A global cyberattack exploiting a previously unknown “zero-day” vulnerability in Microsoft SharePoint on-premises servers is believed to be the work of a single actor, according to Reuters’ latest report. Thousands of businesses, government agencies, and other organizations are now vulnerable.
On Saturday, Microsoft issued a critical alert about “active attacks” on software used by government agencies and businesses for sharing documents. The company recommended security updates for customers to apply. The FBI stated that it was aware of the attacks and was actively working with its federal and private-sector partners.
“We’ve been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response,” a Microsoft spokesperson said, adding that the company had issued security updates and urged customers to install them immediately. The company also said that the vulnerabilities apply only to SharePoint servers used within organizations, and that SharePoint Online in Microsoft 365, which is in the cloud, was unaffected.
Cybersecurity firm Sophos reported, verified by Reuters, that attackers used the same payload across all targeted servers, highlighting a coordinated effort likely managed by one actor. There are more than 8,000 susceptible servers around the world, including those belonging to industrial companies, banks, healthcare providers, and both state and international governments.
Microsoft has released security patches and urged customers to apply them immediately. However, experts warn that patching alone isn’t enough; organizations should assume their servers have already been compromised and take comprehensive response measures.
“While the scope and impact continue to be assessed,” CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said in a statement, “the new common vulnerabilities and exposure (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.” The statement also said that CISA was “made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action.”
“Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations,” Butera added.
Cybersecurity firms have warned that a broad section of organizations may be affected by the breach. Numerous businesses and institutions worldwide use SharePoint to store and collaborate on documents. Microsoft said hackers are specifically targeting clients running SharePoint servers from their own on-premise networks, rather than servers hosted and managed by the tech firm. That could limit the impact to a subsection of customers.
These attacks were first reported by the Washington Post, which said that unidentified actors in the past few days had exploited a flaw to launch an attack that targeted U.S. and international agencies and businesses. The newspaper said, quoting experts, that the hack is known as a “zero day” attack because it targeted a previously unknown vulnerability. Microsoft said that a vulnerability allows an authorized attacker to perform spoofing over a network, and issued recommendations to stop the attackers from exploiting it. Spoofing is the act of disguising a communication or identity so that it appears to be associated with a trusted, authorized source.
Microsoft had earlier stated that it is working on updates to 2016 and 2019 versions of SharePoint. If customers cannot enable recommended malware protection, they should disconnect their servers from the internet until a security update is available, it added.

