A critical vulnerability in Microsoft SharePoint Server is being actively exploited by hackers, putting thousands of organizations at immediate risk. The zero-day flaw, tracked as CVE-2025-53770, has already been used to breach government agencies, universities, and energy companies across multiple continents.
Microsoft SharePoint Server contains a critical security flaw that allows attackers to gain unauthorized access to sensitive systems. The vulnerability affects all on-premises SharePoint installations, while cloud-hosted Microsoft 365 versions remain unaffected. Attackers can weaponize this vulnerability to:
The sophistication of these attacks suggests this isn't opportunistic hacking: threat actors are using the SharePoint servers as an initial foothold and then moving laterally through networks, compromising systems ranging from email to sensitive document repositories.
The impact spans multiple sectors, with government agencies, universities, energy companies, and telco providers having reported confirmed breaches. The targeting appears strategic rather than random.
Security researchers estimate tens of thousands of on-premises SharePoint servers remain vulnerable. If your organization runs SharePoint on its own infrastructure, you need to assume you're being targeted.
Attack Details & Indicators
Security teams have observed attackers exploiting this vulnerability with speed. Once they gain initial access through SharePoint, attackers immediately establish persistence by compromising email systems and accessing MS Teams data and document repositories. Their focus appears to be credential theft, as every compromised credential provides another entry point into your network.
Key indicators to monitor include unusual SharePoint process activity, unexplained new administrator accounts, and large-scale unauthorized data transfers. Microsoft has documented guidance here on what security teams should be on the lookout for, and CISA has published its own guidance here.
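As an added example (not from the original post or from Microsoft's or CISA's guidance), the following PowerShell script checks two of the indicators above on an on-premises SharePoint server: recently created accounts or additions to privileged groups, and child processes spawned by the IIS worker process (w3wp.exe) that hosts SharePoint. It assumes the script runs on the SharePoint server with account-management and process-creation auditing (event IDs 4720/4728/4732/4756 and 4688) enabled in the Windows Security log.

```powershell
# Turn a Security event into a Name -> value table so fields can be read by name
# rather than by positional index (robust across Windows versions).
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Indicator: unexplained new accounts or group membership changes.
# 4720 = user created; 4728/4732/4756 = member added to global/local/universal group.
function Find-PrivilegedAccountChanges {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($_.Id -eq 4720) { $account = $d['TargetUserName']; $group = '' }
        else                { $account = $d['MemberName'];     $group = $d['TargetUserName'] }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Account = $account
            Group   = $group
            Actor   = $d['SubjectUserName']   # who performed the change
        }
    }
}

# Indicator: unusual SharePoint process activity. The IIS worker process should
# not normally launch shells or scripting hosts, so any child of w3wp.exe is
# worth triage. Command lines appear only if command-line auditing is enabled.
function Find-SharePointChildProcesses {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d['ParentProcessName'] -like '*\w3wp.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Child       = $d['NewProcessName']
                CommandLine = $d['CommandLine']
                User        = $d['SubjectUserName']
            }
        }
    }
}

Find-PrivilegedAccountChanges | Format-Table -AutoSize
Find-SharePointChildProcesses | Format-Table -AutoSize
```

Review both lists against your change records; a SharePoint worker process launching cmd.exe or powershell.exe, or an account added to Administrators outside a change window, warrants immediate incident response.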
With the speed at which attackers are moving and exploiting this vulnerability, organizations need to move into immediate action.
Your first priority must be to update your SharePoint servers and apply the July 2025 Security Update immediately. Consider this an emergency change.
In addition to patching, you should take this as an opportunity to harden your environment against both current and future attacks:
If you're using Group Managed Service Account (gMSA), pay special attention to ensuring these service credentials cannot be used for interactive logins. Attackers are specifically targeting these accounts because they often have elevated privileges across multiple systems.
The credential rotation piece deserves special emphasis. It's not enough to just change passwords. You need to audit where these credentials are used, what systems they can access, and whether any service accounts have permissions beyond what they absolutely need. This is also an excellent time to implement the principle of least privilege if you haven't already.
While attribution remains unconfirmed, the targeting pattern suggests, with low confidence, either state-sponsored actors or well-resourced criminal groups. Attackers aren't looking for a quick payout. They're establishing footholds for long-term intelligence gathering, which means they could already be deep in networks that appear uncompromised. The geopolitical timing of these attacks suggests this may be part of a larger strategic campaign.
This incident reinforces critical security lessons. Organizations relying on on-premises SharePoint need to reconsider their infrastructure strategy, as cloud-hosted versions remained unaffected by this attack. It also highlights that patch management can't be treated as optional, and defense-in-depth strategies are essential. A single vulnerability led to complete compromise for some organizations, while those with layered security detected attacks early. If this incident exposed gaps in your incident response capabilities or security architecture, address them now before the next zero-day emerges.
If your organization needs assistance evaluating your SharePoint security posture or responding to potential compromise, the vulnerability management experts at Kustos are ready to help. Contact our team at sales@kustos.com if you suspect your systems may be affected or if you need expert guidance implementing the security measures outlined above.
Schedule a consultation with us today and take the first step towards securing your digital future.