
Government entities and businesses are under siege by digital intruders, as hackers launch coordinated attacks to steal sensitive information.

Unsecured file sharing servers run by various businesses and organizations, relying on SharePoint by Microsoft, are susceptible to cyber breaches due to a glaring vulnerability.

Government entities and corporations undergo digital invasions by unscrupulous hackers, pilfering confidential data


A new vulnerability in Microsoft's SharePoint software has been discovered, potentially exposing authorities and companies to hacker attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the issue, which has been exploited by attackers on servers of two federal agencies in the US, according to the "Washington Post".

The vulnerability, tracked as CVE-2025-53770 (also known as "ToolShell"), affects on-premises servers used for file sharing via SharePoint. The software is commonly used for managing and sharing documents, building corporate websites, real-time collaboration, and controlling user permissions.

Security researchers and threat intelligence groups, including Google's Threat Intelligence Group, have confirmed that the flaw is being exploited to install webshells and exfiltrate cryptographic secrets, enabling persistent, unauthenticated access. Because the flaw allows remote code execution via deserialization of untrusted data, any organization running a vulnerable, internet-exposed SharePoint Server is at high risk, irrespective of sector.

As of now, there is no publicly available attribution naming the specific hacker group, nation-state actor, or criminal organization behind the mass exploitation. The attacks are described as "active, large-scale" and are likely opportunistic, targeting vulnerable on-premises SharePoint Server installations rather than specific industries or agencies.

No specific US government agencies or companies have been named as confirmed victims. The reports mention that over 75 organizations globally have been breached, but do not specify which US authorities or companies are among them. The confirmed victim count is fluid, with one source reporting 54 victims at a point in the campaign. These numbers are likely to increase as investigations continue.

Microsoft is preparing a patch for CVE-2025-53770, but as of July 21, 2025, a comprehensive update is not yet available. Immediate mitigation advice includes disconnecting affected SharePoint servers from the internet until patched and closely monitoring for signs of compromise, especially the installation of webshells and unexpected cryptographic activity.
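The advice above to monitor for newly installed webshells can be turned into a routine check: take a hash baseline of the server-side script files under the SharePoint web root, then periodically diff the current state against it and flag anything that appeared or changed. The script below is an added example for this article, not code from Microsoft, CISA or any of the firms quoted; the SharePoint root path is a labelled placeholder, the set of script extensions is an assumption, and the demo builds its own constructed directory tree so it runs anywhere.

```python
"""Baseline-and-diff check for new or altered server-side script files.

Added example (not from the article or from Microsoft). Walks a web root,
hashes every file that IIS would execute as code, and reports additions and
modifications relative to a saved baseline. A second helper lists files
touched within a time window for hosts where no baseline was ever taken.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Extensions IIS treats as executable server-side code; a dropped webshell is
# typically one of these. Assumption: list chosen for illustration.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".ascx"}

# Placeholder for the real on-premises SharePoint web root (not from the article).
SHAREPOINT_ROOT_PLACEHOLDER = r"C:\<sharepoint-install-root>\TEMPLATE"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large pages do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map every script file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS:
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files that appeared, changed or vanished since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "modified": modified, "removed": removed}


def recently_modified(root, max_age_seconds, now=None) -> list:
    """Script files whose mtime falls within max_age_seconds (cheap check without a baseline)."""
    now = time.time() if now is None else now
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS:
            if now - p.stat().st_mtime <= max_age_seconds:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_constructed_tree(base: Path) -> None:
    """Constructed stand-in for a SharePoint web root: two ordinary pages plus a non-script file."""
    layouts = base / "LAYOUTS"
    layouts.mkdir(parents=True)
    (layouts / "default.aspx").write_text('<%@ Page Language="C#" %>\n<html>ok</html>\n')
    (layouts / "upload.aspx").write_text('<%@ Page Language="C#" %>\n<html>upload</html>\n')
    (base / "readme.txt").write_text("not a script file\n")


def demo() -> dict:
    """Take a baseline, simulate the kind of change a defender wants to catch, report the diff."""
    base = Path(tempfile.mkdtemp(prefix="spcheck-"))
    try:
        build_constructed_tree(base)
        baseline = snapshot(base)
        # Age the legitimate pages by a month so the time-window check has something to ignore.
        month_ago = time.time() - 30 * 24 * 3600
        for name in ("default.aspx", "upload.aspx"):
            os.utime(base / "LAYOUTS" / name, (month_ago, month_ago))
        # Simulated post-compromise changes (constructed; no real webshell content).
        (base / "LAYOUTS" / "new_page.aspx").write_text("<%@ Page %>\n<!-- unexpected new file -->\n")
        with (base / "LAYOUTS" / "default.aspx").open("a") as f:
            f.write("<!-- appended content -->\n")
        report = diff_snapshots(baseline, snapshot(base))
        report["recent"] = recently_modified(base, max_age_seconds=3600)
        return report
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key:9s} {files}")
```

In practice the baseline would be taken from a known-good installation (ideally a freshly patched one) and stored off-host, since an attacker with code execution can rewrite a baseline kept on the server; the mtime check is only a fallback, as timestamps are trivially altered.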

A manager at the security firm CrowdStrike has stated that the SharePoint vulnerability is significant, while Eye Security recommends isolating or shutting down SharePoint servers because "thousands" of servers have been attacked. The Dutch company also warned that stolen digital keys could be used to regain access in the future.

In the past, suspected Chinese hackers gained access to emails in some US agencies via a vulnerability in Microsoft software in 2023. However, the identity of the attackers behind the SharePoint vulnerability remains unclear.

Microsoft has confirmed the problem and released updates to fix the security gap in SharePoint. It is crucial for all organizations, including authorities and enterprises, to treat this as an urgent security incident until patches are applied.

  1. The newly discovered vulnerability in Microsoft's SharePoint software, CVE-2025-53770, is known as "ToolShell"; Microsoft is currently preparing a patch for it.
  2. Because collaboration services like SharePoint are widely used for managing and sharing documents, the cybersecurity implications are significant: the vulnerability allows remote code execution via deserialization of untrusted data.
  3. Given the active exploitation of this vulnerability, both authorities and enterprises should follow Microsoft's immediate mitigation advice, such as disconnecting affected SharePoint servers from the internet and monitoring for signs of compromise until patches are applied.
