attacks expected to escalate via ransomware and supply chain threats.
– The exploit has been incorporated into open-source tools like Metasploit, enabling low-skilled attackers to exploit unpatched systems, with additional threat actors likely involved.
A recent cybersecurity investigation has uncovered 396 compromised systems worldwide due to a critical Microsoft SharePoint vulnerability (CVE-2025-53770/53771). The breach, discovered by Dutch firm Eye Security, targeted organizations across 41 countries, with the United States accounting for nearly a third of all attacks. Government agencies emerged as the primary victims, representing 30% of confirmed infections, followed by educational institutions and technology providers.
During a five-day analysis of 27,000 SharePoint servers, researchers identified 145 organizations impacted by the exploit, with Mauritius, Germany, and France also experiencing significant breaches. Notably, Mauritius’ high attack rate may stem from its concentration of U.S. government entities, though no official confirmation has been provided. Two Jordanian organizations also reported unusually aggressive targeting, hinting at a deliberate campaign rather than random exploitation.
Government systems, particularly those handling sensitive data, were disproportionately affected, with speculation that U.S. nuclear, homeland security, and health agencies may have been compromised. Large enterprises and public-sector bodies often rely on on-premises SharePoint deployments for enhanced control, making them prime targets for sophisticated attackers. “This wasn’t opportunistic, it was precision-driven,” emphasized Lodi Hensen of Eye Security, suggesting the attackers prioritized high-value intelligence targets.
Beyond government entities, 13% of breaches hit the education sector, while SaaS providers, telecom firms, and power grids each accounted for smaller but concerning shares. Experts warn that exploitation is far from over, with ransomware and supply chain attacks likely to escalate. Microsoft initially linked the attacks to Chinese state-affiliated groups like Linen Typhoon and Storm-2603, but the flaw’s public disclosure has lowered the barrier for entry. Cybercriminals with minimal technical skills can now weaponize the vulnerability, thanks to its integration into widely available hacking tools like Metasploit.
Eye Security has urged organizations using on-premises SharePoint to adopt an “assume breach” mindset, verifying patches and conducting proactive threat hunts. While Microsoft’s attribution points to three primary threat actors, the exploit’s accessibility means additional groups, including financially motivated hackers, are likely exploiting the flaw. With no signs of slowdown, businesses and agencies must prioritize defensive measures to mitigate further damage.
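The “verify patches and hunt” advice above can be turned into a short, read-only triage script for an on-premises SharePoint server. The following PowerShell is an added example, not code from the article, Eye Security or Microsoft. It assumes the default “16” hive layout used by SharePoint 2016/2019/Subscription Edition, the default IIS log location, and that the operator replaces the placeholder `$PatchedBuild` with the fixed build number Microsoft publishes for their SharePoint version; the file and log checks are generic hunting steps whose results must be compared against a known-good baseline and the indicators published by the vendor or a national CERT.

```powershell
# Added example (not from the article or Eye Security): read-only triage for an
# on-premises SharePoint farm. Run in an elevated SharePoint Management Shell.
# PLACEHOLDER: $PatchedBuild must be set to the build Microsoft lists as containing
# the CVE-2025-53770/53771 fix for the SharePoint version in use.
param(
    [version]$PatchedBuild = [version]'16.0.0.0',   # PLACEHOLDER, replace before use
    [int]$LookbackDays = 14                         # how far back to hunt
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# 1. Verify the farm build against the patched build (assume breach: this only tells
#    you whether the door is closed now, not whether someone came through earlier).
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $PatchedBuild) {
    Write-Warning "Farm build $farmBuild is below patched build $PatchedBuild: treat as exposed."
} else {
    Write-Output "Farm build $farmBuild is at or above patched build $PatchedBuild."
}

# 2. List recently modified .aspx files in the LAYOUTS directory, which is served by the
#    SharePoint application pool. Anything not in your baseline deserves a closer look.
$layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$cutoff  = (Get-Date).AddDays(-$LookbackDays)
Get-ChildItem -Path $layouts -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    Select-Object FullName, LastWriteTime, Length |
    Format-Table -AutoSize

# 3. Extract IIS log lines for POST requests under /_layouts/ within the lookback window
#    (W3C logs record "... POST /_layouts/<page> ..."), writing them to a file for review
#    against published exploitation indicators.
$iisLogs = 'C:\inetpub\logs\LogFiles'
$outFile = Join-Path $env:TEMP 'sharepoint_layouts_post.txt'
Get-ChildItem -Path $iisLogs -Recurse -Filter 'u_ex*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        Select-String -Path $_.FullName -Pattern ' POST /_layouts/' -SimpleMatch |
            Select-Object -ExpandProperty Line
    } |
    Out-File -FilePath $outFile -Encoding utf8

Write-Output "POST requests to /_layouts/ written to $outFile for review."
```

The script deliberately changes nothing on the host: a patch check that reports below the fixed build is a reason to isolate and patch, and an unrecognized `.aspx` in LAYOUTS or an unexpected burst of POSTs to `/_layouts/` is a reason to preserve the server for forensic review rather than to clean it in place, which is what an “assume breach” posture implies.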
(Source: InfoSecurity)