New Zero-Day Vulnerability in Microsoft SharePoint Actively Exploited in Widespread Attacks

A critical vulnerability recently discovered in Microsoft SharePoint is being actively exploited, prompting urgent alerts from the U.S. government and cybersecurity experts.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning over the weekend confirming that malicious actors are targeting this unpatched flaw. Microsoft has yet to release security updates for all impacted versions of SharePoint, leaving many organizations vulnerable to ongoing breaches.

Identified as CVE-2025-53770, this zero-day vulnerability affects on-premises deployments of SharePoint—commonly used by organizations to store, collaborate, and manage internal documentation. Microsoft acknowledged the issue and is currently developing security patches to address the threat.

Because the vulnerability was discovered and weaponized before Microsoft had an opportunity to fix it, it qualifies as a “zero-day” bug. Systems as far back as SharePoint Server 2016 are believed to be affected.

While the full scope of the compromise remains unknown, thousands of small and medium-sized businesses may already be impacted. Reports from The Washington Post indicate that several U.S. federal agencies, universities, and energy sector companies have also suffered breaches.

The initial discovery of the flaw came from Eye Security, which reported finding numerous compromised SharePoint servers online. The exploit allows attackers to extract sensitive digital certificates from vulnerable SharePoint installations without authentication. With this stolen key material, attackers can remotely deploy malware, access internal data, and potentially extend their reach across connected Microsoft services, including Outlook, Teams, and OneDrive.

Eye Security warned that simply patching the system is not enough. Organizations must also revoke and regenerate compromised digital keys to prevent future unauthorized access.

Both CISA and Eye Security urge organizations to act immediately, emphasizing that companies unable to patch should consider disconnecting on-prem SharePoint systems from the internet until remediation is possible.

“If you have internet-exposed on-prem SharePoint servers, you should now assume compromise,” said Michael Sikorski, head of Unit 42, the threat intelligence arm of Palo Alto Networks.

At this stage, the threat actor behind these attacks remains unidentified. However, this incident follows a series of cyber intrusions targeting Microsoft technologies in recent years.

Notably, in 2021, the Hafnium group, linked to the Chinese government, exploited vulnerabilities in Microsoft Exchange servers, compromising over 60,000 systems globally. And in 2023, Chinese hackers breached Microsoft’s own cloud infrastructure, stealing an email-signing key that allowed unauthorized access to both enterprise and consumer email accounts.

Microsoft has also reported ongoing cyber activities tied to Russian state-sponsored actors, further underscoring the persistent threats facing the company’s ecosystem.

If you are a SharePoint user or suspect your infrastructure may have been impacted, you are strongly advised to begin incident response and security hardening immediately.

Source: https://techcrunch.com/2025/07/21/new-zero-day-bug-in-microsoft-sharepoint-under-widespread-attack/