DMR News

New Zero-Day Bug in Microsoft SharePoint Faces Widespread Attacks

By Yasmeeta Oon

Jul 22, 2025

The U.S. federal government and cybersecurity experts have issued urgent warnings after a newly discovered security flaw in Microsoft’s SharePoint software began to be actively exploited by hackers.

The Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations this weekend that attackers are exploiting CVE-2025-53770, a zero-day vulnerability affecting self-hosted versions of SharePoint. Microsoft has not yet released patches for all impacted versions, including editions as old as SharePoint Server 2016, leaving countless organizations exposed.

Breaches Affect Government, Education, and Energy Sectors

Although the full scope of the breach remains unclear, multiple U.S. federal agencies, universities, and energy firms have reportedly been compromised. Thousands of small to medium-sized businesses relying on the software are likely at risk.

Security researchers at Eye Security, who first uncovered the flaw, found that attackers can steal private digital keys from SharePoint servers without any login credentials. This enables hackers to remotely deploy malware and access sensitive data. Because SharePoint integrates with apps like Outlook, Teams, and OneDrive, the breach could extend across connected systems, amplifying the damage.

Mitigation Requires Patching and Key Rotation

Due to the nature of the stolen keys, simply patching the vulnerability is not enough. Organizations must also rotate digital keys to prevent hackers from regaining access.

Authorities recommend immediate measures, including disconnecting vulnerable servers from the internet until patches are available. Michael Sikorski, head of Palo Alto Networks’ Unit 42, stated, “If you have SharePoint [on-premise] exposed to the internet, you should assume that you have been compromised at this point.”

This attack is the latest in a series targeting Microsoft products. Past incidents include the 2021 Hafnium campaign, which compromised over 60,000 Microsoft Exchange servers globally, and the 2023 breach where hackers stole email signing keys from Microsoft’s cloud infrastructure. Russian-affiliated groups have also repeatedly targeted Microsoft systems.

What The Author Thinks

This SharePoint exploit illustrates the escalating dangers enterprises face when managing critical self-hosted infrastructure. Swift patching, key rotation, and comprehensive response strategies are essential. The evolving threat landscape demands closer cooperation between software vendors and users to protect vital digital assets.
