Big news here: hackers have found another way to wreak havoc, and this time they went after
Microsoft SharePoint servers. A previously unknown software flaw, what our industry calls a
zero-day vulnerability, was discovered, and bad actors exploited it to break into at least
75 servers. For any business person or layperson, this is akin to finding an unlocked back door that nobody knew about and simply walking in.
What Exactly Happened?
The attackers exploited a
bug (CVE-2025-53770) in
on-premises SharePoint Server.
On-premises SharePoint is potentially more exposed
than cloud-based SharePoint Online because the business, not Microsoft, is responsible for running and patching it. The flaw let an attacker who could reach the server over the network run code of their own choosing on it, without needing an account. In other words, it handed them control of the server, which is as bad as it sounds.
Who Was Hit?
It was not just
small businesses:
large organizations and even
U.S. government agencies were hit, and some
research and energy labs were caught up in it as well. The good news is that many of the impacted systems were identified and remediated relatively quickly.
Who's Responsible For The Attack?
Microsoft has attributed the activity to hacking groups with links to
China, which it tracks as
Linen Typhoon,
Violet Typhoon and
Storm-2603, all known for advanced attacks. These groups are not only after money: they also conduct espionage and aim for long-term access to the networks they compromise.
What Did Microsoft Say About The Attack?
Microsoft acknowledged that the problem is serious, but reassured users that the
SharePoint Online (cloud) version was not impacted.
Microsoft is already working on a
security patch for the problem. In the meantime Microsoft told administrators to:
• Isolate affected servers as a temporary measure (for example, take them off the internet) until they can be patched
• Make sure antivirus protection is in place, specifically
Microsoft Defender Antivirus with
SharePoint's AMSI integration enabled, so that incoming requests are scanned before SharePoint processes them
• Look for suspicious activity in the
system logs
• Rotate the server's ASP.NET machine keys and restart IIS, so that any keys stolen while the vulnerability was being exploited cannot be used afterward to forge valid requests to the server.
What Do You Do If You Use SharePoint?
If your company runs its own
SharePoint server, you need to act fast:
- Install patches as soon as Microsoft releases them.
- Disconnect vulnerable servers if they can’t be secured immediately.
- Scan for malware and make sure defenses are up to date.
- Review access logs to check if attackers already got in.
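The two lists above (Microsoft's interim guidance and the action items for administrators) boil down to a procedure a SharePoint admin would run from PowerShell on the server. The script below is an added example for this post; it is not code from Microsoft or from the original article. It assumes IIS W3C logs with the default "#Fields:" header, the SharePoint Management Shell for the key-rotation step (the Update-SPMachineKey cmdlet and Get-SPWebApplication), and it uses request indicators for CVE-2025-53770 that come from public incident reporting rather than from this post. The sample log lines are constructed for the example and are not real traffic.

```powershell
# Added example for this post: not code from Microsoft or from the original article.
# Assumptions: IIS W3C logs with a "#Fields:" header line, the SharePoint Management
# Shell for the rotation step, and indicator strings taken from public incident
# reporting on CVE-2025-53770 (not from this post).

function ConvertFrom-IisW3CLog {
    # Turn IIS W3C log lines into objects keyed by the names in the #Fields: header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line.Trim() -split ' '          # IIS encodes spaces inside values as '+'
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

function Find-ToolShellIndicators {
    # Flag request patterns associated with the CVE-2025-53770 exploit chain
    # (indicator strings assumed from public reporting, not from this post).
    param([Parameter(Mandatory)][object[]]$Entries)
    foreach ($e in $Entries) {
        $stem    = $e.'cs-uri-stem'
        $referer = $e.'cs(Referer)'
        $reason  = $null
        if ($e.'cs-method' -eq 'POST' -and $stem -like '*/_layouts/15/ToolPane.aspx' -and
            $referer -like '*/_layouts/SignOut.aspx*') {
            $reason = 'POST to ToolPane.aspx with a SignOut.aspx Referer (exploit request pattern)'
        }
        elseif ($stem -like '*/_layouts/15/spinstall0.aspx') {
            $reason = 'request to spinstall0.aspx (web shell name seen in the attacks)'
        }
        if ($reason) {
            [pscustomobject]@{
                Time     = "$($e.date) $($e.time)"
                ClientIP = $e.'c-ip'
                Method   = $e.'cs-method'
                Path     = $stem
                Status   = $e.'sc-status'
                Reason   = $reason
            }
        }
    }
}

function Invoke-SharePointKeyRotation {
    # Rotate the ASP.NET machine keys of every web application, then restart IIS so the
    # worker processes pick up the new keys. Needs the SharePoint Management Shell on a
    # server in the farm; Update-SPMachineKey is assumed to be available there.
    param([switch]$WhatIf)
    if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
        throw 'Update-SPMachineKey is not available here; run the Machine Key Rotation job from Central Administration instead.'
    }
    foreach ($wa in Get-SPWebApplication) {
        if ($WhatIf) { "Would rotate machine keys for $($wa.Url)" }
        else         { Update-SPMachineKey -WebApplication $wa }
    }
    if (-not $WhatIf) { & iisreset.exe }
}

# Constructed sample log (not real traffic): one normal request and two that match the indicators.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:02:11 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\jdoe 10.0.0.44 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 120
2025-07-19 10:05:42 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310
2025-07-19 10:05:50 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 45
'@ -split "`r?`n"

$hits = Find-ToolShellIndicators -Entries (ConvertFrom-IisW3CLog -Lines $sampleLog)
$hits | Format-Table -AutoSize

# Real logs live under C:\inetpub\logs\LogFiles\W3SVC<site-id>\ ; feed them in with Get-Content.
# Invoke-SharePointKeyRotation -WhatIf    # dry run before rotating for real
```

On the constructed sample, the two requests from 203.0.113.77 are flagged and the ordinary page view is not. A hit on the ToolPane.aspx pattern means the server was probed or exploited, so treat the host as compromised: isolate it, patch it, and rotate the machine keys, since a key stolen during exploitation lets the attacker keep coming back even after the patch is installed. Run the rotation on every server in the farm and expect a brief outage while IIS restarts.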
Wrapping It Up
So here's the bottom line: hackers found a hidden flaw in
SharePoint, exploited it, and caused a mess across dozens of servers.
Microsoft is rushing to patch things up, but until then, administrators need to stay alert and tighten defenses. Think of it like locking every window and door in your house the moment you realize burglars are in the neighborhood: you don't wait, you act fast.