SparTech Software CyberPulse – Your quick strike cyber update for July 26, 2025 1:21 PM

Exploitation of Critical Microsoft SharePoint Zero-Days Leads to Widespread Compromise and Ransomware Attacks

In July 2025, security researchers reported active, in-the-wild exploitation of two newly disclosed zero-day vulnerabilities in on-premises Microsoft SharePoint Server. The campaign has produced significant breaches across sectors, with the exploits weaponized for both data theft and ransomware deployment. Organizations running on-premises SharePoint are urged to patch immediately, since the flaws allow unauthenticated remote code execution and administrative compromise.

Technical Breakdown of SharePoint Vulnerabilities

The two vulnerabilities carry CVSS scores of 9.8 and 7.1. Together they permit unauthenticated remote code execution and administrative access on Microsoft SharePoint Server deployments. An attacker exploiting them gains control of the server process, bypassing SharePoint's built-in authentication and authorization, and can execute arbitrary code to exfiltrate data or move laterally within the organization's environment.

Technical investigation found that at least one of the vulnerabilities is being used to plant malicious scripts and create unauthorized user accounts through Internet-exposed SharePoint endpoints. Because exploitation requires no prior authentication, every unpatched instance reachable from the Internet is an immediate target. Researchers identified at least three distinct IP addresses behind the attack waves, one of which had previously been linked to major exploitation of other enterprise appliances.

Scope and Methods of the Attacks

Campaigns exploiting these SharePoint flaws began as early as July 7, 2025, with a sharp uptick in activity identified mid-month. Check Point Research and other industry watchers traced dozens of compromise attempts spanning government agencies, telecommunications firms, software providers, and financial institutions in both North America and Western Europe.

In some confirmed cases, attackers attributed to the group tracked as “Storm-2603” used these SharePoint exploits as the initial access vector before deploying the “Warlock” ransomware family on compromised systems. Beyond delivering the ransomware payloads, the attackers leveraged SharePoint's integration with other enterprise applications for further network reconnaissance and lateral movement.

Exploitation was rapid and automated: custom exploit tooling let the attackers compromise Internet-exposed SharePoint instances at scale, and the reporting describes payloads tailored to evade the security configurations the attackers expected to encounter.

Response, Mitigation, and Recommendations

Microsoft responded with an out-of-band security update, issued outside the regular Patch Tuesday cycle, addressing both vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) and leading incident response organizations are advising immediate action, given ongoing evidence of active exploitation.

Organizations are strongly recommended to:

  • Apply the latest Microsoft patches to all on-premises SharePoint servers without delay, then rotate the servers' ASP.NET machine keys and restart IIS as Microsoft's post-patch guidance directs, because patching does not invalidate keys an attacker may already have taken.
  • Review IIS and Windows security logs for signs of unusual activity, including unauthorized account creation, anonymous requests that succeed against SharePoint endpoints, and newly written script files under the SharePoint web roots.
  • Harden perimeter exposure: avoid exposing on-premises SharePoint directly to the Internet where possible, restrict access to known networks, and monitor authentication attempts from known malicious IPs.
  • Ensure incident response teams are prepared for post-compromise actions, including containment, credential and key rotation, and ransomware recovery procedures.
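As an added illustration of the log review recommended above (example code written for this page, not tooling from Microsoft, CISA or the researchers cited), the following Python script parses IIS W3C logs from a SharePoint web front end and flags two things: anonymous POST requests that /_layouts/ endpoints answered with a success status instead of the expected 401, and any request from a watchlist of source addresses. The log lines, usernames, paths and the single watchlist entry are constructed placeholders, not indicators from the campaign; replace the watchlist with the addresses published in the vendor and CISA advisories.

```python
"""Hunt IIS W3C logs from an on-premises SharePoint web front end for two
signals: anonymous POSTs that succeed against /_layouts/ endpoints, and any
traffic from a watchlist of known-bad source addresses."""
from collections import Counter
from datetime import date
from typing import Dict, List, Optional, Set

# Earliest exploitation attempts reported by Check Point Research.
CAMPAIGN_START = date(2025, 7, 7)

# Placeholder watchlist (RFC 5737 documentation range), NOT a real indicator.
# Replace with the addresses published in vendor or CISA advisories.
WATCHLIST: Set[str] = {"203.0.113.9"}

# Constructed sample log in IIS W3C extended format. Paths, users and
# addresses are illustrative and are not indicators from the campaign.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-06 22:10:03 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 401 0 0 15
2025-07-18 09:12:01 10.0.0.5 GET /sites/finance/default.aspx - 443 CONTOSO\\alice 10.0.4.21 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 310
2025-07-18 09:12:45 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 290
2025-07-18 09:13:02 10.0.0.5 GET /_layouts/15/dropped.aspx - 443 - 203.0.113.9 python-requests/2.32 - 200 0 0 22
2025-07-19 11:40:10 10.0.0.5 POST /_layouts/15/somepage.aspx - 443 CONTOSO\\bob 10.0.4.30 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 200
2025-07-19 11:41:00 10.0.0.5 GET /sites/hr/ - 443 CONTOSO\\carol 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 80
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names.

    IIS writes one space-separated record per line and replaces spaces inside
    values with '+', so a plain split() is safe. Rows whose column count does
    not match the declared schema are skipped rather than misaligned."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def hunt(rows: List[Dict[str, str]],
         watchlist: Set[str] = WATCHLIST,
         since: Optional[date] = CAMPAIGN_START) -> List[Dict[str, object]]:
    """Return one finding per suspicious row, with the reasons it matched."""
    findings: List[Dict[str, object]] = []
    for row in rows:
        if since is not None and date.fromisoformat(row["date"]) < since:
            continue
        reasons: List[str] = []
        status = int(row["sc-status"])
        stem = row["cs-uri-stem"].lower()
        # An anonymous POST to a layouts page should be refused (401/403);
        # a 2xx answer means the endpoint served an unauthenticated caller.
        if (row["cs-method"] == "POST" and stem.startswith("/_layouts/")
                and row["cs-username"] == "-" and 200 <= status < 300):
            reasons.append("anonymous POST to /_layouts/ endpoint succeeded")
        if row["c-ip"] in watchlist:
            reasons.append("source address on watchlist")
        if reasons:
            findings.append({
                "time": f"{row['date']} {row['time']}",
                "source": row["c-ip"],
                "user": row["cs-username"],
                "request": f"{row['cs-method']} {row['cs-uri-stem']} -> {status}",
                "reasons": reasons,
            })
    return findings


def per_source(findings: List[Dict[str, object]]) -> Counter:
    """Count findings by client address to see which sources dominate."""
    return Counter(str(f["source"]) for f in findings)


if __name__ == "__main__":
    hits = hunt(parse_w3c(SAMPLE_LOG))
    for hit in hits:
        print(hit["time"], hit["source"], hit["request"], "|", "; ".join(hit["reasons"]))
    print("per source:", dict(per_source(hits)))
```

To run this against real data, feed it the contents of the front end's IIS logs (by default under `C:\inetpub\logs\LogFiles\W3SVC*\`) and make sure the `cs-username` field is enabled in the site's logging configuration, since the anonymous-POST rule depends on it. The pre-campaign 401 in the sample is deliberately left unflagged: an anonymous request that was refused is the system working as intended, and the `since` cutoff keeps the hunt focused on the reported exploitation window.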

The scope and sophistication of these attacks signify an escalation in the targeting of core business management platforms. Continuous monitoring, prompt patching, and advanced threat detection are essential to protect enterprise environments.
