The U.S. federal government and cybersecurity researchers say a newly discovered security bug found in Microsoft’s SharePoint is under attack.
U.S. cybersecurity agency CISA sounded the alarm this weekend that hackers were actively exploiting the bug. Microsoft has not yet provided patches for all affected SharePoint versions, leaving customers across the world largely unable to defend against the ongoing intrusions.
Microsoft said the bug, known officially as CVE-2025-53770, affects versions of SharePoint that companies set up and manage on their own servers. SharePoint lets companies store, share and manage their internal files.
Microsoft said it is working on security fixes to prevent hackers from exploiting the vulnerability. The flaw, described as a “zero day” because the vendor had no time to fix the bug before it was already being exploited, affects versions of the software as old as SharePoint Server 2016.
It’s not known yet how many servers have been compromised so far, but it is likely that thousands of small to medium-sized businesses that rely on the software are affected. According to The Washington Post, several U.S. federal agencies, universities, and energy companies have already been breached in the attacks.
Eye Security, which first revealed the bug on Saturday, said it found “dozens” of actively exploited Microsoft SharePoint servers online at the time of its publication. The bug, when exploited, allows hackers to steal private digital keys from SharePoint servers without needing any credentials to log in. Once in, the hackers can remotely plant malware, and gain access to the files and data stored within. Eye Security warned that SharePoint connects with other apps, like Outlook, Teams, and OneDrive, which may enable further network compromise and data theft.
Eye Security said because the bug involves the theft of digital keys that can be used to impersonate legitimate requests on the server, affected customers must both patch the bug and take additional steps to rotate their digital keys to prevent the hackers from re-compromising the server.
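The key rotation Eye Security is referring to is the ASP.NET machine key (the validation and decryption keys) that each SharePoint web application uses to sign and verify request state; an attacker who has copied it can keep forging requests that the server accepts as legitimate until the key changes. The following is an added example for this article, not code published by Microsoft or Eye Security. It assumes SharePoint Server 2019 or Subscription Edition, where the Update-SPMachineKey cmdlet is available; SharePoint Server 2016 has no such cmdlet, and the machineKey element in each web application’s web.config has to be replaced by hand on every server in the farm.

```powershell
# Added example, not Microsoft's own published script.
# Assumption: SharePoint Server 2019 or Subscription Edition (Update-SPMachineKey
# does not exist on SharePoint Server 2016, where web.config must be edited by hand).
# Run in an elevated SharePoint Management Shell on one server in the farm,
# after the security update for the vulnerability has been installed.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotate the ASP.NET machine keys for every web application, including Central
# Administration, so that a key copied before patching no longer validates
# requests the attacker forges with it.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# Worker processes only pick up the new keys on restart, so restart IIS on
# every SharePoint server in the farm (run this on each server, not just here).
iisreset.exe
```

Rotating the keys invalidates anything signed with the old ones, so users will be signed out and will need to sign in again. It does not remove anything an attacker already planted on the server; given the advice below to assume compromise, rotation should be paired with a review of the affected servers, not treated as the end of the response.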
CISA and others have urged customers to “take immediate recommended action.” In the absence of patches or mitigations, customers should consider disconnecting potentially affected systems from the internet.
“If you have SharePoint [on-premise] exposed to the internet, you should assume that you have been compromised at this point,” said Michael Sikorski, the head of Palo Alto Networks’ threat intelligence division Unit 42, in an email to TechCrunch.
It’s also not yet known who is carrying out the attacks on SharePoint servers, but it is the latest in a string of cyberattacks targeting Microsoft customers in recent years.
In 2021, a China-backed hacking group dubbed Hafnium was caught exploiting a vulnerability found in self-hosted Microsoft Exchange email servers, allowing the mass-hacking and exfiltration of email and contacts data from businesses around the world. The hackers compromised more than 60,000 servers, according to a recent Justice Department indictment accusing two Chinese nationals of masterminding the operation.
Two years later, Microsoft confirmed a cyberattack on its cloud systems, which it manages directly, that allowed Chinese hackers to steal a sensitive email signing key that permitted access to both consumer and enterprise email accounts hosted by the company.
Microsoft has also reported repeated intrusions from hackers associated with the Russian government.
Do you know more about the SharePoint cyberattacks? Are you an affected customer? Securely contact this reporter via encrypted message at zackwhittaker.1337 on Signal.