SparTech Software CyberPulse – Your quick strike cyber update for July 29, 2025 7:06 PM

Microsoft SharePoint Zero-Day Vulnerabilities Exploited Globally

In July 2025, Microsoft SharePoint was subject to a global campaign of exploitation targeting two new zero-day vulnerabilities. These flaws permitted unauthenticated remote code execution and administrative privilege escalation, with over 400 organizations—including critical banking, healthcare, government, and educational institutions—confirmed as victims. Both state-sponsored groups and ransomware operators leveraged these vulnerabilities, making rapid patching and defensive action imperative for enterprises using on-premises SharePoint infrastructure.

Technical Nature of the Zero-Days

The core of the incident centers on two high-severity CVEs affecting Microsoft SharePoint Server. The more severe of the two carries a CVSS score of 9.8, reflecting that it allows unauthenticated attackers to execute arbitrary code remotely. The second, with a CVSS score of 7.1, enabled attackers to escalate privileges and gain broad administrative access. The vulnerabilities were first weaponized using proof-of-concept code made public after they were demonstrated at the May 2025 Pwn2Own competition.

Attackers tailored their methods to bypass default SharePoint security controls, targeting both known and previously unreported weaknesses. Even after Microsoft’s initial patch in July, threat actors were observed circumventing the mitigations, which prompted emergency guidance from both Microsoft and CISA, including recommendations to rotate ASP.NET machine keys and isolate vulnerable systems. Affected organizations were also urged to disconnect any end-of-life SharePoint instances from the internet immediately.

Major Attack Campaigns and Attribution

Microsoft attributed the most prominent attack waves to three China-linked threat actor groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Storm-2603, in particular, deployed a strain of ransomware known as Warlock in several cases, compounding the threat for already compromised enterprises.

The breaches included penetration of high-profile targets such as the US National Nuclear Security Administration and various federal, state, and local government entities. Cybersecurity authorities described the campaign’s scope as both global and persistent, leveraging sophisticated tactics to maintain access after initial compromise.

Incident Impact and Defensive Measures

These SharePoint vulnerabilities posed risk well beyond the compromised server itself. Because SharePoint underpins file management in Microsoft 365 environments, an attacker with server-level access could reach sensitive documents, communications, and third-party integrations in Word, Teams, and other business-critical applications.

Responding to the campaign, Microsoft and CISA recommended immediate patching of all SharePoint servers, rotation of cryptographic keys, isolation or decommissioning of legacy systems, and a review of all accounts for suspicious activity. Organizations were also advised to monitor for signs of lateral movement and unauthorized persistence after applying fixes.
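The machine-key rotation recommended above (and in the guidance section earlier) can be applied farm-wide from the SharePoint Management Shell. The script below is an added example written for this article, not Microsoft's or CISA's own tooling; it assumes the `Get-SPWebApplication` and `Update-SPMachineKey` cmdlets are available on the server, that it runs elevated as a farm administrator, and that the log path is a local choice you can change.

```powershell
# Added example, not from the original article: rotate the ASP.NET machine key
# for every SharePoint web application in the farm, log the outcome, and
# recycle IIS so the rotated keys are loaded. Run after the security update
# is installed, as part of the post-patch steps the advisory describes.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumed log location; adjust to your environment.
$logPath = "C:\ProgramData\SPMachineKeyRotation.log"

function Write-Log {
    param([string]$Message)
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $logPath -Value $line
    Write-Host $line
}

# Include Central Administration so its keys are rotated as well.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
$failed = @()

foreach ($webApp in $webApps) {
    try {
        Write-Log "Rotating machine key for $($webApp.Url)"
        # Assumed cmdlet: generates and pushes a new machine key for the
        # web application to every server in the farm.
        Update-SPMachineKey -WebApplication $webApp
        Write-Log "Rotation completed for $($webApp.Url)"
    } catch {
        $failed += $webApp.Url
        Write-Log "Rotation FAILED for $($webApp.Url): $($_.Exception.Message)"
    }
}

# Worker processes keep the old key in memory until IIS restarts.
Write-Log "Restarting IIS so the new keys take effect"
iisreset.exe | Out-Null

if ($failed.Count -gt 0) {
    Write-Log "Rotation incomplete; retry these web applications: $($failed -join ', ')"
    exit 1
}
Write-Log "Machine key rotation finished for $($webApps.Count) web application(s)"
```

Review the log afterwards and repeat the run for any web application listed as failed before considering the server back in service.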

Broader Industry and Policy Response

The scale of exploitation resulted in urgent advisories across North America and Europe, highlighting the importance of rapid vulnerability management and real-time detection capabilities for organizations with on-premises infrastructure. Discussions among industry experts emphasized that organizations continuing to self-host SharePoint—particularly with outdated or unsupported versions—remain at elevated risk for both targeted and opportunistic attacks.

The incident sharpens focus on the necessity for ongoing vulnerability disclosure programs, regular penetration testing, and enhanced awareness training for administrators and users. It also underscores the wider trend of state-aligned cyber operations targeting widely deployed enterprise software as a vector for broader espionage and disruption campaigns.
