
SharePoint Zero-Day Hits 85 Servers in Global Exploit Wave


By Tech Icons
1:21 pm
Image credits: KiyechkaSo / Shutterstock.com / Microsoft

SharePoint zero-day vulnerability compromises 85 servers worldwide as Microsoft races to protect critical infrastructure

Key Takeaways

  • Critical SharePoint zero-day exploited globally: Microsoft warns of active attacks targeting CVE-2025-53770, a vulnerability with a 9.8 CVSS score affecting on-premises SharePoint servers worldwide
  • Over 85 servers compromised across 29 organizations: Security researchers identify widespread targeting of government entities and multinational firms through the “ToolShell” exploit chain
  • CISA adds vulnerability to Known Exploited Vulnerabilities catalog: Federal agencies face immediate remediation requirements as attackers bypass authentication and maintain persistent access using stolen cryptographic keys

Introduction

Microsoft issues an urgent warning about active exploitation of a critical SharePoint zero-day vulnerability that threatens government agencies and enterprises worldwide. The company confirms that threat actors are actively exploiting CVE-2025-53770, a deserialization flaw with a maximum 9.8 CVSS severity score affecting on-premises SharePoint servers.

The vulnerability allows attackers to execute unauthorized code remotely without authentication. Security researchers have already identified over 85 compromised SharePoint servers across 29 organizations, including government entities and multinational corporations.

Key Developments

Viettel Cyber Security discovered the vulnerability through Trend Micro’s Zero Day Initiative platform. The flaw involves deserialization of untrusted data, enabling attackers to bypass authentication mechanisms and gain remote code execution capabilities on vulnerable SharePoint deployments.

Microsoft published emergency guidance over the weekend, acknowledging that “an exploit for CVE-2025-53770 exists in the wild.” The company advises organizations to enable AMSI integration and deploy Microsoft Defender on SharePoint Server farms immediately. For systems unable to implement AMSI, Microsoft recommends disconnecting SharePoint servers from the internet entirely.

The vulnerability represents a variant of CVE-2025-49706, previously addressed in July 2025 Patch Tuesday updates. However, CVE-2025-53770 poses additional risks as attackers can forge trusted payloads using stolen machine keys, maintaining persistent access even after initial patches are applied.

Market Impact

The U.S. Cybersecurity and Infrastructure Security Agency adds CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with immediate remediation requirements for federal agencies. This designation signals the severity of the threat and mandates swift action across government infrastructure.

Security firms report that compromised organizations span multiple sectors, with particular concentration in government, healthcare, education, and large enterprises. Eye Security’s global scanning reveals that threat actors began large-scale exploitation around July 18, 2025, targeting over 8,000 SharePoint servers worldwide.

Microsoft releases patches for both CVE-2025-53770 and a newly discovered related vulnerability, CVE-2025-53771, early Monday morning. SharePoint Online in Microsoft 365 remains unaffected by these vulnerabilities.

Strategic Insights

The incident accelerates the strategic shift from on-premises infrastructure to cloud-based solutions. Cloud services demonstrate superior resilience against zero-day threats through centralized patching and managed security capabilities, reinforcing the business case for digital transformation initiatives.

Organizations face average breach costs of $4.45 million according to IBM’s 2024 Cost of a Data Breach report, with critical infrastructure attacks typically exceeding this baseline. The financial implications extend beyond immediate remediation costs to include regulatory compliance, business disruption, and reputational damage.

The “ToolShell” exploit chain combines multiple SharePoint vulnerabilities to achieve unauthenticated remote code execution. This sophisticated attack methodology demonstrates the evolving capabilities of threat actors and the increasing complexity of enterprise security challenges.

Expert Opinions and Data

Michael Sikorski, CTO of Palo Alto Networks’ Unit 42, emphasizes that “on-prem SharePoint deployments, particularly within government, schools, healthcare, and large enterprises, are at immediate risk.” His assessment highlights the concentrated exposure across critical infrastructure sectors.

Acting Executive Assistant Director for Cybersecurity Chris Butera confirms CISA’s rapid coordination with Microsoft, stating that “CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action.” This response demonstrates the importance of public-private cybersecurity partnerships.

Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, stresses the necessity of comprehensive remediation beyond standard patching procedures. The Washington Post reports that organizations must rotate cryptographic keys and implement additional security controls to prevent persistent access through stolen credentials.

Benjamin Harris from watchTowr security research emphasizes the global scope of compromise, noting that affected entities require extensive remediation procedures including cryptographic settings recycling for complete threat elimination.
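The key rotation that Carmakal and Harris call for is the step that breaks the "stolen machine key" persistence described above: once the farm's ASP.NET machine keys change, payloads signed with the old keys stop validating. The script below is an added example, not code from the article or from Microsoft's advisory, showing how a farm administrator might script that rotation from the SharePoint Management Shell. It assumes the SharePoint PowerShell snap-in is installed, that the account running it is a farm administrator, and that the Get-SPWebApplication and Update-SPMachineKey cmdlets are available in the installed SharePoint version; check both names against the documentation for your version before relying on them.

```powershell
<#
  Added example (not from the article or Microsoft's guidance).
  Rotates the ASP.NET machine keys of every SharePoint web application
  in the farm, then restarts IIS on the local server so that worker
  processes stop honouring payloads signed with the old keys.

  Assumptions (labelled, not verified against this page):
    - SharePoint Management Shell cmdlets are present on this server.
    - Update-SPMachineKey accepts -WebApplication (generates new keys).
    - Run as a farm administrator; repeat the IIS restart on every
      server in the farm, not only the one this runs on.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Set to $false to skip the local IIS restart (e.g. when staging the change).
    [bool]$RestartIis = $true,
    # Where to write a simple audit trail of what was rotated and when.
    [string]$LogPath = "$env:ProgramData\sp-machinekey-rotation.log"
)

# Load the SharePoint cmdlets if the shell was not opened as the Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Write-RotationLog {
    param([string]$Message)
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Central Administration is a web application too and must be included,
# otherwise a key stolen from it would remain valid after rotation.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

if (-not $webApps) {
    Write-RotationLog "No web applications found; is this a farm server?"
    exit 1
}

foreach ($webApp in $webApps) {
    $name = $webApp.DisplayName
    if ($PSCmdlet.ShouldProcess($name, "Rotate ASP.NET machine keys")) {
        try {
            # Generates fresh validation and decryption keys for this web
            # application; SharePoint propagates the new keys to farm servers.
            Update-SPMachineKey -WebApplication $webApp
            Write-RotationLog "Rotated machine keys for '$name' ($($webApp.Url))"
        }
        catch {
            Write-RotationLog "FAILED to rotate keys for '$name': $($_.Exception.Message)"
        }
    }
}

# Worker processes cache the old keys in memory; a restart forces them to
# pick up the rotated values. Run this on every server in the farm.
if ($RestartIis -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Restart IIS")) {
    & iisreset.exe /noforce
    Write-RotationLog "IIS restarted on $env:COMPUTERNAME"
}

Write-RotationLog "Rotation run finished; rotate keys again after the patch is applied if the server was exposed before patching."
```

Run it once with -WhatIf to see which web applications would be touched, then without. Rotation only invalidates material signed with the old keys; anything an attacker already placed on the server before rotation is untouched, which is why the remediation advice above pairs key rotation with patching and a wider compromise review rather than treating it as a stand-alone fix.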

Conclusion

The active exploitation of CVE-2025-53770 represents a critical inflection point for enterprise IT strategy and cybersecurity investment priorities. Microsoft’s coordinated response with federal agencies demonstrates improved industry collaboration in addressing zero-day threats.

Organizations running on-premises SharePoint infrastructure face immediate security risks that extend beyond traditional patching approaches. The incident reinforces the strategic imperative for cloud migration, continuous monitoring, and comprehensive incident response capabilities in modern enterprise environments.
