Massive SharePoint Vulnerability Exploited: Hundreds of Organizations Compromised

A significant security flaw in Microsoft’s SharePoint server software has been exploited by cyber attackers, leading to breaches in at least 400 organizations worldwide. This vulnerability, identified as CVE-2025-53770, allows unauthorized remote code execution on affected servers, granting attackers access to sensitive data and the potential to infiltrate broader network systems.

Discovery and Initial Exploitation

The vulnerability was first detected by Eye Security, a Dutch cybersecurity firm, which observed a sharp increase in compromised SharePoint servers. Initial reports indicated dozens of affected servers, but this number has escalated to over 400 as more organizations assess their systems. Notably, the National Nuclear Security Administration (NNSA), responsible for the U.S. nuclear weapons stockpile, was among the compromised entities. Other government departments and agencies have also reported breaches, with evidence suggesting that exploitation began as early as July 7, 2025.

Technical Details of the Vulnerability

CVE-2025-53770 is a zero-day vulnerability affecting self-hosted versions of Microsoft SharePoint. When exploited, it enables attackers to execute arbitrary code remotely, giving them unauthorized access to stored files and the ability to move laterally within the organization’s network. The flaw does not affect SharePoint Online in Microsoft 365; only on-premises deployments are affected.

Response and Mitigation Efforts

Upon discovery, Microsoft released patches for all affected SharePoint versions to address the vulnerability. Organizations are urged to apply these updates promptly to mitigate the risk of exploitation. Additionally, Microsoft recommends configuring the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender Antivirus or other endpoint detection and response (EDR) solutions. In cases where immediate patching is not feasible, disconnecting SharePoint servers from the internet is advised until mitigations can be implemented.

Attribution and Ongoing Threats

Both Microsoft and Google have attributed the exploitation of this vulnerability to several China-backed hacking groups, including Linen Typhoon and Violet Typhoon. These groups are known for their focus on cyber espionage and intellectual property theft. The Chinese government has denied involvement in these attacks. Cybersecurity experts warn that, despite the release of patches, organizations that have already been compromised may remain vulnerable if attackers have established persistent access through stolen credentials or implanted backdoors.

Global Impact and Sectoral Vulnerabilities

The breach has had a widespread impact, affecting organizations across various sectors, including government agencies, educational institutions, healthcare providers, and energy companies. In the United States, federal and state entities, universities, and energy companies have reported incidents. Internationally, governments in Europe and the Middle East have also been targeted. The UK’s National Cyber Security Centre (NCSC) reported a limited number of UK companies being compromised, emphasizing the global reach of this cyber-espionage campaign.

Recommendations for Organizations

Organizations utilizing on-premises SharePoint servers are advised to:

1. Apply Security Updates: Ensure that all SharePoint servers are updated with the latest patches provided by Microsoft.

2. Implement Security Configurations: Configure AMSI integration and deploy robust antivirus and EDR solutions to detect and prevent malicious activities.

3. Monitor for Indicators of Compromise (IoCs): Regularly review system logs and network traffic for signs of unauthorized access or unusual behavior.

4. Rotate Credentials: Change all potentially compromised credentials, including machine keys and administrative passwords, to prevent unauthorized re-entry.

5. Engage Cybersecurity Experts: If a breach is suspected, involve cybersecurity professionals to conduct thorough incident response and remediation efforts.
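The following PowerShell script is an added illustration of steps 1, 3 and 4 above and of the mitigation section earlier in the article; it is not code from the article, from Microsoft, or from Eye Security. It assumes an elevated SharePoint Management Shell on an on-premises server, that the `Microsoft.SharePoint.PowerShell` snap-in and the `Get-SPFarm`, `Get-SPWebApplication` and `Update-SPMachineKey` cmdlets are available on the installed version, and that the LAYOUTS directories live under the usual `Web Server Extensions\16` (or `15`) path. The cut-off date defaults to the article’s earliest reported exploitation date, July 7, 2025. Key rotation is behind a switch so the script is read-only unless you opt in.

```powershell
# Added triage script (not from the article). Assumptions: SharePoint Management
# Shell, standard LAYOUTS paths, and the Get-SPFarm / Get-SPWebApplication /
# Update-SPMachineKey cmdlets present on this build. Check the cmdlet names
# against Microsoft's current guidance for your SharePoint version before use.
param(
    [datetime]$Since = [datetime]'2025-07-07',   # earliest exploitation date named in the article
    [switch]$RotateKeys                          # off by default: review findings before rotating
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: record the farm build so it can be compared with the fixed build numbers
# in Microsoft's advisory (compare by hand; the fixed builds are not hard-coded here).
$farm = Get-SPFarm
"Farm build: $($farm.BuildVersion)"

# Step 3: list server-side pages written into the LAYOUTS directories since the cut-off.
# Files dropped by a remote-code-execution attack on SharePoint commonly appear here,
# so anything newer than your last patch installation deserves review.
$layouts = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
) | Where-Object { Test-Path $_ }

$suspect = Get-ChildItem -Path $layouts -Recurse -Include *.aspx,*.ashx,*.asmx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since }

if ($suspect) {
    "LAYOUTS files created or modified since $($Since.ToShortDateString()) (review each one):"
    $suspect | Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, Length | Format-Table -AutoSize
} else {
    "No LAYOUTS files created or modified since $($Since.ToShortDateString())."
}

# Step 4: rotate the ASP.NET machine keys for every web application, then restart IIS
# so all worker processes pick up the new keys. An attacker who captured the old keys
# keeps a way back in after patching, so rotation is part of remediation, not optional.
if ($RotateKeys) {
    foreach ($wa in Get-SPWebApplication) {
        "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset.exe
}
```

Run it first without `-RotateKeys` to capture the build number and any recently changed LAYOUTS files as evidence; preserve copies of those files before remediation so incident responders can examine them. Run it again with `-RotateKeys` only after the security update has been installed, since rotating keys on an unpatched server does not stop re-exploitation.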

Conclusion

The exploitation of the CVE-2025-53770 vulnerability in Microsoft SharePoint underscores the critical importance of timely software updates and robust cybersecurity practices. Organizations must remain vigilant, apply necessary patches, and implement comprehensive security measures to protect against evolving cyber threats.