Zero-Day Exploit Hits SharePoint Servers: Microsoft Issues Urgent Security Alert, Echoing 2021 Exchange Server Breaches

A newly discovered zero-day vulnerability is being actively exploited against Microsoft SharePoint servers, prompting urgent security alerts and emergency patches from Microsoft. Tracked as CVE-2025-53770, the flaw enables unauthenticated remote code execution and has already compromised hundreds of organizations worldwide—including private companies, government agencies, and critical infrastructure. Security experts liken its severity to the 2021 Exchange Server breaches, warning of widespread risks.

Technical Breakdown: How the Exploit Works

The flaw stems from deserialization of untrusted data in on-premises SharePoint Server installations. Attackers craft a malicious POST request that, when processed by a vulnerable server, executes arbitrary code without authentication. The exploit—dubbed ToolShell—chains previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) to bypass Microsoft’s earlier fixes. Once inside, attackers gain full access to SharePoint content, digital keys, and connected Microsoft apps (Outlook, Teams, OneDrive), escalating risks of data theft and lateral movement.

“This isn’t just about SharePoint—it’s a gateway to an organization’s entire Microsoft ecosystem,”

noted security researchers at Eye Security and Viettel Cyber Security, who first detected mass exploitation over the weekend.

Scope of the Attack: Who’s Affected?

The campaign is global, targeting entities in the U.S., Germany, France, and Australia. Scans by Fofa identified over 200,000 vulnerable servers, with CISA adding the flaw to its Known Exploited Vulnerabilities Catalog—mandating immediate action for U.S. federal agencies.

• Private sector: SMEs to large enterprises using SharePoint for internal data management.
• Government: Multiple federal agencies breached, per The Washington Post.
• Critical infrastructure: Unspecified targets in energy, healthcare, and education sectors.

Recommended Mitigations

Microsoft advises the following steps:

1. Enable Antimalware Scan Interface: Interim protection until patching.
2. Disconnect servers: If patching isn’t immediate, isolate from the internet.
3. Apply emergency updates: Released for most versions, but SharePoint Server 2016 remains unpatched as of Monday.

Echoes of 2021: Lessons Unlearned?

The attack mirrors the 2021 Exchange Server breaches, where zero-days were exploited en masse before patches rolled out. Both incidents underscore the vulnerability of on-premises systems versus cloud alternatives (SharePoint Online remains unaffected).

“The window for exploitation is shrinking, but the consequences remain dire,”

said a Palo Alto Networks’ Unit 42 analyst.

As organizations scramble to mitigate damage, the incident serves as a stark reminder of the persistent gaps in enterprise security—and the high stakes of delayed action.