CIOTech Outlook Team | Monday, 21 July 2025, 09:11 IST
Microsoft has issued an urgent warning that state-sponsored attackers are actively launching cyberattacks against on-premises SharePoint servers following the discovery of a zero-day vulnerability, CVE-2025-53770. The vulnerability is being exploited against on-premises SharePoint servers deployed across many environments, including governments, multinational corporations, universities, and energy companies. It does not affect SharePoint Online, the cloud-hosted service.
The vulnerability allows attackers to carry out network-level spoofing and can lead to remote code execution, which could give malicious actors access to sensitive information and data or the ability to carry out administrative actions. Investigators have already observed successful compromise of at least 75 SharePoint servers worldwide.
Microsoft has issued a patch for SharePoint Subscription Edition, but servers running SharePoint 2016 and 2019 remain vulnerable until their updates are available. Microsoft recommends that affected organizations apply the updates immediately, or isolate at-risk servers from the internet if they cannot enable the recommended mitigation measures.
The U.S. FBI, CISA, the Defense Cyber Command, and others have begun working with Microsoft on the response. U.S. cybersecurity agencies are continuing to investigate the incident, and although considerable effort has already gone into mitigating this breach, concern remains because attackers can use stolen cryptographic keys to maintain access to compromised systems even after those systems have been patched and remediated.
The incident also has parallels with earlier incidents, such as the compromise of Microsoft's cloud services and breaches of government email. Organizations are cautioned to review their on-premises SharePoint systems immediately to ensure there is no backdoor access (especially unauthorized proxy access) and to work with the appropriate cybersecurity authorities as investigations continue.