A mass cyber-attack exploiting a zero-day flaw in Microsoft SharePoint Server has compromised networks across sectors. Government agencies, universities and energy suppliers worldwide are being attacked.
Cloud-based SharePoint systems are safe, but on-premises SharePoint 2019 and Subscription Edition servers are in dire danger. This severe exploit has raised much concern regarding cybersecurity.
Researchers have argued that the attack is still ongoing. It is time to urgently patch systems and apply mitigation techniques to stop any further damage.
Mass cyberattack exploiting a SharePoint zero-day hits governments, universities, and energy networks worldwide.
What is the SharePoint zero-day vulnerability?
The zero-day vulnerability, tracked as CVE-2025-53770, is a severe deserialisation bug. Attackers chain it with a second bug in an exploit known as “ToolShell” to elevate their privileges and steal authentication tokens, which let them forge valid requests and impersonate services inside the network.
SharePoint 2016 previously had this vulnerability unpatched and without a workaround. According to cybersecurity experts, the flaw allows remote code execution without any user interaction, which makes it particularly dangerous in enterprise and public-sector environments.
Which organisations have been breached?
Security firm Orange Cyberdefense reports that at least 75 SharePoint servers, across countries, have been penetrated. The targets included U.S. state agencies, European government networks, and Asian telecom companies. Universities and energy-sector companies are also allegedly in the crosshairs.
The attackers display deep technical expertise and a methodical approach, and they remain adept at stealth. They operate under legitimate credentials, laundered or stolen during the breach, and use legitimate system keys. So far, according to sources familiar with the matter, no clear attribution has been made. Analysts believe the attackers could be either state-sponsored or an advanced cybercriminal syndicate.
Orange Cyberdefense reports 75 SharePoint servers breached across the US, EU, and Asia in a global cyberattack.
How should affected systems respond?
Emergency patches for SharePoint 2019 and SharePoint Server Subscription Edition were issued by Microsoft on July 17, 2025. Patching is the first critical step. However, insiders warn that if attackers have already stolen the cryptographic keys, patching alone will not revoke their access.
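The warning above is easy to miss in practice, so here is an added worked example (not code from the article, Microsoft or any vendor) that models it. It uses a deliberately simplified HMAC-signed token in place of the real ASP.NET ViewState/cookie format, and assumes a hypothetical server class, a token payload and a "leaked key" that are all constructed for the illustration. It shows that applying a patch leaves a token minted under a copied key valid, and that only rotating the machine key rejects it:

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def sign(payload: dict, machine_key: bytes) -> str:
    """Mint a token: urlsafe-base64(JSON payload) '.' HMAC-SHA256 tag.

    Simplified model of a MAC-protected token, the role the machine key plays
    for ASP.NET ViewState and authentication cookies. It is not the real
    ASP.NET or SharePoint wire format (assumption for this example)."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(machine_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class SharePointLikeServer:
    """Hypothetical server that validates tokens with its current machine key."""

    def __init__(self) -> None:
        self.machine_key = secrets.token_bytes(32)
        self.patched = False

    def apply_patch(self) -> None:
        # Closing the code-execution path does nothing to a key that was
        # already copied off the box.
        self.patched = True

    def rotate_machine_key(self) -> None:
        # Every token minted under the old key stops validating, whether it was
        # minted by an attacker or by a legitimate user: expect all existing
        # sessions to be invalidated when you do this in production.
        self.machine_key = secrets.token_bytes(32)

    def verify(self, token: str) -> Optional[dict]:
        body, _, tag = token.rpartition(".")
        expected = hmac.new(self.machine_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong or rotated key: request is rejected
        return json.loads(base64.urlsafe_b64decode(body))


def walk_through() -> dict:
    """Patch first, then rotate: only the rotation cuts off the leaked key."""
    server = SharePointLikeServer()
    leaked_key = server.machine_key  # assume this was exfiltrated during the intrusion
    # Constructed payload: a token that could be minted offline with the leaked key.
    leaked_key_token = sign({"user": "svc_admin", "role": "admin"}, leaked_key)
    result = {"accepted_before_patch": server.verify(leaked_key_token) is not None}
    server.apply_patch()
    result["accepted_after_patch"] = server.verify(leaked_key_token) is not None
    server.rotate_machine_key()
    result["accepted_after_rotation"] = server.verify(leaked_key_token) is not None
    # Legitimate tokens minted under the new key continue to work.
    fresh_token = sign({"user": "alice", "role": "user"}, server.machine_key)
    result["fresh_token_accepted"] = server.verify(fresh_token) is not None
    return result


if __name__ == "__main__":
    for check, accepted in walk_through().items():
        print(f"{check}: {'ACCEPTED' if accepted else 'rejected'}")
```

The order of operations is the point: rotating before patching would let an attacker who still has code execution simply copy the new key, so the patch closes the door and the rotation changes the lock.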
The Australian Cyber Security Centre (ACSC) and the U.S. CISA mirrored the following mitigation recommendations:
- Apply Microsoft’s July 2025 Patch Set immediately.
- .NET machine keys should be rotated so that stolen credentials are no longer accepted.
- Enable Microsoft Defender Antivirus and make sure it is integrated with AMSI.
- Examine the logs for Indicators of Compromise (IoCs), including unauthorised token use.
- Keep affected servers disconnected from any outside networks until they are secured.
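The fourth recommendation, examining logs for unauthorised token use, is the least concrete of the five. As an added example (not from the article or any agency's guidance), the following script implements one check a responder could run: a session or authentication token presented from a second client IP within seconds of its use from the first. The log layout, the sample lines and the token identifiers are all constructed for the example and stand in for an application log that records which token each request carried; they are not a real SharePoint or IIS log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines for this example. The layout
#   timestamp client_ip user token_id method path status
# is an assumption; it is not a real SharePoint or IIS log format.
SAMPLE_LOG = """\
2025-07-19T08:00:01Z 10.0.5.21 CORP\\alice tok-a1 GET /sites/finance/default.aspx 200
2025-07-19T08:00:40Z 10.0.5.21 CORP\\alice tok-a1 POST /sites/finance/_api/web 200
2025-07-19T08:01:05Z 203.0.113.77 CORP\\alice tok-a1 POST /sites/finance/_api/web 200
2025-07-19T08:02:11Z 10.0.5.30 CORP\\bob tok-b7 GET /sites/hr/default.aspx 200
2025-07-19T08:03:59Z 10.0.5.30 CORP\\bob tok-b7 GET /sites/hr/_api/lists 200
2025-07-19T09:10:00Z 10.0.5.30 CORP\\bob tok-b7 GET /sites/hr/default.aspx 200
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, ip, user, token, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "user": user, "token": token,
        "method": method, "path": path, "status": int(status),
    }


def find_token_reuse(log_text: str, max_hop: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Flag a token presented from a different client IP within max_hop of its
    previous use. A legitimate user can change networks, but not within
    seconds, so this is a strong indicator of a stolen or replayed token."""
    by_token: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_token[event["token"]].append(event)

    findings = []
    for token, events in by_token.items():
        events.sort(key=lambda e: e["ts"])
        for prev, cur in zip(events, events[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= max_hop:
                findings.append({
                    "token": token,
                    "user": cur["user"],
                    "first_ip": prev["ip"],
                    "second_ip": cur["ip"],
                    "seconds_apart": int((cur["ts"] - prev["ts"]).total_seconds()),
                    "request": f'{cur["method"]} {cur["path"]}',
                })
    return findings


if __name__ == "__main__":
    for f in find_token_reuse(SAMPLE_LOG):
        print(f"[token reuse] {f['token']} ({f['user']}): {f['first_ip']} -> "
              f"{f['second_ip']} in {f['seconds_apart']}s, {f['request']}")
```

On the sample data only tok-a1 is flagged: it hops from an internal address to an external one 25 seconds after its last use. Bob's token is used from one address throughout, so it produces no finding even though its sessions are far apart in time. Tune max_hop to the environment; VPN and proxy egress changes are the usual source of false positives.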
SharePoint 2016 users, for whom no patch is yet available, are especially exposed. The ACSC has therefore recommended that those organisations keep the affected systems isolated from the Internet.
A 0-day flaw in Microsoft SharePoint is being exploited in RCE attacks on servers globally; no patch exists and tens of thousands of servers are at risk (Washington Post) https://t.co/wlyTqhDVlI https://t.co/VsfqM59fFv https://t.co/ZOzeer2dpR
— Techmeme (@Techmeme) July 20, 2025
How serious is the attack?
The attack is viewed as one of the worst instances of cyberspace terrorism in 2025. Earlier breaches stole people's data, but the present operation allows the attackers to persist inside trusted systems. The attackers can issue commands, modify traffic and view sensitive internal documents.
The attackers bypass authentication by stealing and abusing tokens, which allows lateral movement inside the systems. Cybersecurity firm Palo Alto Networks warns that a compromise of this depth can take months to fully resolve.
The intruders' objectives remain unclear; however, the broad target set (government, education, energy) suggests an operation focused on broad surveillance or broad disruption rather than mere monetary gain.
Are SharePoint Online and Microsoft 365 affected?
Microsoft has confirmed that the cloud-based SharePoint Online is unaffected by this attack since this attack targets only the on-premises version, which an organisation hosts and manages internally.
This distinction is important. It largely means that the organisations most affected are the government and defence-related agencies that, owing to their infrastructure-security policies, still feel the need to host SharePoint locally. These are now being targeted most heavily.
Organisations running their own SharePoint servers must act immediately. Delay only prolongs undetected exposure.
Global security response and investigation
Incident response assistance is currently being provided by the FBI in the United States, the NCSC in the United Kingdom and CERT in Australia. Microsoft is also assisting affected enterprises and governments with containment. The incident is being investigated as a suspected state-actor attack.
Zero-days like this one have preceded severe attacks in the past, for example the SolarWinds breach in 2020 and MOVEit in 2023. This newest breach is now viewed as being on the same scale.
Microsoft is monitoring continuously and will issue updates as soon as they become available. Investigations are ongoing in several countries around the globe.
Outlook for organisations and cybersecurity
This breach exposes a core weakness in the software supply chain: legacy systems continue to run core infrastructure while receiving only light maintenance. The vulnerability does not exist in the cloud service, yet it remains a critical issue because of its presence in vital infrastructure.
Cybersecurity professionals stress that this attack demonstrates the need for proactive patching, endpoint detection tools and cryptographic key rotation. Organisations should treat any unpatched SharePoint server as compromised until proven otherwise.
Security leaders also urge firms to migrate off legacy systems where possible. Microsoft, in turn, will likely face increasing pressure to speed up security support and provide more clarity on its on-premises offerings.
Immediate Action Needed to Contain the Global Threat
This is a watershed moment for enterprise cybersecurity: a zero-day vulnerability being exploited in SharePoint Server. With at least 75 confirmed breaches, plus an unknown number of others, assessing the full extent of the damage may take months. Patching systems, rotating keys and blocking intrusions is therefore an immediate call to action.