It started quiet. Then it spread. A zero-day flaw buried inside Microsoft’s SharePoint server software has been exploited in a sweeping cyberattack. The breach began July 18. It’s now confirmed that federal agencies, universities, energy firms, and banks have been compromised. The flaw allows remote code execution. No login needed. No warning. No patch for SharePoint 2016. Microsoft says users should unplug servers from the internet.
The attack only affects on-premises SharePoint setups. Cloud-based systems like Microsoft 365 are untouched. But tens of thousands of organizations still run local servers. That includes state legislatures, European ministries, and telecom firms in Asia. Eye Security found 85 compromised servers across 29 institutions. The exploit chain is being called ToolShell. It lets hackers steal machine keys, impersonate users, and move laterally across networks.
Microsoft released emergency patches for SharePoint Server 2019 and the Subscription Edition. CVE-2025-53770 scored 9.8 on CVSS. That’s critical. CVE-2025-53771 adds spoofing risk. Both flaws allow attackers to bypass identity protections like MFA and SSO. Once inside, they can access Outlook, Teams, OneDrive, and internal file systems. The FBI and CISA are investigating. Canada and Australia joined the probe.
The vulnerability stems from how SharePoint deserializes untrusted data. Attackers can inject payloads before authentication. They use PowerShell to drop ASPX files, steal cryptographic keys, and forge __VIEWSTATE tokens. That lets them execute commands as trusted users. Even patched servers remain exposed: stolen keys keep working until they are rotated and IIS is restarted. Microsoft says AMSI must be enabled. If it can't be, disconnect the server.
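The two behaviours above, unauthenticated requests hitting SharePoint's _layouts pages and new ASPX files appearing there, both leave traces in IIS logs. The triage below is an added example, not code from the article or from Microsoft; the W3C field layout, the sample log lines, the client addresses and the `KNOWN_LAYOUT_PAGES` allowlist are all constructed, and a real hunt would substitute the farm's own baseline and the vendor's published indicators.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed IIS W3C field layout; must match the #Fields directive in the log.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed allowlist: pages a baseline farm legitimately serves under /_layouts/.
# Any other .aspx there is a candidate dropped web shell and needs a look on disk.
KNOWN_LAYOUT_PAGES = {"/_layouts/15/start.aspx", "/_layouts/15/settings.aspx",
                      "/_layouts/15/signout.aspx"}

# Constructed sample log: one normal user, one unauthenticated POST followed by
# a fetch of a page that is not in the baseline, one normal admin POST.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 02:11:05 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.0.50 Mozilla/5.0 - 200 0 0 120
2025-07-18 02:12:40 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 310
2025-07-18 02:12:41 10.0.0.5 GET /_layouts/15/dropped.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15
2025-07-18 02:15:00 10.0.0.5 POST /_layouts/15/settings.aspx - 443 bob 10.0.0.51 Mozilla/5.0 - 200 0 0 90
"""

Finding = Tuple[str, str, str]  # (rule, uri-stem, client ip)


def parse_iis(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by FIELDS; skip directives."""
    records = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or differently-configured line; log it in practice
        records.append(dict(zip(FIELDS, parts)))
    return records


def triage(records: List[Dict[str, str]]) -> List[Finding]:
    """Flag pre-auth POSTs to /_layouts/ that succeeded, and non-baseline .aspx hits."""
    findings: List[Finding] = []
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if not stem.startswith("/_layouts/"):
            continue
        unauthenticated = r["cs-username"] == "-"   # IIS logs '-' when no identity
        if r["cs-method"] == "POST" and unauthenticated and r["sc-status"] == "200":
            findings.append(("unauth-post", stem, r["c-ip"]))
        if stem.endswith(".aspx") and stem not in KNOWN_LAYOUT_PAGES:
            findings.append(("unknown-aspx", stem, r["c-ip"]))
    return findings


def triage_log(text: str) -> List[Finding]:
    return triage(parse_iis(text.splitlines()))
```

Every finding should be corroborated on the server: stat the flagged .aspx under the SharePoint web root, and treat a pre-auth POST from the same address minutes earlier as the likely drop.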
CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog on July 20. Federal agencies must remediate by July 21. But private firms are on their own. Microsoft’s guidance says to apply updates, rotate keys, and deploy Defender for Endpoint. SharePoint Server 2016 users are still waiting. No fix yet. No timeline.
The breach is ongoing. The attackers haven’t been identified. But the tradecraft is consistent. Experts say it’s likely a single actor. The campaign is still active. Data theft, password harvesting, and lateral movement are confirmed. The blast radius is growing.
Microsoft’s stock held flat on July 21. But the reputational hit is real. This is the third major breach in four years. Exchange Server in 2021. Midnight Blizzard in 2024. Now SharePoint. The flaw was discovered by Eye Security and reported through Trend Micro’s Zero Day Initiative. Microsoft acknowledged the issue July 19. The exploit was already live.
If your organization runs SharePoint locally, assume compromise. Disconnect. Patch. Rotate keys. Monitor logs. The attackers are inside. And they’re not done.
Sources
https://techcrunch.com/2025/07/21/new-zero-day-bug-in-microsoft-sharepoint-under-widespread-attack/
https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html