A critical vulnerability in Microsoft's SharePoint Server software has been exploited in a widespread cyberattack, compromising over 400 organizations globally. This breach has affected a diverse range of entities, including government agencies, educational institutions, and corporations, underscoring the pervasive threat posed by such vulnerabilities.

The Vulnerability and Its Exploitation

The flaws, tracked as CVE-2025-53770 and CVE-2025-53771, reside in on-premises versions of SharePoint Server. Exploitation allows attackers to gain unauthorized access to SharePoint servers, enabling them to steal authentication keys, impersonate users or services, and potentially access sensitive data. Notably, this issue does not affect Microsoft's cloud-based SharePoint Online service.

Cybersecurity firm Eye Security reported that the attacks began on July 7, 2025, with multiple waves of exploitation observed. Their analysis revealed that more than 400 systems worldwide exhibited signs of active compromise.

Scope of the Breach

The cyberattack has had a broad impact, affecting various sectors and regions. In the United States, the National Nuclear Security Administration (NNSA), responsible for maintaining the nation's nuclear weapons stockpile, confirmed that a small number of its systems were impacted. Other affected entities include the U.S. Department of Education, Florida's Department of Revenue, and the Rhode Island General Assembly.

Internationally, organizations in countries such as South Africa, Mauritius, Jordan, and the Netherlands have also been compromised. The widespread nature of the attack highlights the global reach and sophistication of the threat actors involved.

Attribution and Threat Actors

Microsoft has attributed the attacks to multiple China-based hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. These groups are believed to be state-sponsored and have a history of conducting cyber espionage campaigns targeting government agencies and critical infrastructure.

The involvement of these groups suggests a coordinated effort to exploit the SharePoint vulnerability for intelligence gathering and potential disruption of critical services.

Microsoft's Response and Mitigation Measures

In response to the active exploitation, Microsoft released emergency patches for SharePoint Server 2019 and the SharePoint Server Subscription Edition. However, as of the latest reports, a patch for SharePoint Server 2016 has not yet been released, leaving some systems vulnerable.

Microsoft has urged organizations to apply the available patches immediately, enable the Antimalware Scan Interface (AMSI), rotate MachineKey data, and monitor systems for indicators of compromise. Additionally, organizations are advised to temporarily remove public exposure of SharePoint servers and isolate affected hosts to prevent further exploitation.

Recommendations for Organizations

Given the severity and scope of the attack, organizations using on-premises SharePoint servers should take the following steps:

  • Apply Security Updates: Ensure that all available patches are applied promptly to mitigate the vulnerability.

  • Rotate Credentials: Change all authentication keys and credentials to prevent unauthorized access.

  • Monitor Systems: Implement continuous monitoring to detect any signs of compromise or unusual activity.

  • Isolate Affected Systems: Disconnect compromised servers from the network to prevent lateral movement by attackers.

  • Engage Cybersecurity Experts: Seek assistance from cybersecurity professionals to assess the extent of the breach and implement remediation measures.
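The patching, key-rotation and monitoring steps above can be checked from the SharePoint Management Shell. The script below is an added example written for this article, not Microsoft's guidance or code; it assumes the default 16-hive LAYOUTS install path, uses a placeholder for the minimum patched build number (take the real value from Microsoft's advisory), and relies on the SharePoint Server cmdlets `Get-SPFarm`, `Get-SPWebApplication` and `Update-SPMachineKey` (the cmdlet that triggers the machine key rotation timer job). The `$LookbackDays` window and the `-RotateKeys` switch are this example's own conventions.

```powershell
# Added example (not from the article): post-incident hygiene checks for an
# on-premises SharePoint farm. Run from the SharePoint Management Shell as a
# farm administrator. Key rotation is only performed when -RotateKeys is given.
param(
    # PLACEHOLDER: replace with the build number Microsoft lists for the fixed update.
    [version]$MinimumPatchedBuild = '0.0.0.0',
    # Assumed review window for recently changed files in the LAYOUTS directory.
    [int]$LookbackDays = 30,
    [switch]$RotateKeys
)

# Load the SharePoint cmdlets if this is a plain PowerShell session.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Apply Security Updates: compare the farm build to the minimum patched build.
$farm  = Get-SPFarm
$build = $farm.BuildVersion
if ($build -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build $build is below the patched build $MinimumPatchedBuild. Apply the security update before continuing."
} else {
    Write-Host "Farm build $build meets the minimum patched build." -ForegroundColor Green
}

# 2. Monitor Systems: list .aspx files under the 16-hive LAYOUTS directory that were
#    created or modified inside the review window. Web-facing application pages
#    rarely change outside of patching, so anything here deserves a closer look.
$layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$since   = (Get-Date).AddDays(-$LookbackDays)
$recent  = Get-ChildItem -Path $layouts -Filter '*.aspx' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since -or $_.CreationTime -gt $since }

if ($recent) {
    Write-Warning "$($recent.Count) .aspx file(s) in LAYOUTS changed since $since. Review each one:"
    $recent | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Host "No .aspx files in LAYOUTS changed in the last $LookbackDays days." -ForegroundColor Green
}

# 3. Rotate Credentials: request ASP.NET machine key rotation for every web
#    application, including Central Administration. Without -RotateKeys the
#    script only reports what it would do.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    if ($RotateKeys) {
        Update-SPMachineKey -WebApplication $webApp
        Write-Host "Machine key rotation requested for $($webApp.Url)"
    } else {
        Write-Host "Would rotate machine key for $($webApp.Url) (re-run with -RotateKeys)"
    }
}

if ($RotateKeys) {
    # Rotation takes effect after IIS is restarted on every server in the farm;
    # do that deliberately (iisreset on each host) rather than from this script.
    Write-Host "Restart IIS on all SharePoint servers to complete the key rotation."
}
```

Run it once without `-RotateKeys` to see the patch status and any recently changed application pages, and again with `-RotateKeys` only after the update is confirmed installed, since rotating keys on an unpatched server leaves the attacker a path back in. The file scan is a starting point for the "Monitor Systems" step, not a substitute for reviewing IIS logs and the indicators of compromise Microsoft publishes.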

The rapid escalation of this cyberattack underscores the critical importance of timely patching and proactive cybersecurity practices. Organizations must remain vigilant and responsive to emerging threats to safeguard their systems and sensitive data.