
Government and Business Servers Breached in New Microsoft SharePoint Exploit

Struck without warning.
Lily Morris
Contributing Writer

A newly discovered zero-day vulnerability in Microsoft’s SharePoint server software has triggered a wave of cyberattacks, breaching systems at multiple federal agencies, private companies, and universities.

Tracked as CVE-2025-53770, the flaw affects only on-premises SharePoint Server deployments, not SharePoint Online in Microsoft 365. It allows attackers to access internal file systems and execute unauthorized code, posing a serious risk to any unpatched environment.

Google’s Mandiant unit has attributed part of the campaign to a China-linked threat group, though multiple actors appear to be exploiting the vulnerability.

Meanwhile, CISA confirmed the vulnerability is being actively exploited in several high-profile intrusions.

Microsoft has issued emergency patches for SharePoint Server Subscription Edition and SharePoint Server 2019; older versions, however, remain unpatched and exposed.

The vulnerability has been added to CISA’s Known Exploited Vulnerabilities catalog. The agency is urging organizations to disconnect vulnerable servers, apply available security updates, and follow detection guidance.

Why It Matters: This incident highlights the ongoing security risks faced by organizations that rely on self-hosted infrastructure. It also places Microsoft under renewed scrutiny following recent breaches involving its enterprise software. With confirmed compromises in federal systems and the potential for wide-scale disruption, the vulnerability reflects the growing urgency around securing core digital services.

  • CVE-2025-53770 Enables Full Remote Exploitation: The newly cataloged CVE-2025-53770, a variant of CVE-2025-49706, enables unauthenticated attackers to execute code remotely, access internal SharePoint files, and modify configurations. Publicly reported as “ToolShell,” the exploit provides full control over vulnerable systems and is already being actively used in the wild.
  • CISA Confirms Exploitation and Issues Mitigation Guidance: In its advisory, CISA recommended enabling AMSI scanning, disconnecting vulnerable systems, updating firewall rules, and monitoring specific IPs and endpoints. But the agency now operates with fewer personnel and reduced external engagement after its FY2026 budget was cut by at least $135 million, limiting its support for private-sector coordination.
  • China-Linked Group Among Active Threat Actors: Google’s Mandiant Consulting revealed that a Chinese hacking team is “at least one” of the actors involved in early-stage exploitation. Multiple threat groups are believed to be exploiting the vulnerability, suggesting coordinated or opportunistic use of the same zero-day flaw across sectors.
  • ToolShell and Cryptographic Key Theft Highlight Depth of Breach: In addition to full access to SharePoint systems, attackers are stealing the servers' ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt ViewState), which let them forge valid requests and maintain persistent, covert access that survives patching unless the keys are rotated. Researchers from Palo Alto Networks and Eye Security have emphasized that these methods could compromise integrations like Teams, OneDrive, and internal authentication protocols.
  • Legacy Systems and Microsoft’s Security Posture Under Fire Again: Microsoft has patched newer SharePoint versions but has yet to fix 2016 deployments, leaving many organizations exposed. This breach follows a 2023 Chinese cyber campaign that exploited Microsoft Exchange and raises fresh concerns about Microsoft’s Secure Future Initiative and its broader enterprise security standards.
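Because stolen machine keys outlive the patch, the practical follow-up to the mitigation and key-theft points above is to rotate the keys on every web application once the update is installed, then restart IIS so the worker processes load the new values. The script below is an added example for this page, not code from the article, CISA, or Microsoft; it assumes SharePoint Server 2019 or Subscription Edition (where the Update-SPMachineKey cmdlet is available) and an elevated SharePoint Management Shell on a farm server.

```powershell
# Added example (not from the article): rotate ASP.NET machine keys on an
# on-premises SharePoint farm after the CVE-2025-53770 update is applied.
# Patching alone does not evict an attacker who already copied the keys;
# rotation invalidates anything signed or encrypted with the stolen values.
# Assumes SharePoint Server 2019 / Subscription Edition and an elevated
# SharePoint Management Shell.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Record the farm build first and compare it with the build listed in
# Microsoft's advisory. Rotate only on a patched farm; on an unpatched
# server the new keys can simply be stolen again.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# Rotate the machine key for every content web application in the farm.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# The new keys are written to web.config on each front end by a timer job;
# confirm it has run before restarting IIS.
Get-SPTimerJob |
    Where-Object { $_.Name -like '*Machine*Key*' } |
    Select-Object Name, LastRunTime, Status

# Restart IIS on this server so the worker processes pick up the new keys.
# Repeat the restart on every web front-end server in the farm.
iisreset.exe
```

Run the script once per farm (rotation is farm-wide), then run `iisreset.exe` on each remaining front end. If any sessions or integrations still accept requests signed with the old keys after the restart, treat that as a sign the rotation did not propagate to that server's web.config.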

Go Deeper: Hackers Exploit Microsoft Software Vulnerability To Reportedly Target Governments And Businesses—What To Know – Forbes

Microsoft alerts businesses, governments to server software attack – Reuters

What to know about a vulnerability being exploited on Microsoft SharePoint servers – AP News

China-linked hackers behind Microsoft hacking spree, Google says – Axios
