Hackers have broke into 85 SharePoint servers worldwide. They hit multinational corporations, government agencies, and banks across the US, Germany, France, and Australia.

Microsoft confirmed active exploitation of CVE-2025-53770, a critical zero-day vulnerability with a CVSS score of 9.8. As of posting, Microsoft have no patch ready.

Unknown attackers exploited a "significant vulnerability" in Microsoft's SharePoint collaboration software, hitting targets around the world.

If your business documents, financial records, and internal communications sit on SharePoint, those files face immediate risk. In this article, we will break down that risk into laymen terms and provide some insight on immediate steps to mitigate.

The risk to this zero day exploit

CVE-2025-53770 stems from SharePoint's deserialising of untrusted data and can lead to unauthenticated remote code execution with no user interaction required. In other words, hackers can break into your SharePoint server without needing passwords, usernames, or any credentials.

The vulnerability affects three SharePoint versions:

• Microsoft SharePoint Enterprise Server 2016

• Microsoft SharePoint Server 2019

• Microsoft SharePoint Server Subscription Edition

SharePoint Online in Microsoft 365 is not vulnerable. If you use SharePoint through Office 365, you're safe. But if your company runs SharePoint on its own servers, you face serious danger.

Eye Security discovered that within hours of detecting the initial compromise, they pinpointed more than dozens of servers compromised "using the exact same payload at the same filepath". Hackers aren't targeting individual companies. They're running automated attacks against thousands of SharePoint servers globally.

This falls squarely under technological risk. The zero-day flaw has been described as a variant of CVE-2025-49706, a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates. Even Microsoft's recent security patches didn't stop this new attack method.

You should be concerned if...

Your company runs on-premises SharePoint servers: Tens of thousands of these servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond.

You should act immediately if you:

• Host SharePoint on your own servers or data centres.

• Use SharePoint for document management, project collaboration, or file sharing.

• Store sensitive business data, customer information, or financial records on SharePoint.

• Rely on SharePoint for daily business operations.

Pete Renals, a senior manager with Palo Alto Networks' Unit 42, said

We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available. We have identified dozens of compromised organisations spanning both commercial and government sectors.

The attack doesn't require insider access. Attackers can execute code remotely, bypassing identity protections such as MFA or SSO. Your multi-factor authentication and single sign-on security measures won't protect you.

What are the disruption risks?

Business Interruption and Data Theft

• Once inside, attackers can access all SharePoint content, system files, and configurations and move laterally across the Windows Domain. They don't just steal files. They take control of your entire SharePoint environment and potentially your broader network.

Financial Loss and Operational Standstill

• The malicious activity essentially involves delivering ASPX payloads via PowerShell, which is then used to steal the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access. This means hackers can return to your systems even after you think you've secured them.

Reputational Damage and Legal Consequences

• SharePoint typically stores your most sensitive business documents. Customer contracts, financial reports, strategic plans, and employee records all live there. A breach exposes this information and damages your reputation with clients and partners.

Long-term Security Concerns

• watchTowr CEO Benjamin Harris explained: "With these keys in hand, attackers can craft forged __VIEWSTATE payloads that SharePoint will accept as valid—enabling seamless remote code execution. This approach makes remediation particularly difficult—typical patch would not automatically rotate these stolen cryptographic secrets leaving organisations vulnerable even after they patch".

Even when Microsoft releases a patch, your company remains vulnerable. Hackers steal cryptographic keys that let them maintain access to your systems.

Preventative actions you can take right now

Immediate Steps You Must Take Today

1. Microsoft says that customers running on-premises SharePoint Servers can stop attackers from exploiting the vulnerability by configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers.

2. Enable AMSI integration immediately. AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. Check your SharePoint version and confirm AMSI runs properly.

3. If you can't enable AMSI right now, disconnect your SharePoint server from the internet. Microsoft recommends: "If enabling AMSI is not an option, you should remove access to the internet from the SharePoint server".

Detection and Monitoring

1. Defenders should look, at minimum, for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. Search your SharePoint servers for this file immediately.

2. Deploy Microsoft Defender for Endpoint on all SharePoint servers. Set up comprehensive logging to identify exploitation activity. Monitor for suspicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.

Business Continuity Planning

1. Review your SharePoint backup procedures. Ensure you can restore clean versions of your SharePoint environment if hackers compromise your systems. Test your backup restoration process this week.

2. Document your SharePoint dependencies. Identify which business processes stop working if SharePoint goes offline. Prepare alternative collaboration methods for your teams.

Long-term security strategy

Consider migrating to SharePoint Online if you currently use on-premises servers. SharePoint as part of Microsoft 365 (SharePoint Online) is not vulnerable. Cloud-based SharePoint receives automatic security updates and doesn't face this specific threat.

Review your third-party software security regularly. This SharePoint vulnerability shows how quickly new attack methods emerge. Build security assessments into your monthly business reviews.

The SharePoint crisis demonstrates that even patched, up-to-date systems face new threats daily. Your business can't wait for perfect security solutions. Take action now to protect your data and operations from this ongoing attack campaign.

Concerned about this threat? You can book time with one of our Advisors today to discuss. Book 30 minutes with us, free ↗

Sources & additional resources

SharePoint zero day exploited, governments hit, no patch yet | The Stack | July 20, 2025

Microsoft SharePoint servers under attack via zero-day vulnerability with no patch (CVE-2025-53770) | Help Net Security | July 20, 2025

Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers | The Hacker News | July 20, 2025

Customer guidance for SharePoint vulnerability CVE-2025-53770 | Microsoft Security Response Center | July 20, 2025

Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770) | CISA | July 20, 2025

SharePoint Under Siege: ToolShell Mass Exploitation (CVE-2025-53770) | Eye Security | July 19, 2025

Global hack on Microsoft product hits U.S., state agencies, researchers say | The Washington Post | July 20, 2025