Warnings issued as hackers actively exploit critical zero-day in Microsoft SharePoint
Microsoft issued an urgent alert over the weekend after threat actors were discovered exploiting a zero-day vulnerability in on-premise SharePoint servers on a global basis.
Researchers believe the issue is likely to lead to a large number of victims including governments and enterprises, and warn that attackers are compromising cryptographic keys allowing them to maintain access to victims’ systems even after the affected servers are patched.
In emergency guidance published Saturday night, Microsoft said it was working on a patch for the remote code execution vulnerability, which is being formally tracked as CVE-2025-53770. Affected customers were urged to immediately reconfigure their systems or disconnect SharePoint until a patch is available.
A security update for SharePoint (other than the 2016 edition) was eventually released in the early hours of Monday morning, covering both CVE-2025-53770 and a less critical vulnerability registered as CVE-2025-53771.
The guidance is “uniquely urgent and drastic” according to Charles Carmakal, the chief technology officer at Google Cloud’s Mandiant consulting department.
“This isn’t an ‘apply the patch and you’re done’ situation,” Carmakal wrote on LinkedIn. “Organizations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities catalog on Sunday with a “due date” of Monday, meaning all federal agencies are legally required to immediately fix the issue. The agency issued a similarly immediate call for federal agencies to patch the Citrix Bleed 2 bug earlier this month, at the time a record for how quickly a bug needed to be patched.
Governments compromised
Eye Security, a European cybersecurity company, said in a blog post on Friday evening that it was the first to identify widespread exploitation of the vulnerability. The company scanned the internet and discovered dozens of systems that had been compromised in two waves of attacks, on Friday evening and Saturday morning.
According to its blog, the company has attempted to directly inform the affected organizations and the relevant national CERTs with detailed evidence about the compromises.
Benjamin Harris, the chief executive at cybersecurity company watchTowr, which has been working with Eye Security to notify victims, warned: “All signs point to widespread, mass exploitation — with compromised government, technology, and enterprise systems observed globally.”
Michael Sikorski, the chief technology officer and head of threat intelligence for Palo Alto Networks’ Unit 42, said: “While cloud environments remain unaffected, on-prem SharePoint deployments — particularly within government, schools, healthcare including hospitals, and large enterprise companies — are at immediate risk.”
The hackers behind the compromises “are bypassing identity controls, including MFA and SSO, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” said Sikorski.
“The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat,” added the CTO.
The compromise of SharePoint’s internal cryptographic keys is particularly worrying, researchers say, and means that entities that have been compromised will need to take extra steps to recycle some of the most fundamental settings used to keep themselves secure.
It “makes remediation particularly difficult,” explained Harris. “A typical patch would not automatically rotate these stolen cryptographic secrets, leaving organizations vulnerable even after they patch. In this case, Microsoft will likely need to recommend additional steps to remediate the vulnerability and any compromise post-response.”
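The article states that patching does not rotate the cryptographic secrets an attacker may already hold, but it does not show what rotation looks like. The following is an added example written for this page, not code from the article or from Microsoft: it rotates the ASP.NET machine keys for every web application in an on-premises SharePoint farm using the `Update-SPMachineKey` cmdlet from the SharePoint Management Shell, logs each result, and recycles IIS so worker processes pick up the new keys. It assumes the security update is already installed, that it is run as a farm administrator on a farm server, and that the farm is SharePoint Server 2016 or later (where the cmdlet is available); the log file path is an assumed convenience, not a SharePoint convention.

```powershell
# Added example (not from the article or from Microsoft's guidance).
# Rotate the ASP.NET machine keys (ValidationKey / DecryptionKey) on every
# web application in an on-premises SharePoint farm, then recycle IIS.
# Assumptions: SharePoint Management Shell, farm administrator rights,
# SharePoint Server 2016+ so that Update-SPMachineKey exists, and the
# CVE-2025-53770 security update already applied on every server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed log location; change to wherever your incident records live.
$log = Join-Path $env:TEMP ("spmachinekey-rotation-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# Include Central Administration: its keys are as exposed as any other web app's.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    $wa = $_
    Write-Host "Rotating machine key for $($wa.Url)"
    try {
        # Generates fresh key material for this web application and
        # propagates it to every server in the farm.
        Update-SPMachineKey -WebApplication $wa
        "$(Get-Date -Format o) rotated $($wa.Url)" | Out-File -FilePath $log -Append
    }
    catch {
        # Record the failure and keep going; a partial rotation is still
        # better than none, but every failure must be re-run by hand.
        "$(Get-Date -Format o) FAILED $($wa.Url): $($_.Exception.Message)" | Out-File -FilePath $log -Append
        Write-Warning "Failed to rotate key for $($wa.Url): $($_.Exception.Message)"
    }
}

# New keys take effect only after the worker processes restart.
# Run this on every server in the farm, not just the one executing the script.
iisreset

Write-Host "Rotation log written to $log"
```

Rotation invalidates any tokens or ViewState signed with the old keys, so expect a one-off round of user re-authentication; that disruption is the point, since anything an attacker forged with the stolen keys stops validating at the same time. Rotating keys is one remediation step among the others the article names (mitigations, the patch, and a compromise investigation), not a substitute for them.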
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.