SharePoint attack affects a limited number of UK businesses while its impact expands globally, according to the National Cyber Security Centre.
A zero-day vulnerability affecting Microsoft's SharePoint has been actively exploited since early July 2025. The vulnerability, which involves multiple CVEs such as CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770, has been targeted by sophisticated threat actors, including Chinese state-aligned groups.
The Cybersecurity and Infrastructure Security Agency (CISA) has been alerted to the zero-day vulnerability by a trusted partner and has reached out to Microsoft for assistance. Microsoft, in response, has indicated that the patches for the new vulnerability, CVE-2025-53770, include more "robust protections" than the July update for the previous vulnerability CVE-2025-49704.
It is important to note that SharePoint Online in Microsoft 365 isn't impacted by the zero-day flaw. However, the attacks are global and have been most notably concentrated in North America and Western Europe, targeting government agencies, telecommunications, and software industries.
U.S. federal government agencies like the Department of Homeland Security (DHS) and several others have been compromised, and similar breaches have been reported in allied countries such as Canada and Australia. The attacks allow attackers to execute code remotely, establish persistent access, and extract cryptographic keys, according to cybersecurity firm Rapid7.
Organizations are strongly advised to apply Microsoft's emergency patches immediately to mitigate ongoing exploitation. A security expert, Michael Sikorski, advises that any unpatchable systems be disconnected from the internet in the meantime. In the UK, the National Cyber Security Centre (NCSC) has detected a limited number of British victims and advises any UK companies compromised by the flaw to report it to the agency.
The NCSC's new Vulnerability Research Initiative has been welcomed by the industry, but concerns have been raised about whether it goes far enough. It remains unclear who is behind the attack, but multiple groups of hackers are now using the vulnerability, according to Charles Carmakal, CTO at Google-owned Mandiant Consulting.
Microsoft has warned organizations running on-prem SharePoint servers to take immediate action, apply all relevant patches, rotate all cryptographic material, and engage professional incident response. The attack using the SharePoint zero-day vulnerability appears to be targeted and deliberate, according to Rapid7.
In light of these developments, it is crucial for organizations to prioritize the security of their SharePoint servers and to stay vigilant against potential threats.
- The Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies, such as the National Cyber Security Centre (NCSC), are advising organizations to prioritize their cybersecurity, particularly with regard to SharePoint servers, given the current zero-day vulnerability affecting Microsoft's SharePoint that has been targeted by sophisticated threat actors.
- In response to the ongoing exploitation of the zero-day vulnerability in Microsoft's SharePoint, organizations are being urged to apply the emergency patches, including the robust protections recently provided by Microsoft, to mitigate the risk from breaches that have affected government agencies and the telecommunications and software industries across North America and Western Europe.