Microsoft Servers Hacked: Hackers Breach Thousands of Microsoft SharePoint Systems in Coordinated Global Attack on Governments and Businesses

Microsoft has alerted organizations about active attacks exploiting a vulnerability in SharePoint servers, impacting over 10,000 on-premise installations, including those at businesses and government agencies. The zero-day exploit has triggered widespread concern, prompting security alerts and investigations across multiple countries.
Microsoft acknowledged the breach in a security advisory released over the weekend and urged affected organizations to implement protective measures immediately. The vulnerability does not affect SharePoint Online in Microsoft 365, which operates in the cloud, but on-premise servers remain at risk.
The attack appears to be the work of a single threat actor—at least for now. Rafe Pilling, Director of Threat Intelligence at British cybersecurity firm Sophos, said the evidence points to a coordinated campaign.
“Based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be a single actor. However, it’s possible that this will quickly change,” Pilling said.
That tradecraft included the repeated use of the same digital payload against multiple targets, suggesting a deliberate and calculated strike.
The scale of the exposure is significant. According to data from Shodan, a search engine that scans and indexes internet-connected devices, over 8,000 vulnerable SharePoint servers have been identified online. These servers belong to a range of organizations, including banks, auditing firms, healthcare providers, and various government agencies at both state and international levels.
Microsoft Vulnerability Affects Every Supported On-Premises SharePoint Server Version
Microsoft has already released a patch for affected versions of SharePoint. Those running SharePoint 2019 or SharePoint Subscription Edition can now download and apply the security patch to protect against the CVE-2025-53770 vulnerability. For organizations using SharePoint 2016, however, a fix is still under development. Until then, systems remain exposed to potential attacks if not otherwise secured.
Microsoft is encouraging all administrators to act quickly, applying the necessary updates and investigating their systems for signs of compromise. But some experts warn that patching alone may not be enough.
“The SharePoint incident appears to have created a broad level of compromise across a range of servers globally,” said Daniel Card of British cybersecurity consultancy PwnDefend. “Taking an assumed breach approach is wise, and it’s also important to understand that just applying the patch isn’t all that is required here.”
Critical SharePoint Exploits Exposed
In a post titled “Critical SharePoint Exploits Exposed: MDVM Response and Protection Strategy,” Microsoft confirmed it is actively tracking ongoing attacks targeting on-premises SharePoint Server customers. The company outlined the status of patches related to multiple vulnerabilities, including a zero-day flaw that has already been exploited in the wild.
Below is the list of affected products, according to Microsoft:
Affected Products & Versions
Product | CVE-2025-49704 | CVE-2025-49706 | CVE-2025-53770 | CVE-2025-53771 |
--- | --- | --- | --- | --- |
SharePoint Server Subscription Edition | ✅ Affected | ✅ Affected | ✅ Affected | ✅ Affected |
SharePoint Server 2019 | ✅ Affected | ✅ Affected | ✅ Affected | ✅ Affected |
SharePoint Server 2016 | ✅ Affected | ✅ Affected | ✅ Affected | ✅ Affected |
SharePoint Online | ❌ Not affected | ❌ Not affected | ❌ Not affected | ❌ Not affected |
As of now, it’s still unclear who is behind the attack. The FBI confirmed that it’s aware of the situation and is working with federal and private-sector partners to investigate. Britain’s National Cyber Security Centre has not yet issued a response.
The Washington Post reported that the exploit has already been used to target agencies and businesses in both the U.S. and abroad.
The situation is ongoing, and with the exploit now public, copycat attacks are likely to follow. For now, Microsoft and cybersecurity teams worldwide are racing to contain the damage—while the full extent of the breach remains to be seen.
How This Breach Compares to Past Microsoft Security Incidents
This isn’t the first time Microsoft has had to deal with a widespread exploit targeting its enterprise software. In 2021, Microsoft Exchange servers were hit by a large-scale attack that compromised over 250,000 systems globally. That incident, later attributed to state-sponsored actors, exploited four previously unknown vulnerabilities and allowed attackers to access emails, install backdoors, and exfiltrate data from a wide range of organizations—including government agencies and critical infrastructure.
This SharePoint breach, while different in scope and nature, feels eerily familiar: a zero-day exploit, a large installed base of exposed on-premise servers, and a scramble to patch and assess damage after the fact. What makes this attack particularly dangerous is that SharePoint is often deeply embedded within internal networks—used for document sharing, collaboration, and access control. In many cases, compromised SharePoint servers could act as stepping stones into larger enterprise environments.
What Organizations Should Do Beyond Patching
Microsoft has released patches for SharePoint 2019 and Subscription Edition, but stopping here isn’t enough. Security experts recommend organizations take a layered response approach:
- Assume Breach: Organizations should treat any unpatched or recently patched SharePoint server as potentially compromised. Run forensic checks, review logs, and look for indicators of compromise (IoCs) provided by Microsoft or threat intel vendors.
- Limit External Exposure: If your SharePoint servers are directly exposed to the internet, now is the time to reconsider that setup. Use VPNs or proxy layers to limit public access.
- Monitor for Lateral Movement: If attackers have gained access to one server, they may be probing the internal network for further vulnerabilities. Endpoint detection tools and lateral movement analysis can help contain spread.
- Update Incident Response Plans: Many orgs still focus their IR playbooks on ransomware or phishing. This attack highlights the need for better readiness around zero-day infrastructure breaches.
- Isolate Legacy Systems: SharePoint 2010 and 2013 remain unpatched and unsupported. Any lingering deployments should be immediately segmented or shut down.
Why This Matters
Incidents like this aren’t just tech stories—they’re national security events. With governments and healthcare systems relying on these platforms daily, even a brief compromise can lead to sensitive data exposure, service disruption, or follow-on attacks.
And with the rise of cloud migration, these attacks are putting renewed pressure on enterprises still running legacy on-premise software—often because of regulatory, integration, or budget constraints. For attackers, it’s low-hanging fruit. For defenders, it’s a nightmare that doesn’t go away with a single patch.