Powered by MOMENTUM MEDIA
Industry responds to Microsoft’s SharePoint vulnerability exploitation

A vulnerability in Microsoft's SharePoint software has led to hundreds of organisations being breached by what is believed to be a Chinese state-sponsored threat actor.


The underlying flaws were disclosed in May and Microsoft shipped a fix in its July security update, but that fix proved incomplete: a bypass of it is now being exploited in the wild against on-premises SharePoint servers.

Most recently, the US National Nuclear Security Administration (NNSA), a semi-autonomous part of the US Energy Department responsible for maintaining the US nuclear weapons stockpile and responding to nuclear emergencies, was breached.

While the NNSA reports that it was minimally impacted, with no evidence that sensitive data was compromised, the breach indicates the range and seriousness of the flaws.


Here is how the industry has responded:

Michael Sikorski
CTO and head of threat intelligence, Unit 42, Palo Alto Networks

Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat.

What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including its services like Office, Teams, OneDrive and Outlook, which [have] all the information valuable to an attacker. A compromise doesn’t stay contained – it opens the door to the entire network.

This is a high-severity, high-urgency threat. We are urging organisations [that] are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available. A false sense of security could result in prolonged exposure and widespread compromise.

Bob Huber
Chief security officer, head of research and president of public sector, Tenable

The recent breach of multiple governments’ systems, including the US National Nuclear Security Administration, stemming from a Microsoft vulnerability, is yet another urgent reminder of the stakes we’re facing. This isn’t just about a single flaw, but how sophisticated actors exploit these openings for long-term gain.

The Chinese threat actor groups allegedly behind this attack are known for using stolen credentials to establish persistent backdoors. This means that even after the initial vulnerability is patched, these attackers can remain hidden inside a network, ready to launch future espionage campaigns. By the time an organisation sees evidence of a new intrusion, the damage has already been done.

This incident highlights a critical limitation of traditional, reactive security. A preventative approach is the only way to effectively reduce cyber risk in the face of such persistent threats. For on-premises software like SharePoint, which is deeply integrated into the Microsoft identity stack, there are multiple points of exposure that need to be continuously monitored in order to know, expose and close critical gaps in cyber defences. Further complicating things, many customers are using Microsoft’s security products to secure Microsoft software, creating a massive single point of failure when these types of credential breaches occur.

Organisations need a unified view of their entire infrastructure, which requires an exposure management platform that can integrate with all of the security tools they already use. This is the only way to see the complex attack paths before they are exploited. Given how deeply embedded Microsoft is within government infrastructure worldwide, this isn’t just a corporate issue – it’s become a matter of national security for dozens of countries and should be considered a top priority to address.

Satnam Narang
Senior staff research engineer, Tenable

The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far-reaching consequences for those organisations that were affected. Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers, which include both a validationKey and a decryptionKey.

These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution. Organisations that may have been impacted could identify potential exploitation by searching for indicators of compromise, including a file created on the vulnerable servers called spinstall0.aspx, though it may include some other file extension. The attack surface for this vulnerability is large, at over 9,000 externally accessible SharePoint servers, and it is used by a variety of organisations.

Patches have started to roll out late on July 20, including fixes for SharePoint Server 2019 and SharePoint Subscription Edition. A patch for SharePoint Server 2016 is not yet available but is expected to be released soon. We strongly advise organisations to begin conducting incident response investigations to identify potential compromise; otherwise, apply the available patches and review the mitigation instructions provided by Microsoft.
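Narang's indicator of compromise above is a file named spinstall0.aspx, possibly under another extension, dropped on the vulnerable server. The script below is an added example (not from the article, Tenable or Microsoft) that an on-prem SharePoint administrator could run to hunt for that artefact: it checks the LAYOUTS folders of the SharePoint hives for any spinstall0.* file and then scans IIS W3C logs for requests to such a path, which catches cases where the web shell was dropped and later deleted. The hive roots, the IIS log location and the 14-day lookback are assumptions that must be adjusted to the farm in question; run it in an elevated PowerShell session on each front-end server.

```powershell
# Added example: hunt for the spinstall0.* artefact on a SharePoint on-prem server.
# ASSUMPTIONS (adjust for your farm): SharePoint 2016/2019 hive roots under
# "Web Server Extensions\16", SharePoint 2013 under "\15"; IIS W3C logs under
# C:\inetpub\logs\LogFiles. Run elevated on every SharePoint web front end.
param(
    [string[]]$HiveRoots = @(
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15',
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16'
    ),
    [string]$IisLogRoot = 'C:\inetpub\logs\LogFiles',
    [int]$LookbackDays = 14
)

# A List is used (rather than +=) so additions inside pipeline script blocks are never lost.
$findings = [System.Collections.Generic.List[object]]::new()

# 1. File-system check. The known IOC is spinstall0.aspx, but the extension may vary,
#    so match on the base name under every LAYOUTS folder of every installed hive.
foreach ($root in $HiveRoots) {
    $layouts = Join-Path $root 'TEMPLATE\LAYOUTS'
    if (-not (Test-Path $layouts)) { continue }
    Get-ChildItem -Path $layouts -Recurse -File -Filter 'spinstall0*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Source = 'FileSystem'
                When   = $_.CreationTimeUtc
                Item   = $_.FullName
                Detail = "$($_.Length) bytes, last write $($_.LastWriteTimeUtc) UTC"
            })
        }
}

# 2. IIS W3C logs. Any request whose URI contains spinstall0 means the shell was
#    dropped or probed, even if the file has since been removed from disk.
$since = (Get-Date).AddDays(-$LookbackDays)
Get-ChildItem -Path $IisLogRoot -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $logFile = $_.FullName
        $fields  = $null
        foreach ($line in [System.IO.File]::ReadLines($logFile)) {
            if ($line.StartsWith('#Fields:')) {
                # The W3C header names the columns for the rest of this file.
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not $fields) { continue }
            if ($line -notmatch 'spinstall0') { continue }
            $cols = $line -split ' '
            $row  = @{}
            for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) {
                $row[$fields[$i]] = $cols[$i]
            }
            $findings.Add([pscustomobject]@{
                Source = 'IISLog'
                When   = "$($row['date']) $($row['time'])"
                Item   = "$($row['cs-method']) $($row['cs-uri-stem']) from $($row['c-ip'])"
                Detail = "HTTP $($row['sc-status']) in $logFile"
            })
        }
    }

if ($findings.Count -eq 0) {
    Write-Host 'No spinstall0 artefacts found. Absence of this one IOC is not proof of a clean host.'
} else {
    $findings | Sort-Object When | Format-Table -AutoSize
    Write-Warning 'spinstall0 artefacts present: treat this server as compromised and start incident response.'
}
```

A hit from either check means the MachineKey material (validationKey and decryptionKey) on that farm should be assumed stolen; patching alone does not invalidate it. Microsoft's guidance for this issue is to rotate the ASP.NET machine keys (the SharePoint cmdlet Update-SPMachineKey, or the Machine Key Rotation job in Central Administration) and then restart IIS on every server, so that forged requests signed with the old keys stop validating; confirm the exact steps against Microsoft's current mitigation instructions for your SharePoint version.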

James McQuiggan
Security awareness advocate, KnowBe4

To avoid unnecessary data loss, potential business interruptions, and reputational damage to their brand, CISOs need to review their exposure and assess the mitigation steps available to them.

This is an unpatched vulnerability with confirmed attacks already in progress. Real-world exploitation is underway, which raises the urgency. Organisations need to take immediate mitigation steps to reduce the risk of a data breach by cybercriminals and attackers.

While the vulnerability impacts only SharePoint systems hosted on-prem, the risk is significantly higher if the SharePoint instance is exposed to the internet. That said, even if it’s only accessible within the network, there’s still a risk. The impact might be slower, but if attackers are already inside the network, they can target SharePoint to access sensitive data and gain a deeper foothold.

Organisations should evaluate the business impact of downtime versus the risk of compromise. Access should be limited to essential users only and restricted through VPN. Security operations teams need to increase monitoring of SharePoint activity for any signs of suspicious behaviour. It’s also important to engage cyber security vendors to determine whether they’ve identified any indicators of compromise related to this specific type of attack.

And in a worst-case scenario, isolating the SharePoint server from the internet or even temporarily taking it offline may be the safest move to protect the organisation.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.