The U.S. federal government and cybersecurity experts have issued an urgent warning about a severe zero-day vulnerability in Microsoft SharePoint that is being exploited by threat actors worldwide. The flaw, tracked as CVE-2025-53770, affects on-premises (self-hosted) SharePoint Server installations, leaving organizations exposed without an immediate patch. SharePoint Online in Microsoft 365 is not affected.
Active Exploitation and Security Risks
The Cybersecurity and Infrastructure Security Agency (CISA) sounded the alarm this weekend as reports confirmed that attackers are actively targeting vulnerable servers. The vulnerability affects both legacy and current on-premises releases, reaching as far back as SharePoint Server 2016.
According to Eye Security, which first reported the in-the-wild exploitation, the exploit lets an unauthenticated attacker bypass authentication and steal the server's private cryptographic keys (the ASP.NET machine keys SharePoint uses to sign and encrypt request data). Once those keys are in hand, an attacker can forge requests the server accepts as legitimate, remotely deploy malware and read sensitive files. Because SharePoint integrates deeply with Outlook, Teams and OneDrive, a compromised server is a foothold for broader network intrusion and large-scale data theft.
Urgent Mitigation Measures
Because the exploit steals the keys the server uses to validate requests, installing a future patch alone will not evict an attacker who already holds them: with a copy of the keys, forged requests keep working on a patched server. Security researchers therefore stress that administrators must also rotate those keys, after patching, to cut off persistent access.
In the absence of a comprehensive patch from Microsoft, CISA and industry experts are advising organizations to take drastic measures. Michael Sikorski, head of Unit 42 at Palo Alto Networks, warned that any on-premises SharePoint server exposed to the internet should be treated as compromised. Organizations are strongly encouraged to disconnect affected systems from the internet immediately.
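The key-rotation step described above, written out as an added example for administrators; this script is not from the article, CISA or Microsoft's advisories. It assumes it runs in an elevated SharePoint Management Shell as a farm administrator, on a server that has already been isolated and patched, and it uses two cmdlets that ship with SharePoint Server 2016 and later, Get-SPWebApplication and Update-SPMachineKey. The log file path is an assumption chosen for illustration.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys of
# every SharePoint web application in the farm, then recycle IIS so the new
# keys take effect. Run AFTER the security update is installed; rotating
# keys on a still-vulnerable server is pointless because the attacker can
# simply steal the new ones the same way.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$rotated = @()
# -IncludeCentralAdministration covers the Central Administration site too,
# which is otherwise skipped and would keep its old keys.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    # Update-SPMachineKey generates new ValidationKey/DecryptionKey values
    # for the web application and writes them to the farm configuration,
    # invalidating anything signed or encrypted with the stolen keys.
    Update-SPMachineKey -WebApplication $webApp
    $rotated += $webApp.Url
}

# ASP.NET worker processes only read machine keys at start-up, so the
# rotation is not effective until IIS is restarted on each front end.
iisreset

# Leave an audit trail (assumed path) showing which applications were rotated
# and when, so the incident record proves the keys changed after patching.
$logPath = Join-Path $env:ProgramData 'sp-machinekey-rotation.log'
$rotated | ForEach-Object { "$((Get-Date).ToString('o'))  rotated  $_" } |
    Out-File -Append -FilePath $logPath
```

Run it on every front-end server's farm once (the cmdlet updates the farm-wide configuration), but run iisreset on each front end. Rotation signs out users and invalidates existing sessions, so schedule it as part of the incident response rather than as a quiet background change.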
A Pattern of Targeting Microsoft Infrastructure
While the identity of the attackers remains unknown, this incident follows a troubling history of high-profile attacks on Microsoft ecosystems. Previous major incidents include the 2021 Hafnium attack on Exchange servers, which impacted more than 60,000 organizations, and a 2023 breach of Microsoft's cloud systems in which state-sponsored actors stole a signing key that let them forge access tokens for email accounts.
As reported by The Washington Post, the current wave of attacks has already hit U.S. federal agencies, energy companies and academic institutions. With thousands of small and medium-sized businesses potentially affected, the full scale of the intrusion is still being assessed.
