Software giant Microsoft issued an alert over the weekend stating that its SharePoint servers, used by government agencies and businesses to share documents within an organization, had been targeted in a cyberattack. The company issued recommended security updates that should be applied immediately.

“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update,” the company said in a post. “Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771. Customers should apply these updates immediately to ensure they’re protected.”

The FBI also acknowledged it was aware of the attacks and was working with federal and private-sector partners.

This was considered a “zero-day exploit” because it took advantage of a previously unknown software or hardware vulnerability, meaning that Microsoft had zero days to develop a fix or patch.

“We’ve been coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners globally throughout our response,” a Microsoft spokesperson said in a media statement.

SharePoint in the Crosshairs

SharePoint is Microsoft’s web-based collaboration and document platform that enables organizations to store, organize, share, and access information, including documents, files, and other content, from any device with a web browser.

It acts as a central hub for content management and teamwork within an organization.

The recent vulnerability reportedly affected only the SharePoint servers run within an organization, not SharePoint Online, Microsoft’s cloud-based version. Engineers updated the guidance on Sunday with instructions to address the issue with SharePoint Server 2019 and SharePoint Server Subscription Edition. Efforts are still underway to address the older SharePoint Server 2016 software.

“In a matter of days, this SharePoint exploit has proven extremely serious, effectively handing attackers the keys to an organization’s collaboration platform and allowing them to break in without any credentials,” warned Ensar Seker, CSO at threat intel cybersecurity company SOCRadar.

Seker told ClearanceJobs that the vulnerability was already being used in widespread attacks on businesses and government agencies.

“This zero-day flaw lets hackers plant malware and steal data at will,” Seker continued. “Such rapid, large-scale exploitation suggests a competent, well-resourced adversary, potentially even state-sponsored. Now that the vulnerability and its fix are public, organizations must patch their on-prem SharePoint servers immediately and assume any unpatched instance is already compromised. At the same time, they should hunt for signs of intrusion, monitor network traffic for anomalies, and keep incident response teams on high alert to contain any fallout.”

Organizations Should Take Mitigation Steps

Beyond following Microsoft’s recommendations, security experts advise taking additional measures, especially since cyber threats may already be lurking on servers.

“To avoid unnecessary data loss, potential business interruptions, and reputational damage to their brand, CISOs need to review their exposure and the various mitigation steps they can take,” said James McQuiggan, security awareness advocate at KnowBe4.

“As this is an unpatched vulnerability with confirmed attacks in progress, the real-world exploitation has already started, which raises the urgency. Organizations need to take immediate mitigation steps to reduce the risk of a data breach by cybercriminals and attackers,” McQuiggan told ClearanceJobs.

McQuiggan offered the following mitigation steps:

  • Evaluate the business impact of downtime versus the risk of compromise.
  • Limit access to essential users only, and over VPN.
  • Utilize the security operations team to increase monitoring of SharePoint for signs of suspicious activity.
  • Work with cybersecurity vendors to determine if they’ve identified IOCs of the type of attack.
  • Worst case scenario: Isolate the SharePoint server from the internet or temporarily take it offline.

“While this vulnerability only impacts SharePoint systems on-prem, if an organization’s SharePoint is exposed to the internet, the risk is significantly higher,” he added. “There’s still a risk if it’s inside the network, as it might have a slower impact, and if attackers are already inside the network, they can target SharePoint to gain access to data and other sensitive information.”

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.