Cybersecurity researchers have confirmed that a zero-day vulnerability in Microsoft SharePoint has been exploited by hackers to breach at least 400 organizations worldwide. The bug, now tracked as CVE-2025-53770, allows attackers to execute malicious code remotely, granting them access to sensitive files and internal systems.

🔍 Discovered by Eye Security
Dutch cybersecurity firm Eye Security first discovered the vulnerability last week. Upon scanning the internet, they found hundreds of vulnerable SharePoint servers, a sharp increase from the initial handful reported earlier in the week.
Eye Security’s analysis suggests that attacks began as early as July 7, targeting companies and government agencies that use self-hosted SharePoint servers.
🏛️ U.S. Government Agencies Among Those Breached
One of the most high-profile victims is the National Nuclear Security Administration (NNSA), the U.S. federal agency responsible for managing nuclear weapons. The Department of Energy confirmed the breach, stating that only a “very small number of systems” were affected.
Multiple other U.S. government departments were also compromised, although details remain limited due to national security concerns.
🔐 CVE-2025-53770: What You Need to Know
- Name: CVE-2025-53770
- Type: Zero-Day Remote Code Execution (RCE)
- Affected Software: Microsoft SharePoint (Self-hosted versions)
- Impact: Full remote access to SharePoint files and potential access to internal networks
- Mitigation: Microsoft has released security patches for:
  - SharePoint Subscription Edition
  - SharePoint Server 2019
✅ SharePoint Online (Microsoft 365) is not affected.
🌐 Attribution and State-Sponsored Concerns
Both Google and Microsoft have attributed the ongoing attacks to China-backed threat actors. Though the Chinese government has denied involvement, cybersecurity experts caution that more hacker groups may exploit the vulnerability now that it’s public.
This mirrors previous patterns where nation-state actors rapidly moved to weaponize exposed software flaws in government infrastructure and large enterprises.
⚠️ Why This Matters
This breach follows a series of high-profile cyberattacks targeting Microsoft platforms. Most notably, a 2023 report by the U.S. Cyber Safety Review Board criticized Microsoft for a “cascade of security failures”, including negligence that allowed Chinese hackers to breach U.S. government email accounts.
Adding fuel to the fire, a recent ProPublica investigation revealed that Chinese engineers had access to sensitive Defense Department systems through Microsoft projects, often with minimal oversight from U.S. personnel with proper security clearance.
🛡️ Microsoft’s Response and Path Forward
Microsoft has acknowledged its security shortcomings in past congressional hearings. Company President Brad Smith admitted that the company “must do better” in protecting customers and government infrastructure from foreign cyber threats.
The company urges all affected organizations to:
- Immediately install available patches
- Disable internet exposure of on-premises SharePoint servers
- Monitor systems for unusual behavior or unauthorized access
The FBI also confirmed it’s working closely with federal and private sector partners to respond to the breach.
🧩 Final Thoughts
The CVE-2025-53770 SharePoint vulnerability highlights the persistent and evolving threats to critical IT infrastructure — especially as zero-day attacks become more frequent and more sophisticated.
Organizations running on-prem SharePoint instances should act quickly to patch vulnerable systems and reassess their cybersecurity posture, especially in the wake of nation-state cyber threats.
