Ongoing Exploitation of Microsoft SharePoint Zero-Day Vulnerabilities Threatens Global Enterprises
In July 2025, cybersecurity professionals globally have raised alarms over two newly patched, severe Microsoft SharePoint vulnerabilities actively exploited by multiple threat actors. More than 75 organizations—including banks, universities, healthcare providers, and government agencies—have suffered confirmed breaches related to these flaws. The attacks, starting in early July, are characterized by highly sophisticated techniques granting attackers unauthenticated remote code execution and administrative access to critical SharePoint environments across North America and Europe.
Technical Details of the Vulnerabilities
The two most notable SharePoint vulnerabilities, scoring CVSS ratings of 9.8 and 7.1, were identified as permitting full remote code execution (RCE) without authentication and enabling privilege escalation to gain administrative control of the SharePoint Server. Both vulnerabilities existed in core services responsible for routine file management and collaboration, which are foundational to Microsoft 365 environments and customer data workflows.
Nature of Attacks and Attribution
Attacks exploiting these vulnerabilities have escalated since July 7, 2025. Security research observed that the most aggressive exploitation attempts first targeted Western governmental bodies, with activity intensifying against telecom and software firms through the month. Notably, threat actor group Storm-2603, associated with Chinese interests, conducted targeted intrusions by leveraging the remote code execution flaw (tracked as CVE-2024-38060) for cyber-espionage purposes. These intrusions enabled the deployment of backdoors, remote command-and-control communications, and subsequent lateral movement within victim networks.
Detection and Persistent Access Techniques
Security telemetry revealed that attackers predominantly used customized payloads to bypass native SharePoint defenses, exploiting the lack of updated patches on many enterprise installations. In several documented compromises, attackers obtained persistent administrative access, facilitating the theft of sensitive cryptographic keys and the creation of rogue administrator accounts.
Real-World Impact and Defensive Challenges
The operational consequences of these exploits are significant: unauthorized actors could observe, manipulate, or exfiltrate enterprise documents, communications, and intellectual property. The scale of confirmed breaches underscores the high risk for sectors handling regulated data, such as financial services, healthcare, and government operations, which are especially reliant on SharePoint for internal collaboration and workflow management.
Mitigation Recommendations
Microsoft immediately released emergency security updates (Patch Tuesday, July 2025) addressing the vulnerabilities. Security agencies and experts have classified these as urgent—strongly recommending that all organizations apply the updates without delay. Supplementary mitigations include enhanced real-time threat detection, reviewing administrative activity logs for suspicious elevations or account creations, and isolating vulnerable SharePoint infrastructures until fully patched.
Strategic Security Takeaways
The July 2025 SharePoint attacks exemplify the persistent threat from state-affiliated and advanced cybercriminal actors targeting collaboration platforms. Key technical lessons include the necessity of rapid patch management for zero-days, the criticality of monitoring privileged access, and the enduring value of defense-in-depth practices—particularly in complex, distributed enterprise environments.