Zero-Day Vulnerability in Microsoft SharePoint Triggers Global Cyberattacks
A newly discovered zero-day vulnerability in Microsoft SharePoint has been actively exploited in a global cyber campaign targeting government agencies, energy companies, universities, and private businesses. The vulnerability, for which no patch existed at the time of initial exploitation, affects on-premises SharePoint servers, putting tens of thousands of systems at risk.
SharePoint Servers Breached Across U.S. Federal and State Agencies
Multiple sources confirmed that U.S. federal and state agencies, universities, and even local government bodies were among those breached. International victims include a telecom firm in Asia, a government agency in Spain, and a university in Brazil, according to security researchers.
“Anybody who’s got a hosted SharePoint server has got a problem. It’s a significant vulnerability,”
— Adam Meyers, SVP, CrowdStrike
The attack does not affect Microsoft 365 or other cloud-based SharePoint instances, according to Microsoft.
Microsoft released a patch for one version of SharePoint late Sunday but confirmed that two other versions remain vulnerable. The company said it is continuing to develop fixes but declined further comment.
Hacker Activity Detected Before Patch Availability
The cyberattacks were first observed after Microsoft had issued a separate fix for a different SharePoint vulnerability. Threat actors found a similar exploitation path that the earlier fix did not close, which allowed them to breach unpatched servers globally.
“We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available,”
— Pete Renals, Senior Manager, Palo Alto Networks Unit 42
According to Netherlands-based Eye Security, the hackers not only accessed sensitive data but also harvested cryptographic keys that could allow them to re-enter compromised servers even after patches are applied.
One U.S. researcher added:
“Pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours.”
Impact and Scope of Breaches Expands Across Sectors
The Department of Homeland Security’s CISA confirmed it was alerted to the issue on Friday by a cyber research firm and immediately contacted Microsoft. The FBI also acknowledged the breach and said it is working with other federal and private sector partners.
So far:
- Over 50 breaches have been tracked, according to Eye Security
- Two U.S. federal agencies were confirmed compromised
- A state legislature’s public document repository was hijacked and remains inaccessible
- Arizona’s state cyber teams convened to coordinate a statewide response
The Center for Internet Security stated that over 100 organizations, including schools and universities, were notified of potential compromise. According to the center, the response was slowed by recent 65% staffing cuts to its cyber response teams.
Wiper Behavior and Persistent Access Raise New Concerns
Some victims reported wiper-like behavior, in which documents became inaccessible altogether. A state official described the breach:
“The attackers had hijacked a repository of documents provided to the public… The agency involved can no longer access the material.”
Other victims did not observe file deletion but instead saw cryptographic key theft, which gives the attackers persistent access.
Longstanding Scrutiny on Microsoft Security Practices
This latest incident adds to Microsoft’s growing list of high-profile cybersecurity failures. Just last year, the company was blamed for a Chinese espionage operation that breached U.S. government emails, including those of senior officials.
In a related development, Microsoft recently stated it would stop using China-based engineers to support Defense Department cloud programs, following investigative reporting and rising security concerns.
CISA spokesperson Marci McCarthy said the agency is in active response mode:
“No one has been asleep at the wheel.”
Still, concerns remain. Microsoft’s history of narrowly scoped patches may have again left similar vulnerabilities open to exploitation.