SparTech Software CyberPulse – Your quick strike cyber update for July 25, 2025 1:21 PM

Microsoft SharePoint Zero-Day Vulnerabilities Exploited in Global Cyber Attacks

The cybersecurity community is confronting a worldwide surge in attacks exploiting zero-day vulnerabilities in Microsoft SharePoint. Since their discovery in early July 2025, multiple threat actors—including sophisticated nation-state groups—have used these vulnerabilities to compromise organizations’ collaborative platforms, prompting urgent calls for immediate system patching.

Technical Details of the Exploited Vulnerabilities

Microsoft SharePoint, a central platform for file sharing and collaboration across enterprise environments, was found to harbor several critical vulnerabilities, tracked as CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771. The most severe, scored 9.8 on the CVSS scale, allows unauthenticated remote code execution (RCE), giving attackers control over SharePoint servers without any credentials. Attackers can leverage these flaws to gain administrative control, install backdoors, steal sensitive files, and propagate malware or ransomware payloads.

The vulnerabilities impact on-premises SharePoint deployments, specifically SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint 2016. Notably, SharePoint Online, part of Microsoft 365, is unaffected by these exploits.

Scope and Impact of the Attacks

Since at least July 7, 2025, active exploitation has been observed, with over 75 confirmed compromises across a spectrum of sectors—banks, universities, hospitals, government agencies, and large corporations in North America and Europe. Emerging reports estimate that the true scale is likely much broader due to the ease of leveraging these flaws in unpatched systems. Affected organizations have included high-profile institutions such as the U.S. National Nuclear Security Administration.

Cybersecurity authorities warn that the attack wave is ongoing. Check Point Research identified coordinated compromise attempts using three primary IP addresses, with at least one having previous ties to other major enterprise application exploits. Advanced threat actors employ sophisticated, multi-stage approaches: initial compromise is followed by the deployment of persistence mechanisms, access key theft, and lateral movement within the victim’s network environment.

Attribution and Threat Actor Activity

Forensic investigations implicate several Chinese nation-state groups, notably Linen Typhoon and Violet Typhoon, in high-value targeting. In parallel, another China-based actor labeled Storm-2603 has weaponized the vulnerabilities to distribute the Warlock ransomware, impacting both private sector and government victims. Technical evidence includes shared command-and-control infrastructure and artifacts indicating tailored exploitation capabilities adapted to bypass SharePoint’s intrinsic security controls.

Response and Mitigation

Both Microsoft and government agencies, including CISA, have released urgent guidance, advising immediate patch installation and intensive network monitoring for indicators of compromise. Microsoft addressed these vulnerabilities during the July Patch Tuesday release, but warnings persist as many organizations may be slow to update, leaving them vulnerable to emerging attacks.

Security experts emphasize that unpatched SharePoint servers provide not only direct data theft opportunities but also a pathway into wider Office 365 and enterprise infrastructure, raising the risk of supply chain compromise and persistent intrusions. A coordinated response—with prioritized patching, incident detection, and post-compromise remediation—is recommended.

Potential Implications for the Broader Cybersecurity Landscape

The SharePoint vulnerabilities and their rapid weaponization mark another escalation in large-scale exploitation of enterprise software. The prevalence of on-premises solutions and gaps in patch management continue to provide lucrative entry points for adversaries. This episode demonstrates that cloud-based alternatives may offer improved security postures through centralized update mechanisms, but hybrid environments remain at risk unless robust patch procedures are enforced throughout the organization.
