New zero-day bug in Microsoft SharePoint under widespread attack

A newly identified security vulnerability in Microsoft SharePoint is currently being exploited by hackers, prompting urgent warnings from U.S. cybersecurity officials and researchers. The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice this weekend highlighting the active exploitation of this flaw, leaving a significant number of global customers vulnerable in its wake. The vulnerability, designated as CVE-2025-53771, impacts versions of SharePoint that organizations operate on their own servers. SharePoint is a widely used platform for storing, sharing, and managing internal documents. Microsoft is aware of the issue and is reportedly working on security updates; however, many users remain defenseless against ongoing attacks due to the absence of patches. Described as a “zero day” vulnerability, it was reported without prior notice to Microsoft, affecting SharePoint Server versions as far back as 2016. The scale of the compromise is still being assessed, but it is believed that thousands of small to medium-sized businesses are at risk. Reports indicate that several U.S. federal agencies, educational institutions, and energy companies have already experienced breaches linked to these attacks. Eye Security, the firm that first brought the vulnerability to light, noted that dozens of compromised SharePoint servers were actively being exploited. The flaw allows hackers to extract sensitive digital keys from SharePoint servers without needing login credentials. This breach can lead to the remote installation of malware and unauthorized access to critical data stored within the systems. The situation is further complicated by SharePoint’s connectivity with other applications such as Outlook, Teams, and OneDrive, potentially increasing the risk of wider network breaches and data theft. Eye Security has advised affected users to not only patch the vulnerability but also to rotate their digital keys to mitigate the risk of further exploitation. CISA and industry experts are recommending immediate action for organizations at risk. In the absence of available patches, disconnecting vulnerable systems from the internet may be a necessary measure. Michael Sikorski, head of Unit 42 at Palo Alto Networks, emphasized that any organization with on-premise SharePoint exposed to the internet should assume they have already been compromised. While the identity of the attackers remains unknown, this incident highlights a troubling trend of cyberattacks targeting Microsoft users. Previous attacks have included a significant breach of Microsoft Exchange servers by a group linked to China, affecting over 60,000 servers, and a cyberattack on Microsoft’s cloud systems that allowed access to sensitive email signing keys. The ongoing vulnerabilities underscore the pressing need for organizations to bolster their cybersecurity measures and respond swiftly to emerging threats.