In July 2025, Microsoft SharePoint became the epicenter of a massive cyberattack campaign that has shaken governments, corporations, and cybersecurity experts worldwide. A critical zero-day vulnerability, CVE-2025-53770, was exploited and allowed hackers to execute remote code on unpatched SharePoint servers.
The Vulnerability: CVE-2025-53770
With a CVSS score of 9.8, this flaw stems from the deserialization of untrusted data in on-premises SharePoint servers. This gives the attackers the ability to bypass authentication and execute arbitrary commands. This often blends in with legitimate SharePoint activity to evade detection.
Scale of the Breach
Over 400 organizations have been compromised according to security researchers. This includes sensitive government entities like the U.S. National Nuclear Security Administration (NNSA).
The attacks began as early as July 7, 2025, and rapidly escalated. They targeted self-hosted SharePoint servers across sectors such as healthcare, education, finance, and transportation.
From Espionage to Ransomware
These attacks were initially attributed to espionage-focused threat actors, including groups allegedly backed by China. This has since evolved. According to Microsoft and cybersecurity firms, some attackers have transitioned to deploying ransomware, leveraging the same vulnerability to lock down systems and demand payment. This shift marks a dangerous escalation from data theft to operational disruption.
Microsoft’s Response and Mitigation
Microsoft has released emergency patches and advisories. They have also emphasized that SharePoint Online remains unaffected. However, many organizations using on-premises versions were caught off guard, with some still struggling to implement the necessary updates.
Lessons and Outlook
The critical importance of timely patching, endpoint visibility, and layered security defenses are all underscored by this incident. The risks associated with legacy systems and self-hosted infrastructure are also highlighted in an era where cloud-based solutions offer more robust security postures.
As the investigations continue more details emerge, organizations are urged to audit their SharePoint deployments, apply all available patches, and monitor for signs of compromise. These SharePoint hacks serve as a stark reminder that in cybersecurity, vigilance is always essential.