
Microsoft Suffers Major Data Breach Affecting SharePoint Servers
Hackers have actively exploited a critical security vulnerability in Microsoft SharePoint Server, resulting in a major data breach that impacts more than 100 companies worldwide. The vulnerability, tracked as CVE-2025-53770 with a critical CVSS score of 9.8, allows unauthenticated remote code execution by abusing how SharePoint deserializes untrusted data. As a result, attackers have obtained unauthorized access to confidential data, deployed persistent backdoors, and stolen cryptographic machine keys, which allow them to maintain access even after patches are applied.
Details of the Breach and Global Impact
This large-scale attack, described as ongoing and active since early July 2025, primarily targets on-premises Microsoft SharePoint servers, including the 2016, 2019, and Subscription Editions. Importantly, Microsoft's cloud-based SharePoint Online on Microsoft 365 remains unaffected. The breach has compromised at least 75 corporate servers, including U.S. government agencies, universities, energy firms, and international telecommunications providers.
Attackers exploited the flaw to impersonate users, execute arbitrary commands before authentication, and forge trusted payloads using stolen machine keys. These exploits facilitate lateral movement within networks while blending in with legitimate SharePoint activity, making detection and remediation particularly challenging.
Microsoft's Response and Mitigation Efforts
Microsoft promptly acknowledged the vulnerability and the ongoing attacks, releasing security updates for SharePoint 2019 and Subscription Editions and preparing a patch for SharePoint 2016. Customers are strongly urged to apply these patches immediately. Additionally, Microsoft recommends rotating SharePoint Server ASP.NET Machine Keys and restarting Internet Information Services after updates to invalidate stolen keys and prevent persistent access by attackers.
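The key-rotation and IIS-restart step above, as an added example that is not code from the article or from Microsoft. It assumes a farm server running a patched SharePoint 2019 or Subscription Edition farm, the SharePoint Management Shell, and that the `Set-SPMachineKey` and `Update-SPMachineKey` cmdlets are available in that version; the restart must be repeated on every server in the farm.

```powershell
# Added example (not from the article or Microsoft). Assumes a patched
# SharePoint 2019 / Subscription Edition farm server, run from an elevated
# SharePoint Management Shell with farm administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotate the ASP.NET machine keys of every web application in the farm,
# including Central Administration, so keys stolen before patching can no
# longer be used to forge trusted payloads.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.Url)"
    # Generate new validation/decryption keys in the farm configuration.
    Set-SPMachineKey -WebApplication $wa
    # Write the new keys into the IIS web.config on all farm servers.
    Update-SPMachineKey -WebApplication $wa
}

# Restart IIS so worker processes drop the old keys from memory.
# Repeat on each SharePoint server in the farm.
iisreset.exe /noforce
```

After the restart, confirm the change took effect by checking that the `machineKey` element in each IIS site's web.config differs from the pre-patch values, and keep watching web server logs and file systems for web shells dropped before rotation.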
The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts urging organizations running on-premises SharePoint servers to apply mitigations quickly and has collaborated with Microsoft to notify affected entities. CISA has also warned that ransomware groups are using these vulnerabilities and deploying ransomware on compromised systems.
Cloud Security Risks Highlighted by SharePoint Breach
This incident underscores the security risks of on-premises server software versus cloud-hosted services, with attackers focusing on legacy and on-prem deployments. Experts emphasize the importance of vigilance, timely patching, and comprehensive endpoint visibility to detect stealthy exploits involving stolen cryptographic keys and web shell deployments.
Organizations relying on Microsoft SharePoint for collaboration and document management must review their security posture urgently, apply available updates, implement recommended mitigations from Microsoft and CISA, and monitor for any signs of compromise to prevent further damage.