In Short
- Zero-day SharePoint flaw exploited in global cyberattack
- Two versions of SharePoint patched, one yet to be fixed
- Hackers may retain access even after patching
A newly discovered vulnerability in Microsoft SharePoint has led to a widespread cyberattack, compromising servers across government agencies, businesses, and universities around the world. The so-called “zero-day” exploit, which targets a previously unknown flaw, has affected tens of thousands of on-premises SharePoint servers, prompting urgent security alerts and investigations in multiple countries. Microsoft confirmed the breach in a security advisory released on Saturday, warning of “active attacks” and urging immediate implementation of protective measures. “This is a significant vulnerability,” said Adam Meyers, senior vice president at cybersecurity firm CrowdStrike. “Anybody who’s got a hosted SharePoint server has got a problem.”
While Microsoft has released a patch for two versions of the software, a fix for one version, SharePoint 2016, is still being developed.
Microsoft has released a security patch for SharePoint Subscription Edition and SharePoint 2019, following active exploitation of a critical vulnerability, tracked as CVE-2025-53770, in on-premises servers. The tech giant confirmed the flaw is currently being targeted in the wild and is urging customers to apply the update immediately.
The vulnerability does not affect SharePoint Online, Microsoft said in a tweet via its Security Response Center (MSRC) handle on Sunday. However, on-premises servers remain at risk, especially those running Subscription Edition.
“We are actively working on updates for SharePoint 2016 and 2019,” Microsoft added, indicating those versions remain unpatched for now. The company has also provided detection guidance and mitigation steps for defenders, available through its official blog.
The breach does not affect SharePoint Online users within Microsoft 365’s cloud environment. Instead, it targets internal servers hosted within organisations — commonly used by government bodies and large enterprises for document sharing and collaboration.
According to The Washington Post, which first reported the incident, the hackers managed to exploit the flaw in recent days, gaining access to US federal and state agencies, European governments, energy firms, a university in Brazil, and an Asian telecommunications company. In some cases, attackers even “hijacked” public document repositories, blocking officials from accessing them.
Reportedly, the vulnerability allows for a type of spoofing attack, where an intruder can disguise themselves as a trusted source. With access to SharePoint servers, which are often connected to services like Outlook and Teams, hackers can steal sensitive data, harvest passwords, and potentially maintain long-term access using cryptographic keys.
What’s especially concerning, according to reports, is that the attackers have obtained access keys that could allow them to return even after the systems are patched. “So pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours,” one security researcher told The Washington Post.
No technical details of the exploit chain have been disclosed publicly yet, but Microsoft’s confirmation of active attacks suggests that the vulnerability may be part of a targeted campaign. The company’s advisory underscores the urgency of applying the fix, especially for enterprise systems that rely on SharePoint for collaboration and content management. Microsoft is expected to release patches for SharePoint 2016 and 2019 soon, but until then, system administrators are advised to monitor for unusual activity and follow the detection steps outlined in Microsoft’s guidance.