Hackers are exploiting Microsoft SharePoint flaw to hit targets worldwide

‘One of the most severe server-level breaches in recent memory’

A global cyberattack is unfolding as hackers exploit a critical zero-day vulnerability in Microsoft's SharePoint software, threatening tens of thousands of on-premises servers used by businesses, governments, and institutions worldwide.

On Saturday, Microsoft issued an emergency alert acknowledging that it is aware of "active attacks" targeting the vulnerability, designated CVE-2025-53770, and that a patch is in progress.

The vulnerability affects on-premises versions of SharePoint Server, which is widely used for internal document management; Microsoft's cloud-hosted SharePoint Online, part of Microsoft 365, is not affected.

The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that hackers have been able to gain unauthorised remote access to vulnerable systems using the exploit.

"CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorised access to on-premise SharePoint servers," the agency said.

"While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organisations. This exploitation activity, publicly reported as 'ToolShell', provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network."

Making the situation more dire, reports indicate that attackers have extracted the servers' ASP.NET machine keys, the cryptographic keys used to sign and encrypt ViewState. An attacker holding those keys can forge requests the server accepts as legitimate, so access can persist even after the security update is installed unless the keys are also rotated.
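Because patching alone does not invalidate keys that have already been stolen, the practical follow-up is to rotate them once every server in the farm is updated. The PowerShell below is an added illustration, not code from the original article or from Microsoft's guidance. It assumes SharePoint Server 2019 or Subscription Edition, where the Update-SPMachineKey cmdlet is available, and it takes the fixed build number for your version as a parameter ($PatchedBuild) rather than hard-coding one; look that number up in Microsoft's advisory for your release.

```powershell
param(
    # Minimum farm build that contains the fix for your SharePoint version.
    # Supplied by the administrator from Microsoft's advisory; not hard-coded here.
    [Parameter(Mandatory = $true)][version]$PatchedBuild
)

# Run from the SharePoint Management Shell on one server in the farm,
# after the security update has been installed on every SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Refuse to rotate keys on an unpatched farm: fresh keys on a still-vulnerable
#    server can simply be stolen again through the same path.
$farm = Get-SPFarm
if ($farm.BuildVersion -lt $PatchedBuild) {
    throw "Farm build $($farm.BuildVersion) is below $PatchedBuild; install the update on all servers first."
}

# 2. Rotate the ASP.NET machine keys (ValidationKey/DecryptionKey) of every content
#    web application. Keys captured before patching can then no longer sign or
#    decrypt ViewState for these applications.
Get-SPWebApplication | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# 3. Restart IIS on every SharePoint server (database-only servers report the
#    role 'Invalid' and are skipped) so worker processes pick up the new keys.
Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | ForEach-Object {
    Write-Host "Restarting IIS on $($_.Address)"
    Invoke-Command -ComputerName $_.Address -ScriptBlock { iisreset.exe /noforce }
}
```

Run the rotation only after the update is confirmed on every server; rotating first and patching later leaves a window in which the new keys can be taken the same way the old ones were. The remote iisreset assumes PowerShell remoting is enabled between the farm servers; where it is not, run the restart locally on each server.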

Global impact

The intrusions have spanned continents, prompting coordinated investigations and emergency responses by authorities in the US, Canada and Australia.

At least 50 confirmed breaches have been documented by Dutch cybersecurity firm Eye Security, which first reported the exploitation in the wild.

Targets include: US federal and state government agencies, European government offices, educational institutions, energy companies and private enterprises worldwide.

One US state official from the eastern region, speaking on condition of anonymity, told the Washington Post that hackers had "hijacked" a public-facing repository of government documents designed to help citizens understand local policies.

"We will need to make these documents available again in a different repository," the official said, adding that the agency itself no longer has access to the material.

At the time of writing, Microsoft has released patches for SharePoint Server 2019 and SharePoint Server Subscription Edition. SharePoint Server 2016 is still awaiting a fix, and older releases, which are out of support, remain vulnerable, leaving many organisations exposed.

In many cases, breached SharePoint servers are deeply integrated with other Microsoft services such as Outlook, Teams and OneDrive, increasing the likelihood of data theft, password harvesting and broader system compromise.

Some European governmental bodies have reported temporary disruptions to public document access, while multiple universities and energy companies are scrambling to assess the scope of the breach.

The FBI released a statement acknowledging the incident: "We are working closely with our federal government and private sector partners to assess and respond to this serious cybersecurity threat."

Unknown motivations and origins

While it remains unclear who is behind the attack or their ultimate objectives, evidence suggests the campaign has targeted entities across North America, Europe and parts of Asia, including servers in China and a US state legislature.

One private research company reported that an unnamed large state energy provider was among the compromised organisations, and several European government agencies are also believed to have been infiltrated.

Cybersecurity experts are calling this incident one of the most severe server-level breaches in recent memory, urging administrators to apply available patches immediately, verify credentials and prepare for potential long-term remediation efforts.

"Right now, anyone with an externally facing SharePoint on-premises server is at risk regardless of what industry they are part of. If possible, organisations should restrict access to any externally available vulnerable SharePoint server," Thomas Richards, infrastructure security practice director at Black Duck, said.

"Security teams should also add endpoint protection software to their SharePoint servers and review system logs for evidence of a compromise as documented by the researchers. Software security is a very difficult problem for organisations to solve. Large codebases which consist of legacy code increase that challenge, as the original software wasn't written with modern secure code guidance. Introducing a fix can sometimes have other implications if the original vulnerability isn't fully resolved."