22 July 2025

Microsoft Warns Of Active SharePoint Attacks Worldwide

A newly discovered software vulnerability in Microsoft SharePoint is being actively exploited by hackers, including a China-backed group, threatening government and business systems globally as urgent security measures are rolled out

In a rapidly unfolding cybersecurity crisis, Microsoft has issued an urgent warning about a zero-day vulnerability actively exploited in on-premises versions of its SharePoint software. This vulnerability, which has already been leveraged in attacks targeting a swath of organizations worldwide, poses a significant threat to both government agencies and private businesses relying on SharePoint for internal file sharing and workflow management.

Microsoft’s alert, published on July 20, 2025, states that the flaw allows unauthenticated attackers to gain full access to SharePoint content, including file systems and internal configurations, and to execute code on the server over the network. Crucially, the vulnerability affects only on-premises SharePoint Server; SharePoint Online in Microsoft 365 is not affected by these attacks.

The Federal Bureau of Investigation (FBI) confirmed on the same day that it is aware of these active cyberattacks and is collaborating closely with federal and private-sector partners to address the threat. However, the agency has refrained from releasing further details about the scope or specific victims of the breaches.

Echoing Microsoft’s concerns, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a statement underscoring the risk to organizations globally. CISA warned that attackers exploiting this vulnerability could execute unauthorized actions that compromise entire SharePoint servers, severely jeopardizing the confidentiality and integrity of organizational data.

International cybersecurity bodies, including New Zealand’s National Cyber Security Centre and the Australian Cyber Security Centre, are also assessing the potential impact on their respective government systems and critical infrastructure, reflecting the global nature of the threat.

Adding to the gravity of the situation, Charles Carmakal, chief technology officer at Google Cloud’s Mandiant Consulting, revealed on July 21 that a China-backed hacking group is among the perpetrators exploiting this vulnerability. Carmakal noted, however, that multiple threat actors have been observed targeting SharePoint servers, indicating that exploitation is widespread rather than the work of a single group.

The Washington Post first reported that the attacks have already breached U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications firm. Meanwhile, cybersecurity researchers at Palo Alto Networks disclosed that hackers have been stealing the servers’ ASP.NET machine keys, the cryptographic secrets SharePoint uses to sign and validate requests. A stolen key lets an attacker keep forging valid requests to the server even after the patch is applied, so until the keys are rotated, patching alone does not evict an intruder, which makes remediation considerably harder.

Google’s security team also observed attackers installing webshells — malicious scripts that provide remote control over compromised servers — and exfiltrating cryptographic secrets from victim machines. These actions allow hackers to maintain long-term footholds within targeted networks and escalate their attacks.

Microsoft has responded swiftly by releasing security updates for affected SharePoint versions and urging organizations to apply these patches immediately. For those unable to implement the recommended malware protections promptly, Microsoft advises disconnecting SharePoint servers from the internet to curb further exploitation.

Cybersecurity firm Eye has gone further, recommending that organizations take vulnerable SharePoint servers offline entirely until they have been patched and checked, since a server that is merely blocked at the firewall can still be running an attacker’s backdoor. Eye also stressed the importance of rotating all credentials and system secrets that may have been exposed, including the machine keys, and of engaging incident response teams without delay.
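The two concrete checks a SharePoint administrator would want after reading the guidance above are a hunt for newly dropped webshells under the SharePoint hive and a rotation of the ASP.NET machine keys so that any stolen copies stop working. The script below is an added example written for this article; it is not code from Microsoft, Eye, or any of the researchers quoted. The hive path, the 14-day lookback window, and the use of the `Set-SPMachineKey` / `Update-SPMachineKey` cmdlets (present in recent SharePoint Server versions, but verify them against your own version) are assumptions about the environment, and the script must run in an elevated SharePoint Management Shell on a farm server after the security update has been applied.

```powershell
# Added example (not from the article or from any vendor): post-patch checks on an
# on-premises SharePoint Server. ASSUMPTIONS: SharePoint PowerShell snap-in is available,
# Set-SPMachineKey / Update-SPMachineKey exist in this version, and the hive lives at the
# default path below. Run elevated, on a farm server, after installing the security update.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Webshell hunt: server-side script files created or modified in the hive recently.
#    Legitimate hive content changes only when SharePoint itself is updated, so anything
#    newer than the last patch window deserves a look.
$hive  = "C:\Program Files\Common Files\microsoft shared\Web Server Extensions"  # assumed default path
$since = (Get-Date).AddDays(-14)                                                  # assumed lookback window

$suspect = Get-ChildItem -Path $hive -Recurse -Include *.aspx, *.ashx, *.asmx -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
    Sort-Object CreationTime -Descending

if ($suspect) {
    Write-Warning "Recently written server-side script files found under the hive; review before rotating keys:"
    $suspect | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Host "No recently written .aspx/.ashx/.asmx files under the hive."
}

# 2. Machine key rotation: generate a fresh key per web application in the config database,
#    then push it to every server in the farm. Stolen keys are worthless once this completes.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating ASP.NET machine key for $($_.Url)"
    Set-SPMachineKey    -WebApplication $_   # assumed: generates a new key when none is supplied
    Update-SPMachineKey -WebApplication $_   # assumed: deploys the stored key to all farm servers
}

# 3. Recycle IIS so worker processes load the new keys and drop any in-memory state an
#    attacker may have established.
iisreset
```

Run the webshell hunt first and preserve anything it finds before rotating keys, because the rotation and IIS restart will disturb timestamps and in-memory evidence that an incident response team may need. Rotating the keys does not remove an existing webshell; it only stops an attacker from minting new valid requests with the old secrets, which is why the page’s advice to rotate every exposed credential and bring in responders still stands.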

This incident highlights the continued vulnerability of widely used enterprise software to sophisticated cyber threats. Microsoft, which has been rolling out its Secure Future Initiative to bolster product security following previous high-profile breaches, is still developing additional patches to protect organizations that have yet to be compromised.

The U.S. government and Microsoft are actively investigating the full extent of these intrusions and the identities of all threat actors involved. Experts caution that it may take weeks or even months to fully understand the scope and impact of the attacks.

As tens of thousands of SharePoint servers worldwide remain at risk, organizations using on-premises versions of the software face an urgent imperative to review access logs, especially if remote administrative tools were enabled, and to implement all recommended security measures without delay.

With the cyber threat landscape growing increasingly complex and state-sponsored groups among the attackers, this episode serves as a stark reminder of the critical importance of vigilant cybersecurity practices and rapid response capabilities in protecting vital digital infrastructure.