
Key Points
- Critical zero-day flaw exposed on-premises Microsoft SharePoint servers
- Hackers gain persistent access even after a reboot or patch
- Government agencies and global firms are already targeted
- Microsoft races to release a patch for SharePoint 2016
Microsoft SharePoint servers are under active attack due to a major zero-day vulnerability that has left thousands of systems exposed.
This serious flaw is currently being exploited by hackers to gain unauthorized access to on-premises SharePoint environments, putting critical infrastructure, sensitive data, and corporate operations at risk.
🔥 ALERT — Microsoft issues urgent security patches for critical SharePoint RCE flaw (CVE-2025-53770), now under active exploitation worldwide.
Hackers are bypassing MFA, stealing keys, and targeting banks, government agencies, hospitals & more.
Details ↓ … pic.twitter.com/MYAMR6D2u2
— The Hacker News (@TheHackersNews) July 21, 2025
Microsoft confirmed the issue over the weekend, issuing an alert that attackers are already taking advantage of the vulnerability in real-world environments.
The flaw does not affect cloud-hosted SharePoint (SharePoint Online), which is not exposed to it. On-premises servers, still widely used by enterprises and governments, are the ones at risk.
Researchers at Eye Security first identified the attacks on July 18, warning that the exploit lets attackers steal the cryptographic keys a SharePoint server uses to sign and encrypt the tokens it hands to clients.
Once stolen, those keys let an attacker forge requests the server will accept as valid, so access survives a reboot and, unless the keys are rotated, survives the patch as well. In short, if your server was compromised before patching, it may still be breached.
NEW THIS MORNING: Microsoft SharePoint under ‘active exploitation,’ Homeland Security’s CISA says
The Redmond-based company says it released security updates overnight – after hackers exploited security flaw in some widely-used server software.#LiveDesk pic.twitter.com/GPRyN3Ov6p
— Steve McCarron KOMO (@SteveTVNews) July 21, 2025
"This is one of the most persistent SharePoint attacks we've seen. Even patched servers might still be leaking access," said a cybersecurity researcher involved in the case.
Microsoft has since released patches for SharePoint 2019 and SharePoint Subscription Edition, while support teams are rushing to complete a patch for SharePoint 2016, which remains exposed.
Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771. These vulnerabilities apply to on-premises SharePoint Servers only. Customers should apply…
— Security Response (@msftsecresponse) July 21, 2025
Wide-scale attacks target governments and global firms
The US Cybersecurity and Infrastructure Security Agency (CISA) is now involved, actively assessing the scope and damage caused by the exploit.
We have reproduced “ToolShell”, the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it’s really just one request! Kudos to @mwulftange pic.twitter.com/sPHVVBal3K
— CODE WHITE GmbH (@codewhitesec) July 14, 2025
Early findings indicate that US federal and state agencies, several universities, energy firms, and a telecom company in Asia have already been attacked.
The Washington Post reported that both public and private sector networks are under threat, citing information from national security officials and independent researchers.
What makes the exploit especially dangerous is that it chains two previously known bugs demonstrated at the Pwn2Own hacking contest in May: an authentication bypass and a remote code execution flaw. Attackers refined that chain into an unauthenticated path into SharePoint servers, bypassing the login step entirely.
From there, an attacker holds the SharePoint server's own access to the rest of the network and can move laterally and harvest data from Microsoft services connected to it, such as Teams, OneDrive, and Outlook.
CISA has urged organizations to disconnect compromised SharePoint servers from the internet immediately and conduct a full forensic investigation.
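A first triage step for the forensic investigation CISA is asking for is to check the server's IIS logs for the request pattern ToolShell uses. The script below is an added example, not code from the article, Microsoft, CISA or Eye Security. The two indicators it looks for are taken from the public write-ups by Microsoft and Eye Security rather than from this article, and should be treated as assumptions to verify against the current advisories: an unauthenticated POST to /_layouts/15/ToolPane.aspx whose Referer is /_layouts/SignOut.aspx, and any request for a file named spinstall0.aspx (the web shell that dumps the server's keys). The sample log excerpt is constructed for the example and is not real traffic.

```powershell
# Added example: triage IIS W3C logs on an on-premises SharePoint server for
# ToolShell activity. Indicators are assumed from Microsoft's and Eye Security's
# public write-ups (not from the article); check them against current advisories.

function Find-ToolShellActivity {
    param([Parameter(Mandatory)][string[]] $LogLines)

    $fields = $null
    $hits   = New-Object System.Collections.Generic.List[object]

    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # The W3C header fixes the column order for the lines that follow it.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($null -eq $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $stem    = $row['cs-uri-stem']
        $referer = $row['cs(Referer)']
        $reason  = $null

        # Indicator 1: the auth-bypass request (POST to ToolPane.aspx with a SignOut.aspx referer).
        if ($row['cs-method'] -eq 'POST' -and
            $stem -match '/_layouts/(15/)?ToolPane\.aspx$' -and
            $referer -match '/_layouts/(15/)?SignOut\.aspx') {
            $reason = 'POST to ToolPane.aspx with SignOut.aspx referer (ToolShell auth bypass)'
        }
        # Indicator 2: any request for the key-dumping web shell.
        elseif ($stem -match 'spinstall0\.aspx$') {
            $reason = 'request for spinstall0.aspx (web shell that dumps machine keys)'
        }

        if ($reason) {
            $hits.Add([pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']
                Method = $row['cs-method']
                Uri    = $stem
                Status = $row['sc-status']
                Reason = $reason
            })
        }
    }
    return $hits
}

# Constructed sample excerpt in IIS W3C format (not real traffic). Two of the four
# requests match; the other two are ordinary authenticated browsing.
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2025-07-18 10:01:02 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 31',
    '2025-07-18 10:03:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 https://sp.contoso.com/_layouts/SignOut.aspx 200 0 0 120',
    '2025-07-18 10:03:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15',
    '2025-07-18 10:05:40 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\bob 10.0.0.22 Mozilla/5.0 - 200 0 0 12'
)

$findings = Find-ToolShellActivity -LogLines $sample
$findings | Format-Table -AutoSize

# Against a real server, feed it every log file for the SharePoint sites, e.g.:
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' |
#     ForEach-Object { Find-ToolShellActivity -LogLines (Get-Content $_.FullName) }
```

A successful (HTTP 200) ToolPane.aspx POST with no cs-username, followed seconds later by a GET for spinstall0.aspx from the same client, is the sequence to look for; a hit means the server's keys should be assumed stolen and the server handled as compromised, not merely patched. The column parsing is driven by the `#Fields:` header, so the script works even if the site's log fields were customised, as long as the method, URI stem, referer and client address are logged.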
🚨🇺🇸 BREAKING: MICROSOFT SHAREPOINT UNDER ACTIVE CYBER ATTACK
Microsoft confirmed hackers are targeting SharePoint servers right now – and the 2016 version is still unpatched.
The vulnerability lets attackers access files and run code across entire networks, even if patches are… https://t.co/xqtwGMiHlK pic.twitter.com/HdPCQlre0d
— Mario Nawfal (@MarioNawfal) July 21, 2025
Experts warn that even if the initial access vector is patched, stolen credentials and tokens can still be used to maintain access, creating long-term security risks.
How companies can protect SharePoint servers now
With patches available for some versions but not all, organizations using Microsoft SharePoint servers need to act quickly. Here are key steps recommended by security professionals:
- Patch immediately: If you are running SharePoint 2019 or the Subscription Edition, apply the update Microsoft released without delay.
- Isolate vulnerable systems: Remove external access from any SharePoint 2016 server and from any server suspected of compromise.
- Rotate keys and credentials: The keys the attackers steal are the server's ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt ViewState and similar tokens). Rotate them after patching, then rotate any other credentials, certificates and tokens that may have been exposed; a patch alone does not invalidate keys that have already been copied.
- Audit logs and behavior: Review IIS and SharePoint logs for unauthenticated requests and for new files under the web root, and watch for lateral movement into the Microsoft services connected to SharePoint.
- Prepare for patch deployment: If you run SharePoint 2016, watch Microsoft's updates and be ready to apply the patch as soon as it ships.
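The patch, key-rotation and verification steps in the list above can be carried out from a SharePoint Management Shell on one server of the farm. The script below is an added example, not code from the article or from Microsoft, and it assumes the SharePoint Server cmdlets Get-SPFarm, Get-SPWebApplication and Update-SPMachineKey are available (they are on SharePoint 2016, 2019 and Subscription Edition). The patched build numbers are deliberately not hard-coded: compare the build the script reports against Microsoft's advisory for your edition.

```powershell
# Added example: post-patch response on an on-premises SharePoint farm.
# Run from an elevated SharePoint Management Shell on one farm server.
# Assumes the SharePoint Server cmdlets Get-SPFarm, Get-SPWebApplication and
# Update-SPMachineKey; compare BuildVersion with Microsoft's advisory yourself.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Report the farm build so the patch level can be checked against the advisory.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"
Write-Host "Compare this with the fixed build for your edition before continuing."

# 2. Rotate the ASP.NET machine keys for every web application, including
#    Central Administration. Patching closes the entry point; rotating the keys
#    invalidates any copies an attacker exfiltrated before the patch landed.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so the worker processes pick up the new keys. Do this on
#    every server in the farm, not just the one the rotation was started from.
iisreset.exe

# 4. Sanity check: the rotated keys should now differ from whatever the
#    attacker could have read. Print the key-rotation job's last run time so
#    the change can be recorded in the incident timeline.
Get-SPTimerJob | Where-Object { $_.Name -like '*MachineKey*' } |
    Select-Object Name, LastRunTime | Format-Table -AutoSize
```

Run the rotation only after the update is installed; rotating keys on an unpatched server gives an attacker who still has the initial-access path a fresh set to steal. If the triage of the logs showed the server was already exploited, treat key rotation as one step of the incident response, not as a substitute for rebuilding the server and resetting the credentials of any accounts it used.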
In addition, organizations should revisit their incident response plans and ensure that backup systems are clean and offline until they are verified secure.
While Microsoft works to close the gap, this incident is a reminder of the risk of running legacy or on-premises systems without active monitoring and regular patching. Attackers are getting faster and more efficient, and every unpatched, internet-facing server is an open invitation.
With attackers already inside major networks and the vulnerability still partially unpatched, this event is shaping up to be one of the most critical Microsoft security incidents of 2025.