Massive zero-day attacks on Microsoft SharePoint uncovered

Jens Scharfenberg · 2 minute read

A large-scale global attack campaign is actively exploiting previously unknown zero-day vulnerabilities in Microsoft SharePoint servers. Only on-premises installations, i.e. locally operated servers, are affected; the targets are companies, government agencies and research institutions. Microsoft has released emergency patches, but the threat remains real. This article looks at what has happened, how the attackers operate and which measures should now be taken urgently.

Key points at a glance:

  • Attacks probably started around July 18, 2025 and have affected at least 80 to 100 SharePoint instances worldwide
  • Only on-premises servers are affected; cloud instances (Microsoft 365/SharePoint Online) are not impacted
  • Attack method: zero-day exploits (CVE-2025-53770 and CVE-2025-53771), variants of an exploit chain first demonstrated at the Pwn2Own contest
  • Goals: planting malicious code, extracting cryptographic keys (the servers' ASP.NET machine keys), installing backdoors and moving laterally through the network

What exactly happened – and why now?

In July 2025, attackers found that two SharePoint vulnerabilities Microsoft had only just patched could be bypassed with new variants. These variants, CVE-2025-53770 (critical, CVSS 9.8) and CVE-2025-53771 (medium severity), allow an attacker to gain access and execute malicious code on the server without any authentication. SharePoint servers have been compromised in waves since July 18.

In total, at least 80 systems are known to have been compromised. Institutions in the USA, Germany and other G7 countries are particularly affected. The attackers are after sensitive data such as documents, cryptographic keys and configuration files. Telecommunications and energy companies as well as public authorities and universities are among the victims.

Attackers, extent and motivation

The attacks are attributed to a highly organized hacker group, possibly with links to China. The campaign follows a consistent pattern of payloads and tactics, which suggests that a single actor is responsible. Government agencies such as the FBI and CISA (USA) and the NCSC (UK) are now involved in the investigation.

Microsoft has distributed emergency patches for SharePoint Server 2019 and the Subscription Edition, while a full fix for SharePoint Server 2016 is still pending. Experts warn that patching alone does not remove backdoors that are already installed and that stolen machine keys remain valid after the update. They call for emergency measures such as isolating the servers, rotating the cryptographic keys and bringing in professional incident response.
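As an added illustration, not a script from the original article or from Microsoft, the following PowerShell sketch shows the order of operations a responder would follow on an on-premises farm after installing the patch: record the build, hunt for recently dropped web-accessible script files, rotate the ASP.NET machine keys and restart IIS. The cmdlet names Set-SPMachineKey and Update-SPMachineKey, the installer-default hive and web-root paths and the 14-day lookback window are assumptions to verify for your own edition; the script checks that the cmdlets exist before calling them.

```powershell
# Added example for this article (not the article's or Microsoft's own script).
# Run in the SharePoint Management Shell on one farm server as a farm admin.
# Order matters: patch first, then rotate keys. Keys rotated on an unpatched
# server can simply be extracted again through the same unauthenticated hole.

# 1. Record the farm build and compare it with the fixed build that Microsoft's
#    advisory lists for your edition (2016 / 2019 / Subscription Edition).
$farm = Get-SPFarm
Write-Host ("Farm build: {0}" -f $farm.BuildVersion)

# 2. Backdoor hunt: list web-accessible script files created or changed
#    recently. The hive and IIS paths are installer defaults (assumption); the
#    14-day window is a starting point, widen it if in doubt. Anything listed
#    here that you did not deploy yourself is forensic evidence: preserve it
#    (copy with timestamps, hash it) before cleaning up.
$since = (Get-Date).AddDays(-14)
$roots = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "C:\inetpub\wwwroot\wss\VirtualDirectories"
)
$suspects = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since }
    }
}
if ($suspects) {
    Write-Warning "Recently written script files found; treat this server as compromised until triaged:"
    $suspects | Select-Object FullName, CreationTime, LastWriteTime | Format-Table -AutoSize
}

# 3. Rotate the ASP.NET machine keys of every web application. A stolen
#    ValidationKey/DecryptionKey pair lets an attacker forge signed ViewState
#    and keep code execution even after the patch, so rotation is mandatory.
#    The cmdlet names are an assumption: abort if they are not present and
#    rotate through Central Administration (Machine Key Rotation timer job).
foreach ($cmd in 'Set-SPMachineKey', 'Update-SPMachineKey') {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
        throw "$cmd is not available in this shell; rotate the keys via Central Administration instead."
    }
}
foreach ($wa in Get-SPWebApplication) {
    Write-Host ("Rotating machine keys for {0}" -f $wa.Url)
    Set-SPMachineKey    -WebApplication $wa   # generate new keys in the config database
    Update-SPMachineKey -WebApplication $wa   # push them into web.config on every farm server
}

# 4. Restart IIS so the new keys are loaded. Keep the host off the internet
#    until forensic analysis of the files found in step 2 is complete.
iisreset.exe
```

The two halves are deliberately separate: the file hunt is a triage heuristic that produces evidence for incident response, whereas the key rotation is the remediation step that actually invalidates what the attackers already stole.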

Conclusion

The global intrusions into on-premises SharePoint servers show once again how dangerous zero-day exploits are, especially in critical collaboration systems. The known number of 80 to almost 100 compromised instances is alarming, all the more so because a large number of other exposed servers remain vulnerable. Although Microsoft is delivering the first patches, updates alone are not enough: only a combination of patching, system isolation, key rotation and thorough forensics offers effective protection.