by Muskan Kansay - 3 weeks ago - 2 min read
A major zero-day vulnerability in Microsoft SharePoint Server has triggered a widespread cyberattack, compromising around 100 organizations worldwide, according to Eye Security and the Shadowserver Foundation. The exploited vulnerability, tracked as CVE-2025-53770, lets attackers execute code remotely on an on-premises SharePoint server; in the observed attacks they used it to upload malicious ASPX web shells and take control of the affected servers.
Attacks began escalating around July 18, 2025, targeting government agencies, energy providers, healthcare institutions, universities, and private businesses. Confirmed victims include the U.S. Department of Education, the Florida Department of Revenue, and the Rhode Island General Assembly, as well as organizations across Europe and Asia, according to reporting by The Washington Post and Reuters.
Researchers estimate that more than 8,000 SharePoint servers may be exposed globally. Beyond the initial unauthorized access, the attack allows the theft of the server's cryptographic keys (the ASP.NET machine keys that sign and encrypt request data), which gives attackers a way back in even after the initial security patches are applied unless those keys are rotated. As Eye Security notes, this persistence is particularly concerning because SharePoint is deeply integrated with other Microsoft products such as Outlook, Teams, and OneDrive, so a compromised server can become a foothold for further internal compromise.
Google’s Mandiant unit attributed the operation to a “China-nexus threat actor,” based on consistent attack methods found across victimized organizations. The campaign began with high-value targets before spreading opportunistically to other vulnerable servers.
Microsoft responded with emergency patches for SharePoint Subscription Edition and SharePoint 2019, but earlier on-premises versions remained unpatched at the time of writing, significantly increasing the risk for organizations running legacy infrastructure. The company clarified that SharePoint Online, part of Microsoft 365, is not affected.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), together with Microsoft, is actively coordinating the incident response, urging organizations to apply the patches, rotate all cryptographic keys, and conduct comprehensive breach investigations. Experts stress that patching alone offers insufficient protection: a server that was already compromised may still hold a web shell or stolen keys, and the attacker may already have moved laterally, so the patch must be paired with key rotation and a hunt for signs of compromise.
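The three-step response above (patch, hunt for web shells, rotate keys) is something an on-premises SharePoint administrator would actually type into an elevated SharePoint Management Shell. The script below is an added illustration for this article, not code from Microsoft, CISA, or the researchers cited. It assumes the default SharePoint hive path under C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16 (16 is the hive for SharePoint 2019 and Subscription Edition), assumes a cutoff date of July 17, 2025 as the "anything newer is suspicious" threshold, and assumes the Set-SPMachineKey / Update-SPMachineKey cmdlets and their -WebApplication parameter as documented in Microsoft's SharePoint PowerShell reference; confirm the cmdlet syntax against Microsoft's guidance for your build before running the rotation step, and treat every flagged file as evidence to preserve rather than delete.

```powershell
# Added example: triage an on-premises SharePoint server for dropped ASPX
# web shells, then rotate the ASP.NET machine keys that a compromised server
# may have leaked. Run from an elevated SharePoint Management Shell.

# Assumed defaults: hive 16 and a cutoff one day before the reported attack wave.
$HivePath   = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16'
$CutoffDate = Get-Date '2025-07-17'

# Directories that the SharePoint web application serves directly; an attacker
# who can write here can request the file over HTTP and run it as the app pool.
$WatchDirs = @(
    (Join-Path $HivePath 'TEMPLATE\LAYOUTS'),
    (Join-Path $HivePath 'TEMPLATE\ADMIN')
)

function Find-SuspiciousAspx {
    param(
        [string[]] $Directories,
        [datetime] $Since
    )
    # Flag .aspx/.ashx/.asmx files created or modified after the cutoff. Legitimate
    # pages in LAYOUTS are installed by setup/patches, so fresh timestamps outside a
    # patch window are unusual and worth a look.
    $hits = foreach ($dir in $Directories) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since }
    }
    foreach ($f in $hits) {
        # Hash each hit so it can be compared across servers and preserved as evidence.
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path      = $f.FullName
            Created   = $f.CreationTimeUtc
            Modified  = $f.LastWriteTimeUtc
            SizeBytes = $f.Length
            SHA256    = $hash
        }
    }
}

function Invoke-MachineKeyRotation {
    param(
        [switch] $Confirm
    )
    # Rotating the machine keys invalidates anything signed or encrypted with the
    # stolen ones. Without -Confirm the function only lists what it would touch.
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $webApps = Get-SPWebApplication -IncludeCentralAdministration
    foreach ($wa in $webApps) {
        if ($Confirm) {
            # Assumed cmdlet usage (verify against Microsoft's documentation for your build):
            # Set-SPMachineKey generates new keys, Update-SPMachineKey pushes them to web.config.
            Set-SPMachineKey    -WebApplication $wa
            Update-SPMachineKey -WebApplication $wa
            Write-Output "Rotated machine keys for $($wa.Url)"
        } else {
            Write-Output "Would rotate machine keys for $($wa.Url) (re-run with -Confirm)"
        }
    }
    if ($Confirm) {
        # New keys are read at worker-process start; restart IIS so every app pool picks them up.
        & iisreset.exe
    }
}

# Usage: hunt first, then rotate only after the patch is installed and evidence is preserved.
$suspicious = Find-SuspiciousAspx -Directories $WatchDirs -Since $CutoffDate
if ($suspicious) {
    Write-Warning "Found $($suspicious.Count) recently written server-side page(s); preserve before remediation:"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output 'No server-side pages newer than the cutoff in the watched directories.'
}
Invoke-MachineKeyRotation            # dry run; add -Confirm to actually rotate
```

The hunt is deliberately timestamp-based rather than name-based: a scan keyed to one known file name misses a renamed shell, while a fresh write to a directory that setup alone should populate is a signal regardless of what the file is called. A clean result from this script does not clear the server, since an attacker holding the old keys needs no file on disk to forge authenticated requests, which is why the rotation step is not optional.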
The incident highlights the ongoing vulnerabilities in self-hosted enterprise software and the evolving skill of sophisticated, state-linked threat actors. As of July 22, 2025, investigations continue and the full scope of the breach is still being determined.