A global SharePoint breach is spreading fast. Is your business exposed?
It started quietly, just a couple of suspicious access logs on a few government systems. But in less than a week, the story escalated into something much larger: a global cyberattack targeting Microsoft’s SharePoint platform, affecting U.S. state agencies, universities, and commercial organizations around the world.
The vulnerabilities at the center of the attack—CVE-2025-53770 and CVE-2025-53771—are both what cybersecurity professionals fear most: zero-days that were being exploited before anyone even knew they existed.
“Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, head of intelligence at cybersecurity firm CrowdStrike.
This isn’t just an IT problem
What makes this breach so alarming is its strategic precision. The attackers—linked by Microsoft to Chinese-affiliated groups like Linen Typhoon and Storm-2603—exploited these flaws to steal cryptographic keys, gain persistent access, and in some cases, establish long-term backdoors.
According to Microsoft’s own threat bulletin, these actors weren’t casting a wide net. They were targeting entities with “intelligence value”, which include state agencies, educational institutions, and enterprises with valuable internal data.
In a separate statement, Pete Renals of Palo Alto Networks added, “We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available. This is not a theoretical risk, it’s happening now.”
Who's affected?
So far, researchers from Shadowserver and Eye Security have confirmed compromises at nearly 100 organizations.
Affected sectors include:
U.S. federal and state government networks
Higher education
Energy infrastructure firms
Law firms and consultancies
Mid-size businesses with on-premises collaboration systems
Importantly, SharePoint Online (Microsoft 365) is not affected. This is a breach of self-hosted, on-premises SharePoint environments—which are still widely used in regulated, hybrid, and legacy-heavy sectors.
What makes this breach unusual?
Unlike a typical zero-day exploit where patching solves the issue, this attack is stickier. That’s because attackers didn’t just exploit the vulnerability; they stole cryptographic keys that can be used to re-enter systems, even after security patches are applied.
As security journalist Tom Warren noted in Windows Central, “We’re witnessing an urgent and active threat. Organizations need to treat this as a breach, not just a patching issue.”
What should companies do now?
This isn’t the time to wait for the next scheduled patch window. If your organization runs SharePoint Server (2019 or Subscription Edition), here’s what experts and Microsoft recommend:
Patch Immediately – Microsoft has issued emergency fixes; install them without delay.
Rotate MachineKeys and Certificates – Assume key compromise. Rotate cryptographic materials immediately after patching.
Monitor Closely for Lateral Movement – Watch for strange behavior in connected tools like Teams, Outlook, and OneDrive.
Initiate an Incident Response Review – Even if no breach is confirmed, assume exposure and audit access logs, user accounts, and firewall rules.
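The key-rotation step above, written out as an added PowerShell example that is not part of the original article or of Microsoft's own guidance: it assumes it is run from an elevated SharePoint Management Shell on a server that has already received the security update, that the Update-SPMachineKey cmdlet shipped with Microsoft's July 2025 updates is available, and that the minimum build number and the log path are placeholders to replace with your own values.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys of every
# SharePoint web application after patching, then recycle IIS so the old keys
# are no longer loaded. Run from an elevated SharePoint Management Shell.

$LogPath = "C:\Temp\machinekey-rotation.log"        # placeholder: choose your own path
$MinPatchedBuild = [Version]"16.0.0.0"              # placeholder: use the build from Microsoft's advisory

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Rotating keys on an unpatched server is pointless: the flaw that leaked the
# old keys would leak the new ones too, so refuse to continue below the fixed build.
$farmBuild = (Get-SPFarm).BuildVersion
if ($farmBuild -lt $MinPatchedBuild) {
    Write-Error "Farm build $farmBuild is below $MinPatchedBuild; install the security update first."
    exit 1
}

# Include Central Administration: it has its own web application and keys.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
$failed = 0
foreach ($wa in $webApps) {
    try {
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        "$(Get-Date -Format o) rotated machine key for $($wa.Url)" | Tee-Object -FilePath $LogPath -Append
    } catch {
        $failed++
        "$(Get-Date -Format o) FAILED $($wa.Url): $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }
}

# Worker processes keep the previous keys in memory until they restart, so
# recycle IIS on every server in the farm once the rotation has been applied.
if ($failed -eq 0) {
    iisreset.exe /noforce
} else {
    Write-Warning "$failed web application(s) failed to rotate; review $LogPath before recycling IIS."
}
```

Keep the rotation log with the incident-response record: the timestamp of the rotation is the point after which any request still authenticated with a pre-rotation token should be treated as suspicious.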
The Bigger Picture
This attack isn’t just a warning about SharePoint—it’s a case study of how deeply embedded software, once compromised, can serve as a silent conduit into core business systems.