Microsoft SharePoint Hacking Has Hit More Than 400 Victims, Researchers Warn

A security company said it has found more than 400 systems that were ‘actively compromised during four confirmed waves of attack.’

Mark Us Preferred on Google

Microsoft SharePoint Hacking Has Hit More Than 400 Victims, Researchers Warn — A member of the Red Hacker Alliance who refused to give his real name uses a website that monitors global cyberattacks at its office in Dongguan, Guangdong Province, China, on Aug. 4, 2020. Nicolas Asfouri/AFP via Getty Images

Jack Phillips

Breaking News Reporter

7/23/2025|Updated: 7/23/2025

0:00

A major hacking campaign against Microsoft’s SharePoint server software has attacked more than 400 victims, according to researchers at Netherlands-based Eye Security.

In an update issued on July 23, Eye Security said that “before this vulnerability was widely known last Friday, our team scanned over 23,000 SharePoint servers worldwide” and in all, the company found more than 400 systems that were “actively compromised during four confirmed waves of attack.”

The sabotage, it said, started on July 17, with more occurring on July 18, July 19, and July 21. In one of the attacks, “a public proof-of-concept ... exploit script” was uploaded to the popular code-sharing website Github, it said.

The details of most of the victim organizations have not been fully disclosed. Eye Security did not name them, and it did not identify where the attacks had originated.

On Saturday, Microsoft issued an alert to customers saying it was aware of the zero-day exploit being used to conduct attacks and that it was working to patch the issue.

A zero-day exploit is a cyberattack that takes advantage of a previously unknown vulnerability. “Zero-day” refers to security engineers having had zero days to develop a fix for it.

Microsoft updated its guidance on Sunday with instructions to fix the problem for SharePoint Server 2019 and SharePoint Server Subscription Edition. Engineers were still working on a fix for the older SharePoint Server 2016 software.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the exploit affecting SharePoint is “a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.”

CISA warned that the impact could be widespread and recommended that any servers impacted by the exploit should be disconnected from the internet until they are patched.

Meanwhile, a senior employee at Google’s Threat Intelligence Group warned on social media earlier this week that the Microsoft vulnerability may allow bad actors to “bypass future patching.”

On July 22, Microsoft said that Chinese regime-linked hacking groups have already exploited the security flaw, with “two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers.”

At the same time, it added, “another China-based threat actor, tracked as Storm-2603,” was observed exploiting vulnerabilities in its SharePoint software. The post suggested that more attacks are likely.

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” said the Redmond, Washington-based company.

Microsoft, which also makes the widely used Windows operating system, advised SharePoint customers and administrators to upgrade their server software with the latest security patches. It also advised that users enable Microsoft software such as Defender Antivirus and its Antimalware Scan Interface, or equivalent programs.

The announcement comes just months after the U.S. Department of Justice said it indicted two Chinese nationals accused of operating in the APT27 hacking group and alleged to have targeted U.S. companies, local government systems, and other institutions.

The Associated Press contributed to this report.

We had a problem loading this article. Please enable javascript or use a different browser. If the issue persists, please visit our help center.