Zero-day assault on Microsoft SharePoint places global organisations in the cross-hairs
A newly discovered pair of zero-day flaws in on-premises versions of Microsoft SharePoint has triggered an international scramble to patch servers, isolate networks and hunt for intruders. Security researchers say the campaign has already breached government departments, universities, energy companies and telecom providers across at least three continents. Thousands more organisations could be exposed if they do not act fast.
A rapid-fire timeline
- 15 to 17 May: A team at the Pwn2Own Berlin contest chained two previously unknown SharePoint bugs to achieve remote code execution without authentication. Microsoft acknowledged the report but released only partial mitigations.
- 18 July: Dutch firm Eye Security detected live exploitation against European customers and published the first public alert. Microsoft assigned the flaws CVE-2025-53770 and CVE-2025-53771.
- 19 and 20 July: Independent researchers confirmed at least 85 fully compromised servers and warned that stolen cryptographic keys let attackers persist even after normal patching.
- 21 July: News agencies reported that the breaches appeared to follow a single playbook, hitting more than 8,000 public-facing servers worldwide.
- 22 July: Microsoft issued emergency cumulative updates for SharePoint Subscription Edition and SharePoint 2019, promising a SharePoint 2016 fix in the coming days.
How the exploit works
The attack links two vulnerabilities into a chain dubbed ToolShell. First, an unauthenticated call triggers a logic flaw that leaks a server-side signing key. With that key in hand, a second bug lets the intruder impersonate any legitimate user or service, upload malicious web parts and execute arbitrary code. Because the stolen key remains valid, rebooting or even patching an already breached server does not eject the attacker.
Once inside SharePoint, adversaries gain a perfect beach-head. Many organisations tightly integrate SharePoint with Exchange Online, Teams and OneDrive. Attackers can therefore harvest credentials, siphon sensitive documents and pivot laterally through single sign-on tokens into those connected services.
Who is in the firing line
Only on-premises editions are vulnerable. Microsoft 365’s cloud-hosted SharePoint Online runs a different code base and is not affected. Analysts estimate that tens of thousands of companies and public bodies continue to self-host SharePoint for workflow customisation or data-sovereignty reasons. Confirmed targets so far include United States state agencies, an Asian telecom carrier, higher-education networks and multiple energy producers.
Government alarm bells
The United States Cybersecurity and Infrastructure Security Agency has added both CVEs to its Known Exploited Vulnerabilities catalogue and ordered federal civilian agencies to disconnect or patch susceptible servers immediately. Investigators from the FBI and international partners are also examining intrusions.
A likely state-sponsored origin
Early telemetry shows compromised American servers communicating with Chinese IP addresses, leading several incident-response firms to suspect a Beijing-linked espionage group. Microsoft and government spokespeople have not formally attributed the campaign, but researchers note parallels with the 2021 Exchange Server “Hafnium” attacks.
Microsoft’s patch and lingering risks
The emergency update closes both vulnerabilities in SharePoint Subscription Edition and SharePoint 2019. A fix for SharePoint 2016 is promised soon. However, Microsoft concedes that servers compromised before patching may remain at risk because attackers can keep using already stolen signing keys. The company urges administrators to perform key rotation, review Unified Access Logging and enable tamper-proof auditing.
What organisations should do now
- Identify exposure. Inventory every on-premises SharePoint instance, including test and staging boxes that may sit outside routine patch cycles.
- Apply updates. Install Microsoft’s July 2025 security update or the interim mitigation script. Where no patch is yet available, restrict external access and enforce network segmentation.
- Rotate secrets. Replace OAuth certificates, refresh session tokens and reset any service accounts that authenticate through the compromised server.
- Hunt for persistence. Scan for unauthorised web parts, abnormal scheduled tasks and outbound traffic to unfamiliar IP ranges.
- Plan for the future. Consider migrating collaboration workloads to the cloud or deploying continuous monitoring and application-layer firewalls to shrink the attack surface.
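The steps above, together with the key-rotation advice in Microsoft’s guidance, can be driven from one PowerShell triage script run on each on-premises server after the update is installed. The script below is an added example written for this article; it is not from the article, from Eye Security or from Microsoft. The SharePoint cmdlets (Get-SPFarm, Get-SPWebApplication, Update-SPMachineKey), Get-ScheduledTask, Get-NetTCPConnection and the 16-hive LAYOUTS path are real; the output path, the look-back window, the $FixedBuild value, the egress allow-list and the availability of Update-SPMachineKey on a particular build are assumptions that must be confirmed against Microsoft’s advisory for the farm in question.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not from the article, not Microsoft's own tooling). Run on each
# on-premises SharePoint server once the July 2025 security update is installed. The
# SharePoint cmdlets and the 16-hive path are real; $Report, $LookbackDays, $FixedBuild and
# $AllowedEgress are placeholders (assumptions) to be set per environment.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$Report        = "C:\IR\sharepoint-triage-$(Get-Date -Format 'yyyyMMdd-HHmm').txt"  # assumed output path
$LookbackDays  = 14                 # assumed window; widen it if the first exploitation predates your logs
$FixedBuild    = [Version]'0.0.0.0' # placeholder: take the fixed build number from Microsoft's advisory
$AllowedEgress = @()                # assumed: public IPs the farm legitimately talks to (update servers, SIEM)

New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null
function Write-Finding([string]$Text) { $Text | Tee-Object -FilePath $Report -Append }

# RFC 1918 / loopback test. IPv6 addresses return $false so they are reported, never silently skipped.
function Test-PrivateIPv4([string]$Address) {
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. Identify exposure: record the farm build and every web application, Central Administration included.
$farm = Get-SPFarm
Write-Finding "Farm build: $($farm.BuildVersion) (fixed build placeholder: $FixedBuild)"
if ($farm.BuildVersion -lt $FixedBuild) {
    Write-Finding "!! Build is below the fixed build: install the July 2025 security update before continuing"
}
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Finding "Web application: $($_.DisplayName) -> $($_.Url)"
}

# 2. Rotate secrets: re-key the ASP.NET machine keys of every web application, then recycle IIS,
#    because a signing key stolen before patching stays valid until it is replaced.
#    Assumes Update-SPMachineKey exists on this build; otherwise rotate from Central Administration.
if (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue) {
    Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
        Update-SPMachineKey -WebApplication $_
        Write-Finding "Machine key rotated for $($_.Url)"
    }
    iisreset | Out-Null
} else {
    Write-Finding "!! Update-SPMachineKey not available on this build; rotate machine keys from Central Administration"
}

# 3. Hunt for persistence.
$since = (Get-Date).AddDays(-$LookbackDays)

# 3a. Recently written pages in the LAYOUTS hive. Legitimate updates touch these too, so compare
#     each hit against the update's file list instead of treating every entry as malicious.
$layouts = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
Get-ChildItem -Path $layouts -Recurse -Include *.aspx, *.ashx -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object { Write-Finding "Recent layout file: $($_.FullName) ($($_.LastWriteTime))" }

# 3b. Enabled scheduled tasks not authored by Microsoft.
Get-ScheduledTask | Where-Object { $_.Author -notlike 'Microsoft*' -and $_.State -ne 'Disabled' } |
    ForEach-Object { Write-Finding "Non-Microsoft scheduled task: $($_.TaskPath)$($_.TaskName) (author: $($_.Author))" }

# 3c. Established outbound connections to non-private addresses, with the owning process.
#     Connections opened by the IIS worker (w3wp) deserve the closest look.
Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateIPv4 $_.RemoteAddress) -and $AllowedEgress -notcontains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $flag = if ($proc.Name -eq 'w3wp') { '!!' } else { '  ' }
        Write-Finding "$flag Outbound $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) by $($proc.Name) (PID $($_.OwningProcess))"
    }

Write-Finding "Triage written to $Report"
```

Run it from an elevated SharePoint Management Shell on every farm member, not just the web front ends, and keep the report files off the server being examined. Rotation in step 2 invalidates existing sessions and any tokens signed with the old key, so schedule it alongside the OAuth certificate and service-account resets the list above calls for rather than as an isolated action.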
Security specialists warn that simply closing the initial door is not enough. “Assume breach and validate each pathway back to production,” Eye Security’s incident-response lead advised in a briefing.
A wake-up call for legacy collaboration stacks
This is the third major exploitation of legacy Microsoft collaboration software in four years, following the Exchange ProxyLogon and ProxyNotShell debacles. Each episode has highlighted how patch lag and on-premises customisation create attractive inroads for both espionage and criminal crews. Analysts predict the latest incident will accelerate board-level discussions about cloud migration but caution that full software-as-a-service adoption will not eliminate risk if identity platforms are still anchored on-prem.
Outlook
With patches now rolling out, containment is possible, but eradication will be costly. Forensics teams must rebuild trust in authentication material, and regulators are expected to demand disclosure from critical infrastructure operators. The episode also intensifies political pressure on Microsoft, already under scrutiny after earlier supply-chain failures. The company says it is reviewing its internal security development lifecycle, yet commentators argue that customers must assume a more aggressive defence posture rather than rely solely on vendor patches.
Digital collaboration is here to stay, and so are the motivated actors probing its weakest points. The SharePoint zero-day chain is a stark reminder that convenience can hide deep-seated complexity. Until organisations bake continuous threat modelling and rigorous patch discipline into their operational DNA, similar crises will likely recur.
