Summary:
- Hackers are exploiting a previously unknown vulnerability in Microsoft SharePoint servers used by businesses and government agencies.
- The FBI and Microsoft are collaborating with cybersecurity agencies to address the “zero-day” threat.
- Microsoft urges organizations to apply security updates immediately or disconnect vulnerable servers from the internet.
Zero-Day Flaw Exposes Tens of Thousands of Servers
Microsoft has issued an urgent alert warning of “active attacks” targeting its SharePoint server software used by businesses and government agencies for internal document sharing, prompting immediate defensive measures across sectors.
The attacks exploit a “zero-day” vulnerability—meaning a flaw unknown to the software maker before exploitation—placing tens of thousands of on-premises SharePoint servers at risk globally.
While Microsoft’s cloud-based SharePoint Online service in Microsoft 365 is unaffected, the threat extends to government agencies, universities, healthcare systems, and corporations relying on local servers for collaboration.
In its alert, Microsoft stated the flaw allows “an authorized attacker to perform spoofing over a network,” enabling hackers to disguise themselves as trusted users or systems to gain deeper network access. Once inside, attackers can exfiltrate sensitive data, deploy persistent backdoors, and steal cryptographic keys, according to cybersecurity experts.
Michael Sikorski, CTO and Head of Threat Intelligence at Palo Alto Networks, emphasized the seriousness of the breach, noting attackers are bypassing identity protections such as multi-factor authentication and single sign-on to gain privileged access. “A compromise doesn’t stay contained—it opens the door to the entire network,” Sikorski warned.
Immediate Action Urged as FBI Joins Response
The FBI confirmed it is aware of the attacks and is working closely with federal and private-sector partners to address the threat, though it provided no additional details. The US Cybersecurity and Infrastructure Security Agency also acknowledged the vulnerability, warning that it allows hackers to access file systems and internal configurations and to execute code remotely.
Cybersecurity analysts cautioned that attackers could use the flaw to infiltrate a wide range of organizations, with Silas Cutler of Censys describing the vulnerability as “a dream for ransomware operators.”
Cutler noted that more than 10,000 companies globally, including many in the US, UK, the Netherlands, and Canada, could be affected. In response, Microsoft has released a critical security patch for affected SharePoint servers and advised customers to apply it immediately.
If organizations are unable to deploy the recommended protections, Microsoft advises disconnecting vulnerable servers from the internet, to prevent exploitation, until patches can be applied.
The Washington Post, which first reported the attacks, indicated that US federal and state agencies, energy companies, universities, and at least one Asian telecommunications firm have been targeted in recent days.
This incident follows a series of high-profile cybersecurity challenges for Microsoft. In March, the company reported Chinese hackers were targeting cloud applications and remote management tools for espionage. Last year, the White House’s Cyber Safety Review Board criticized Microsoft’s security practices as “inadequate” after a breach compromised the email accounts of government officials.
As the investigation unfolds, Microsoft’s latest breach underscores the persistent vulnerabilities in critical infrastructure and highlights the importance of proactive cybersecurity measures. Organizations using on-premises SharePoint servers are urged to prioritize immediate updates to protect against potential data breaches and operational disruptions amid rising global cyber threats.