A significant security flaw has been identified in Microsoft’s SharePoint platform, a widely used tool for document management and collaboration. This vulnerability exposes more than 10,000 organizations globally to potential cyberattacks, with a substantial number of these entities based in the United States.
Nature of the Vulnerability
The flaw, designated as CVE-2025-53770, allows unauthorized attackers to execute remote code on affected SharePoint servers. This means that cybercriminals can gain full control over the compromised systems, access sensitive data, and potentially deploy malicious software. The vulnerability specifically impacts on-premises versions of SharePoint Server, including:
– SharePoint Server 2016
– SharePoint Server 2019
– SharePoint Server Subscription Edition
Notably, SharePoint Online, part of Microsoft’s cloud-based services, remains unaffected by this issue.
Scope and Impact
Cybersecurity experts have raised alarms about the extensive reach of this vulnerability. Silas Cutler, a researcher at Censys, estimates that over 10,000 companies with SharePoint servers are at risk, with the highest concentration in the U.S., followed by the Netherlands, the UK, and Canada. The flaw is particularly concerning for sectors that handle sensitive information, such as government agencies, healthcare institutions, and financial organizations.
The National Nuclear Security Administration (NNSA), responsible for managing the U.S. nuclear weapons stockpile, was among the entities breached. While no classified information is reported to have been compromised, the incident underscores the severity of the threat.
Exploitation and Threat Actors
The vulnerability has been actively exploited since at least July 7, 2025. Microsoft has identified that three China-based hacking groups, including two linked to the Chinese government—Linen Typhoon and Violet Typhoon—have been leveraging this flaw to target corporations and government agencies. These groups are known for their focus on espionage and intellectual property theft.
The exploitation involves deploying malicious web shells that extract sensitive cryptographic keys, allowing attackers to maintain persistent access to compromised systems. This method enables them to execute arbitrary commands and exfiltrate data without detection.
Microsoft’s Response and Mitigation Measures
Upon discovering the active exploitation, Microsoft promptly issued security patches for SharePoint Server 2019 and SharePoint Server Subscription Edition. Patches for SharePoint Server 2016 are forthcoming. Organizations are strongly advised to apply these updates immediately to mitigate the risk.
In addition to patching, Microsoft recommends the following actions:
– Enable Antimalware Scan Interface (AMSI): This integration helps detect and block malicious code within SharePoint.
– Deploy Defender Antivirus: Ensure that Defender AV is active on all SharePoint servers to provide real-time protection.
– Rotate ASP.NET Machine Keys: After applying the security updates, it’s crucial to rotate these keys to prevent attackers from using stolen keys to maintain access.
– Implement Endpoint Detection Tools: Utilize tools like Microsoft Defender for Endpoint to monitor and respond to suspicious activities.
For organizations unable to apply patches immediately, it’s recommended to temporarily disconnect vulnerable SharePoint servers from the internet to prevent external attacks. Additionally, IT and security teams should review logs for unusual access patterns that may indicate a breach.
Broader Implications and Recommendations
This incident highlights the critical importance of timely vulnerability management and the need for robust cybersecurity measures. Organizations should:
– Regularly Update Systems: Ensure that all software and systems are up-to-date with the latest security patches.
– Conduct Security Audits: Regular audits can help identify and remediate potential vulnerabilities before they are exploited.
– Educate Employees: Training staff on cybersecurity best practices can reduce the risk of human error leading to breaches.
– Develop Incident Response Plans: Having a clear plan in place ensures a swift and effective response to security incidents.
The exploitation of this SharePoint vulnerability serves as a stark reminder of the evolving cyber threat landscape. Proactive measures and vigilance are essential to safeguard sensitive information and maintain organizational integrity.
