Hackers exploiting SharePoint zero-day seen targeting government agencies
Hackers are actively exploiting a critical zero-day vulnerability in Microsoft SharePoint servers to target government agencies worldwide, prompting emergency warnings from cybersecurity officials. The campaign exploits a flaw designated CVE-2025-53770, which carries a maximum severity score of 9.8, and has already compromised at least 75 organizations including federal agencies, universities, and energy companies.
Key Takeaways
- A critical zero-day vulnerability (CVE-2025-53770) in SharePoint servers is being actively exploited by hackers targeting government agencies
- At least 75 organizations have been breached, including dozens of U.S. federal and state government agencies
- The vulnerability allows unauthenticated remote code execution on on-premises SharePoint servers through data deserialization
- Approximately 8,000 SharePoint servers globally are potentially vulnerable to this attack
- Emergency patches have been released by Microsoft, with CISA ordering immediate disconnection of internet-facing servers
Understanding the Critical SharePoint Vulnerability
The vulnerability at the center of this attack campaign represents one of the most serious security flaws discovered in SharePoint to date. CVE-2025-53770 carries a CVSS score of 9.8, indicating maximum severity, while a companion vulnerability CVE-2025-53771 has been assigned a medium severity rating of 6.3. These flaws affect all versions of on-premises SharePoint servers, including SharePoint Server 2016, 2019, and the Subscription Edition.
What makes this vulnerability particularly dangerous is that its deserialization flaw lets attackers execute arbitrary code without any authentication. Hackers can exploit it to gain complete control over SharePoint environments, accessing sensitive documents, system configurations, and user credentials. The attack method builds upon the earlier vulnerabilities CVE-2025-49704 and CVE-2025-49706 but incorporates enhanced evasion techniques that make detection significantly more challenging.
Massive Scale of Vulnerable Systems
Eye Security’s research reveals that approximately 8,000 SharePoint servers worldwide are potentially vulnerable to this exploitation campaign. The scope spans organizations across multiple sectors, with government agencies bearing the brunt of targeted attacks. Universities, energy companies, and various federal and state institutions have been specifically targeted by threat actors leveraging this zero-day vulnerability.
The attack campaign demonstrates sophisticated planning and execution, designed for long-term persistence rather than quick data extraction. Malicious activities blend seamlessly with legitimate SharePoint operations, making detection extremely difficult for security teams. This stealth approach allows attackers to maintain access for extended periods while gathering intelligence and expanding their foothold within compromised networks.
The ToolShell Attack Chain
Security researchers have identified the attack methodology as “ToolShell,” a sophisticated exploitation chain that leverages the deserialization vulnerability for comprehensive system penetration. The attack begins with unauthenticated access to SharePoint servers, where hackers can immediately execute arbitrary code and establish persistent backdoors.
Once initial access is achieved, the attack chain enables several critical capabilities:
- Complete access to all SharePoint content and system files
- Theft of authentication tokens and cryptographic keys
- Lateral movement across connected Microsoft services like OneDrive and Teams
- Persistent access that survives patching efforts
The integration between SharePoint and other Microsoft services amplifies the impact significantly. Organizations using SharePoint alongside Outlook, OneDrive, and Teams face exponentially higher risks as attackers can pivot between these platforms using stolen credentials and authentication tokens.
Severe Security Consequences
The consequences of successful exploitation extend far beyond initial system compromise. Attackers gain the ability to harvest passwords, steal sensitive documents, and establish persistent backdoor access that remains functional even after security patches are applied. This persistence is achieved through the theft of cryptographic keys and certificates, which lets attackers forge payloads that the server accepts as legitimate authenticated requests.
Data theft capabilities include access to confidential government documents, citizen information, and classified materials stored within SharePoint repositories. The vulnerability also enables lateral movement across Windows domains, potentially compromising entire network infrastructures. Security teams face the additional challenge of detecting these intrusions, as malicious activities are deliberately designed to mimic normal SharePoint operations.
Emergency Response and Mitigation Efforts
CISA and Microsoft have issued urgent security advisories calling for immediate action from all organizations running on-premises SharePoint servers. The recommended response includes disconnecting internet-facing SharePoint servers immediately and assuming compromise for any systems that have been accessible from the internet recently.
Microsoft has released emergency patches addressing both CVE-2025-53770 and CVE-2025-53771 for most affected versions:
- SharePoint Server 2019 – patch available
- SharePoint Server Subscription Edition – patch available
- SharePoint Server 2016 – patch still in development
Organizations using SharePoint Online through Microsoft 365 are not affected by these vulnerabilities, as confirmed by Microsoft’s security team. However, hybrid environments that combine on-premises and cloud SharePoint deployments require careful assessment to ensure complete protection.
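As an added example (not from the article, and not Microsoft's own published script), the following SharePoint Management Shell script walks a farm administrator through the post-patch steps the response above implies: confirm the farm build against the patched build from the vendor advisory, rotate the ASP.NET machine keys so that keys stolen before patching can no longer be used to forge payloads the server trusts, and restart IIS so the new keys take effect. It assumes the SharePoint PowerShell snap-in and the Update-SPMachineKey cmdlet are available on the farm; the patched build number is a placeholder, since the article does not state it.

```powershell
# Added example: post-patch verification and machine-key rotation for an on-premises
# SharePoint farm. Assumes the SharePoint Management Shell (Microsoft.SharePoint.PowerShell)
# and the Update-SPMachineKey cmdlet are present; run as a farm administrator on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Confirm the farm is already at the patched build before rotating keys.
#    PLACEHOLDER: replace 0.0.0.0 with the patched build for your SharePoint version,
#    taken from the vendor advisory (it is not given in this article).
$patchedBuild = [Version]'0.0.0.0'
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
if ($farm.BuildVersion -lt $patchedBuild) {
    Write-Warning "Farm build is below the patched build; apply the security update first."
    return
}

# 2. Rotate the ASP.NET machine keys for every web application, including Central
#    Administration. Keys exfiltrated before the patch would otherwise still sign
#    payloads the server accepts, which is the post-patch persistence the article describes.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS on every SharePoint server (Role 'Invalid' marks non-SharePoint
#    servers such as database servers, which are skipped) so the new keys are loaded.
foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
}
```

Key rotation does not evict an attacker who already has a foothold; it only invalidates what was stolen, so servers that were internet-facing should still be treated as compromised and investigated.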
Broader Implications for Critical Infrastructure
This attack campaign reflects a growing trend of nation-state and criminal actors targeting widely deployed infrastructure components within government and enterprise environments. The designation of CVE-2025-53770 as a Known Exploited Vulnerability by CISA mandates immediate action from federal agencies and serves as a warning to private sector organizations.
The incident highlights the persistent challenge of securing legacy systems and the critical importance of rapid patch deployment. Zero-day vulnerabilities continue to serve as primary attack vectors for sophisticated threat actors seeking stealthy, long-term access to sensitive government and corporate networks. The rapidly evolving nature of this incident suggests that the full scope of compromise may not yet be understood, with security agencies continuing to assess the potential for widespread impact across critical infrastructure sectors.
Sources
- TechCrunch – Hackers exploiting SharePoint zero-day seen targeting government agencies
- The Hacker News – Critical Microsoft SharePoint Flaw
- KOMO News – Hackers exploiting significant vulnerability on Microsoft SharePoint servers
- HIPAA Journal – Microsoft Emergency Patches SharePoint Server Vulnerabilities
- Nextgov – Threat Intel Firms Alert Government Systems Impacted
- University of Michigan – SharePoint Zero Day Immediate Action Required
- CBS News – Microsoft SharePoint Attack Vulnerability Fix Released
- Rapid7 – Zero-Day Exploitation of Microsoft SharePoint Servers