Hackers Exploit Microsoft SharePoint Flaws in Global Breaches
New information has emerged regarding ongoing cyberattacks against Microsoft’s on-premises SharePoint servers, revealing a wider impact than initially understood. Yesterday, Hackread.com reported on Microsoft’s urgent warnings and new security updates for critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) that allow attackers to execute malicious code.
Now, cybersecurity researchers have confirmed a significant escalation: approximately 100 organisations worldwide have been successfully breached so far. This widespread exploitation has impacted governments, businesses, and other entities globally.
Victims include national governments in Europe and the Middle East, along with US government systems such as the Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly.
A US-based healthcare provider and a public university in Southeast Asia have also been targeted, with attempted breaches observed in countries like Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, and the UK.
Attackers are reportedly exploiting zero-day flaws, meaning the weaknesses were unknown to the vendor before they were abused, which allows intruders to gain deep access and potentially install persistent backdoors. Cybersecurity firms including CrowdStrike, Mandiant Consulting, the Shadowserver Foundation, and Eye Security are tracking multiple hacker groups involved in these attacks.
Netherlands-based Eye Security first identified active exploitation on Friday, noting that even after initial patches from Microsoft in early July, hackers found “ways around the patches” to continue their intrusions. CrowdStrike also observed active exploitation beginning July 18, 2025, blocking hundreds of attempts across over 160 customer environments.
A common sign of compromise is the presence of a suspicious file named “spinstall0.aspx”. CrowdStrike found that attackers write this file to the server via PowerShell commands and then use it to steal the server’s IIS machine keys.
Urgent Call for Action
The stolen information is highly sensitive, including sign-in credentials such as usernames, passwords, and password hashes. SharePoint’s deep integration with other Microsoft services like Office, Teams, OneDrive, and Outlook means a compromise isn’t contained and “opens the door to the entire network,” according to Michael Sikorski of Palo Alto Networks.
While Microsoft released patches over the weekend for SharePoint 2019 and SharePoint Subscription Edition, updates for SharePoint 2016 are still under development. Organisations are strongly advised not only to apply the available patches but also to rotate their machine keys and restart IIS, because keys stolen before patching remain valid until they are replaced.
Adding to these critical steps, the US Cybersecurity and Infrastructure Security Agency (CISA) issued its own guidance on July 20, 2025. It recommends configuring the Antimalware Scan Interface (AMSI) in SharePoint, deploying Microsoft Defender AV on all SharePoint servers, and, if AMSI cannot be enabled, disconnecting affected public-facing products from the internet until official mitigations are fully applied.
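The indicator CrowdStrike describes (the “spinstall0.aspx” file in the SharePoint web directories) and the rotate-keys-then-restart-IIS step above can be combined into one defender-side triage script. This is an added example, not code from the article or from any of the firms named in it; it assumes the standard SharePoint hive LAYOUTS paths and the SharePoint Server cmdlet Update-SPMachineKey, and must be run in an elevated SharePoint Management Shell.

```powershell
# Added example (not from the article). Assumptions: standard SharePoint
# 15/16 hive LAYOUTS locations and the SharePoint cmdlet Update-SPMachineKey.
$IndicatorName = 'spinstall0.aspx'   # file name reported as a sign of compromise
$SearchRoots = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
)

# 1. Hunt for the known indicator, plus any .aspx written to LAYOUTS in the
#    last 14 days (attackers may rename the dropper, so review recent files too).
$hits = foreach ($root in $SearchRoots) {
    if (Test-Path -Path $root) {
        Get-ChildItem -Path $root -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Name -ieq $IndicatorName -or
                $_.LastWriteTime -gt (Get-Date).AddDays(-14)
            }
    }
}

# Report each finding with a hash so it can be shared with IR / threat intel.
foreach ($f in $hits) {
    [pscustomobject]@{
        Path    = $f.FullName
        Written = $f.LastWriteTime
        SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Verdict = $(if ($f.Name -ieq $IndicatorName) { 'KNOWN-INDICATOR' }
                    else { 'recent-aspx-review' })
    }
}

# 2. If the indicator is present, assume the machine keys are already stolen:
#    once the server is patched, rotate the keys for every web application and
#    restart IIS so the old keys can no longer be used against this farm.
$confirmed = $hits | Where-Object { $_.Name -ieq $IndicatorName }
if ($confirmed) {
    Write-Warning "Indicator found on $env:COMPUTERNAME; rotating machine keys."
    Add-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction Stop
    Get-SPWebApplication | ForEach-Object {
        Update-SPMachineKey -WebApplication $_   # assumed cmdlet, see lead-in
    }
    iisreset.exe
}
```

Key rotation is farm-wide, so run the rotation step once per farm after all servers are patched; the hunting step should be run on every SharePoint server.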
The vast number of potentially vulnerable SharePoint servers, estimated at over 8,000 globally by search engines like Shodan, highlights the urgent need for comprehensive security measures. The breaches have also brought renewed scrutiny to Microsoft’s cybersecurity practices, with a 2024 US government report recommending urgent reforms to its security culture.
“Cryptographic asset theft is the new ‘phishing’, in that bad actors have learnt that, like stealing passwords, getting an important cryptographic asset like API keys or a machine identity is much easier than brute-force methods,” said Robert Hann, Global VP Technical Solutions at Entrust.
“To protect sensitive data with encryption and HSMs, it’s essential to first understand which cryptographic assets, like private keys, digital certificates, and encryption algorithms, are securing which systems and information. Leveraging an HSM is especially important for data that is sensitive or carries compliance requirements,” Robert advised.
“In addition to HSM protection, it’s crucial for companies to implement other security best practices for SharePoint, such as keeping the software up to date with the latest patches and security updates, using strong passwords, rolling over keys regularly and following secure configuration guidelines,” he emphasised.
According to Andrew Obadiaru, CISO at Cobalt, an offensive security company, “Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments. The challenge isn’t just patching; it’s that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds.”
“Defence strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today’s threat landscape, reactive security alone is a losing game,” Andrew advised.