
Microsoft has patched three critical zero-day SharePoint security flaws that hackers have already exploited to attack more vulnerable organizations. Responding to the exploits, the software giant initially issued fixes just for SharePoint Server Subscription Edition and SharePoint Server 2019, and then eventually rolled out a patch for SharePoint Server 2016 as well.
Designated as CVE‑2025‑53771 and CVE‑2025‑53770, the two vulnerabilities apply only to on‑premises versions of SharePoint, so organizations that run cloud‑based SharePoint Online are unaffected.
Rated as important, CVE‑2025‑53771 is a SharePoint Server spoofing vulnerability, which means attackers can impersonate trusted and legitimate users or resources in a SharePoint environment. Rated as critical, CVE‑2025‑53770 is a SharePoint Server remote code execution vulnerability. With this type of flaw, hackers can run code remotely in a SharePoint environment.
“CVE‑2025‑53770 gives a threat actor the ability to remotely execute code, bypassing identity protections (like single sign‑on and multi‑factor authentication), giving access to content on the SharePoint server including configurations and system files, opening up lateral access across the Windows domain,” Trey Ford, chief information security officer at crowdsourced cybersecurity provider Bugcrowd, told ZDNET.
Together, the two flaws allow cybercriminals to install malicious programs that can compromise a SharePoint environment — and that’s exactly what’s been happening.
State officials and private researchers told The Washington Post that hackers have already launched attacks against US federal and state agencies, universities, energy companies, and others. SharePoint servers have been breached within at least two US federal agencies, according to the researchers. One US state official said the attackers had “hijacked” a collection of documents designed to help people understand how their government works, the Post added.
Alarmingly, even the US National Nuclear Security Administration was breached as a result of the SharePoint vulnerability, according to the Washington Post and other outlets. The NNSA is responsible for ensuring the safety and protection of America’s nuclear stockpile.
The compromise didn’t affect any classified information, a person familiar with the matter told the Post. An NNSA spokesperson also said that the department was minimally impacted as a result of its widespread use of the Microsoft 365 cloud and capable cybersecurity systems. Still, any breach that hits a facility in charge of a nuclear stockpile poses a threat.
“The recent breach of multiple governments’ systems, including the US National Nuclear Security Administration, stemming from a Microsoft vulnerability, is yet another urgent reminder of the stakes we’re facing,” Bob Huber, chief security officer for cybersecurity firm Tenable, said in a comment shared with ZDNET. “This isn’t just about a single flaw, but how sophisticated actors exploit these openings for long-term gain.”
Just who are the hackers behind the attacks?
On Tuesday, Microsoft blamed three Chinese nation‑state actors — Linen Typhoon, Violet Typhoon, and Storm-2603 — for exploiting the SharePoint flaws.
Active since 2012, Linen Typhoon specializes in stealing intellectual property. It mainly targets government, defense, strategic planning, and human rights organizations. The group typically relies on exploiting security vulnerabilities to launch its attacks.
In business since 2015, Violet Typhoon focuses on espionage against a range of targets, including former government and military personnel, nongovernmental organizations, think tanks, higher education, digital and print media, financial businesses, and health‑related companies in the US. This group also looks for security vulnerabilities to exploit.
Microsoft said it believes that Storm-2603 is also based in China but hasn’t yet uncovered any links between it and other Chinese hackers. This group has tried to take advantage of the SharePoint vulnerabilities to steal the Windows MachineKeys folder, which stores cryptographic keys.
“The Chinese threat actor groups allegedly behind this attack are known for using stolen credentials to establish persistent backdoors,” Huber said. “This means that even after the initial vulnerability is patched, these attackers can remain hidden inside a network, ready to launch future espionage campaigns. By the time an organization sees evidence of a new intrusion, the damage has already been done.”
In a Wednesday update to its blog post, Microsoft also accused one of the groups of exploiting the zero-day flaws to launch ransomware attacks.
“Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities,” the company said. “Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on‑premises SharePoint systems.”
Specifically, Microsoft said that Storm-2603 has conducted attacks using Warlock ransomware, a relatively new strain in which cybercriminals not only encrypt but steal data on a compromised server. Through this double‑extortion tactic, the group can demand ransom to decrypt the data and threaten to release the information publicly unless that ransom is paid.
Why did Microsoft allow these flaws to get so out of hand?
The company tried to fix both the server spoofing vulnerability and the remote code execution vulnerability with its July 8 Patch Tuesday updates via CVE‑2025‑49706, CVE‑2025‑49704, and CVE‑2025‑49701. But apparently the fixes didn’t quite do the trick, as savvy hackers were able to sneak their way around them.
Hopefully the new patches will work this time. In an FAQ, Microsoft said about its cavalcade of CVEs, “Yes, the update for CVE‑2025‑53770 includes more robust protections than the update for CVE‑2025‑49704. The update for CVE‑2025‑53771 includes more robust protections than the update for CVE‑2025‑49706.”
One question is why companies like Microsoft keep exposing their customers to these types of security flaws. One problem lies with the increasing complexity of all the different customer environments.
“Patches are rarely fully comprehensive, and the codebases are both complex and implementations are highly varied,” Ford said. “This is why those test harnesses and regression testing processes are so complicated. In a perfect world, everyone would be running the latest version of code, fully patched. Obviously, this isn’t possible, so feature development must be tested across an exponentially more complicated surface area.”
Before Microsoft rolled out the new patches on Sunday, security firm Eye Security warned about the SharePoint flaws in a research post on Saturday.
“On the evening of July 18, 2025, Eye Security was the first in identifying large‑scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain in the wild,” the firm said. “Demonstrated just days ago on X, this exploit is being used to compromise on‑premises SharePoint servers across the world. Before this vulnerability was widely known last Friday, our team scanned more than 8,000 SharePoint servers worldwide. We discovered dozens of systems actively compromised during two waves of attack, on July 18 around 18:00 UTC and July 19 around 07:30 UTC.”
Referring to the security flaw as ToolShell, Eye Security explained how SharePoint environments can be compromised through the attacks.
By bypassing security protections, hackers can execute code remotely, thereby gaining access to SharePoint content, system files, and configurations. Attackers can also steal cryptographic keys, allowing them to impersonate users or services even after the server is patched. Since SharePoint connects to other Microsoft services such as Outlook, Teams, and OneDrive, hackers can move laterally across a network to steal associated passwords and data.
How to fix the security flaws
For organizations that run SharePoint Server, Microsoft has outlined the steps to fix the flaws.
For Microsoft SharePoint Server Subscription Edition, head to this update page to download and install the patch. For Microsoft SharePoint Server 2019, browse to this update page to grab the patch. For Microsoft SharePoint Server 2016, go to this update page for the patch.
How to guard against future attacks
To further safeguard your environment, Microsoft offers the following advice:
- Make sure you’re running supported versions of SharePoint Server.
- Apply the latest security patches, including those from the July Patch Tuesday updates.
- Make sure that the Windows Antimalware Scan Interface (AMSI) is enabled and set up properly with an antivirus product such as Defender Antivirus.
- Install security software such as Microsoft Defender for Endpoint.
- Rotate SharePoint Server ASP.NET machine keys.
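The checklist above, turned into a single PowerShell pass that a SharePoint farm administrator could run on each on‑premises server after installing the update. This is an added example written for this page; it is not code from the article, from Microsoft's guidance, or from any of the firms quoted. It assumes it is run in the SharePoint Management Shell with the Defender PowerShell module available, that Update-SPMachineKey is the cmdlet used for key rotation, and that AMSI providers register under the standard HKLM:\SOFTWARE\Microsoft\AMSI\Providers key; the expected patched build number is a placeholder to be replaced with the value from Microsoft's update page. Keys are rotated last, after the version check, because (as the article notes) keys stolen from an unpatched server let attackers impersonate users even after patching, so rotating before the patch lands would only hand out a fresh set.

```powershell
# Added example (not from the article or Microsoft): post-patch hardening checks for an
# on-premises SharePoint Server, run as a farm administrator in the SharePoint Management Shell.
# Assumptions: SharePoint and Defender PowerShell modules present; Update-SPMachineKey rotates keys.

# 1. Supported version / latest security patch: compare the farm build against the build you
#    expect after the July 2025 security update (PLACEHOLDER value; take the real one from the update page).
$farm = Get-SPFarm
$expectedMinimumBuild = [Version]"16.0.0.0"   # PLACEHOLDER: replace with the patched build number
Write-Host "Farm build: $($farm.BuildVersion)"
if ($farm.BuildVersion -lt $expectedMinimumBuild) {
    Write-Warning "Farm build is below the expected patched build; install the security update before continuing."
    return
}

# 2. AMSI: SharePoint's AMSI integration is only useful if an antivirus engine has registered
#    itself as an AMSI provider on this host. Providers register their CLSIDs under this key (assumed path).
$amsiProviders = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $amsiProviders) {
    Write-Warning "No AMSI providers are registered; SharePoint's AMSI integration has no engine to scan with."
} else {
    Write-Host "AMSI providers registered: $($amsiProviders.Count)"
}

# 3. Defender Antivirus: confirm the engine and real-time protection are actually running.
$mp = Get-MpComputerStatus
if (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning "Defender Antivirus service or real-time protection is disabled on this server."
} else {
    Write-Host "Defender Antivirus enabled, signatures from $($mp.AntivirusSignatureLastUpdated)"
}

# 4. Rotate the ASP.NET machine keys for every web application (Central Administration included),
#    then restart IIS so the new keys take effect. Done last, on an already patched server.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine key for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}
iisreset.exe
```

Run this on every SharePoint server in the farm, not just the one facing the internet: the machine keys are farm-wide, and a server that missed the rotation keeps honouring tokens signed with the old, possibly stolen, key. Record the build number and the rotation time afterwards, since both are the first things an incident responder will ask for if the server later shows signs of having been compromised before the patch went in.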
Ford also offered further advice to organizations with SharePoint servers.
“When running your own services on‑premises, ask if they truly need to be internet exposed or accessible to untrusted parties,” Ford said. “Lowering your attack surface is always wise — minimize the number of hosts and services you have available to public, untrusted users. Hardening, adding the recommended endpoint protections, such as Microsoft’s Antimalware Scan Interface and Defender, for these highly integrated services is key.”
(Except for the headline, this story has not been edited by PostX News and is published from a syndicated feed.)