The hackers behind the initial wave of attacks exploiting a zero-day in Microsoft SharePoint servers have so far primarily targeted government organizations, according to researchers as well as news reports.
Over the weekend U.S. cybersecurity agency CISA published an alert, warning that hackers were exploiting a previously unknown bug — known as a “zero-day” — in Microsoft’s enterprise data management product SharePoint. While it’s still early to draw definitive conclusions, it appears that the hackers who first started abusing this flaw were targeting government organizations, according to Silas Cutler, the principal researcher at Censys, a cybersecurity firm that monitors hacking activities on the internet.
“It looks like initial exploitation was against a narrow set of targets,” Cutler told TechCrunch. “Likely government related.”
“This is a fairly rapidly evolving case. Initial exploitation of this vulnerability was likely fairly limited in terms of targeting, but as more attackers learn to replicate exploitation, we will likely see breaches as a result of this incident,” said Cutler.
Contact Us
Do you have more information about these SharePoint attacks? We’d love to hear from you. From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
Now that the vulnerability is out there, and still not fully patched by Microsoft, it’s possible other hackers that are not necessarily working for a government will join in and start abusing it, Cutler said.
Cutler added that he and his colleagues are seeing between 9,000 and 10,000 vulnerable SharePoint instances accessible from the internet, but that could change. Eye Security, which first published the existence of the bug, reported seeing a similar number, saying its researchers scanned more than 8,000 SharePoint servers worldwide and found evidence of dozens of compromised servers.
Given the limited number of targets and the types of targets at the beginning of the campaign, Cutler explained, it is likely that the hackers were part of a government group, commonly known as an advanced persistent threat.
Techcrunch event
San Francisco
|
October 27-29, 2025
The Washington Post reported on Sunday that the attacks targeted U.S. federal and state agencies, as well as universities and energy companies, among other commercial targets.
Microsoft said in a blog post that the vulnerability only affects versions of SharePoint that are installed on local networks, and not the cloud versions, which means that each organization that deploys a SharePoint server needs to apply the patch, or disconnect it from the internet.
