Cybersecurity experts have confirmed that at least 400 organizations have been compromised following the exploitation of a critical zero-day vulnerability in Microsoft SharePoint. The surge in attacks, which began in early July, has targeted entities ranging from private corporations to high-level government agencies.
The Scope of the SharePoint Breach
Eye Security, the Dutch cybersecurity firm that first identified the vulnerability, reports a rapid escalation in successful intrusions. While only dozens of servers were flagged earlier this week, internet-wide scanning now confirms hundreds of active compromises across the globe.
Among the victims is the U.S. National Nuclear Security Administration (NNSA). A spokesperson for the Department of Energy confirmed that the agency was “minimally impacted,” stating that only a “very small number of systems” were accessed during the campaign.
Technical Breakdown: CVE-2025-53770
The vulnerability, tracked as CVE-2025-53770, affects self-hosted (on-premises) versions of SharePoint. By exploiting this flaw, attackers can execute code remotely on the server, granting them unauthorized access to sensitive internal documents and a foothold for lateral movement into the broader corporate network.
Because the flaw was leveraged as a zero-day—meaning it was exploited before Microsoft could issue a fix—organizations remained defenseless until security researchers alerted the public. Microsoft has since released emergency patches for all affected SharePoint versions to mitigate further risks.
Attribution and Ongoing Threats
Intelligence gathered by Google and Microsoft points toward China-backed hacking groups as the primary actors behind the campaign. Evidence suggests that malicious activity utilizing this specific exploit dates back to July 7. While the Chinese government has denied these allegations, industry experts warn that the window of opportunity for hackers is widening.
Security analysts advise organizations to audit their self-hosted SharePoint instances immediately and ensure that all available patches are applied to prevent further exploitation by opportunistic threat actors.
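One way to start the audit the analysts recommend is to inventory the SharePoint farm from the SharePoint Management Shell and compare its build against the build that carries Microsoft's fix. The script below is an added example written for this article, not code from Eye Security, Microsoft, or any of the organizations named above. It uses the real Get-SPFarm and Get-SPServer cmdlets; the minimum patched build number is a placeholder that an administrator must replace with the value from Microsoft's advisory for their SharePoint version, since this article does not state it.

```powershell
# Added example: inventory a self-hosted SharePoint farm and flag an unpatched build.
# Must run on a farm server as a farm administrator with the SharePoint snap-in available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# PLACEHOLDER: replace with the first build that contains the CVE-2025-53770 fix
# for your SharePoint version, as listed in Microsoft's advisory.
$MinimumPatchedBuild = [System.Version]'0.0.0.0'

$farm = Get-SPFarm
$currentBuild = $farm.BuildVersion

Write-Host "Farm build version: $currentBuild"

# List every SharePoint server in the farm (SQL-only hosts report Role 'Invalid').
Get-SPServer |
    Where-Object { $_.Role -ne 'Invalid' } |
    Select-Object Name, Role, Status |
    Format-Table -AutoSize

# A farm is only as patched as its build; anything below the fixed build needs
# the emergency update applied, followed by running the SharePoint Products
# Configuration Wizard so the build version advances across the farm.
if ($currentBuild -lt $MinimumPatchedBuild) {
    Write-Warning "Farm build $currentBuild is below the minimum patched build $MinimumPatchedBuild. Apply the CVE-2025-53770 update on every server."
} else {
    Write-Host "Farm build meets or exceeds the minimum patched build." -ForegroundColor Green
}
```

Run this on each farm rather than on a single server: the build version is farm-wide, but the server list tells you which hosts must receive the update before the configuration wizard is run.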
