
Microsoft SharePoint Zero-Day Exploit Sparks Widespread Attacks

Summary

– A newly discovered security bug in Microsoft SharePoint is being actively exploited by hackers, according to U.S. cybersecurity agency CISA and researchers.
– Microsoft has not yet released patches for all affected SharePoint versions, leaving many customers vulnerable to ongoing attacks.
– The bug, CVE-2025-53771, affects self-hosted SharePoint servers and allows hackers to steal digital keys, plant malware, and access stored data without credentials.
– Cybersecurity firm Eye Security warns affected customers must patch the bug and rotate digital keys to prevent further compromise, as SharePoint connects to other apps like Outlook and Teams.
– The attacks resemble past cyberattacks on Microsoft systems, including breaches by China-backed and Russia-linked hackers, though the current perpetrators remain unknown.

A critical zero-day vulnerability in Microsoft SharePoint has triggered widespread cyberattacks, putting businesses and government agencies at risk of data breaches. Security experts warn that hackers are actively exploiting the flaw before patches become available, leaving organizations scrambling to protect sensitive information stored on vulnerable servers.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert over the weekend, confirming that threat actors are leveraging the unpatched vulnerability, officially tracked as CVE-2025-53771. This flaw impacts on-premises SharePoint deployments, including versions as old as SharePoint Server 2016, which many businesses still rely on for document management and collaboration.

Microsoft has acknowledged the issue and is developing fixes, but the company had zero warning before attackers began exploiting the weakness. Early reports suggest thousands of organizations, particularly small and midsize businesses, universities, and federal agencies, may already be compromised. The Washington Post revealed that several energy companies and government entities have fallen victim to these intrusions.

Eye Security, the firm that first uncovered the vulnerability, discovered dozens of compromised SharePoint servers shortly after identifying the flaw. Hackers exploiting the bug can steal digital authentication keys without requiring login credentials, granting them unrestricted access to stored files and connected applications like Outlook, Teams, and OneDrive. This creates a domino effect, enabling attackers to move laterally across networks and exfiltrate sensitive data.

Security teams are urging immediate action, emphasizing that patching alone may not be enough. Organizations must also rotate compromised encryption keys to prevent attackers from maintaining persistence. In the absence of official fixes, experts recommend disconnecting vulnerable SharePoint instances from the internet to mitigate further exposure.

Michael Sikorski of Palo Alto Networks’ Unit 42 issued a stark warning: Any on-premises SharePoint server exposed online should be considered breached until proven otherwise. The scale of the attacks remains unclear, but the potential for widespread damage is significant given SharePoint’s role in enterprise data management.

This incident marks the latest in a series of high-profile cyberattacks targeting Microsoft products. In 2021, state-sponsored hackers exploited vulnerabilities in Microsoft Exchange, compromising tens of thousands of servers globally. More recently, Chinese operatives infiltrated Microsoft’s cloud infrastructure, stealing an email signing key that granted access to sensitive accounts. Russian-linked groups have also repeatedly targeted Microsoft systems, underscoring the persistent threats facing the tech giant’s ecosystem.

For organizations still assessing their risk, CISA’s advisory provides mitigation guidance while awaiting official patches. Those who suspect a breach should prioritize forensic analysis and credential rotation to contain potential damage.

If you have additional details about these attacks or are an affected organization, you can reach out securely via encrypted channels for further discussion.

(Source: TechCrunch)


The Wiz

Wiz Consults, home of the Internet, is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.