Microsoft warns of 'active attacks' on its government and business server tech, with one cybersecurity expert claiming that they should 'assume that you have been compromised'
I can't remember ever liking the sound of the phrase "active attacks", least of all when it's concerning software used by governments. Something about it just rings stomach-droppingly scary, but that might just be me. So, kindly share some mild terror with me as I pass on the message that was generously passed on to me by Reuters: Over the weekend, Microsoft warned of "active attacks targeting on-premises SharePoint Server customers."
According to Reuters, the FBI is aware of the attacks and is "working closely with its federal and private-sector partners." Microsoft is also reportedly working with CISA, DoD Cyber Defense Command, and "key cybersecurity partners." That such a range of bigwigs are on the case is somehow equally comforting and worrying—comforting that they're on it, and worrying that the problem's big enough that they have to be.
SharePoint is a server-based content and document management system, usually used for organisations' internal websites, social media, documentation, and so on. These attacks are exploiting two newly discovered vulnerabilities in SharePoint Server.
While you don't need to be concerned if you use SharePoint Online in Microsoft 365, as Microsoft says this isn't impacted, what's worrying is that on-premises SharePoint servers—which the vulnerabilities in question do apply to—are used by lots of big organisations and also by governments, including in the US.
The two zero-day vulnerabilities (ie, previously unknown vulnerabilities), CVE-2025-53770 and CVE-2025-53771, if exploited, allow an attacker to "execute code over a network" or "perform spoofing over a network", respectively.
CISA (Cybersecurity and Infrastructure Security Agency) explains a little more about the vulnerability: "This exploitation activity, publicly reported as 'ToolShell,' provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network."
Thankfully, Microsoft has already issued an update to fix these vulnerabilities: "Customers using SharePoint Subscription Edition should apply the security update provided in CVE-2025-53771 immediately to mitigate the vulnerability." And if customers are using SharePoint 2016 or 2019, they should upgrade and then apply the update.
That being said, it's difficult to say (or to know) what damage might already have been done. Cybersecurity threat research team Palo Alto Networks Unit 42 reportedly (via The Hacker News) explained in further detail the kinds of things this exploit has allowed:
"Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access … Once inside, they're exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold."
The cybersecurity expert continues: "If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat.
"What makes this especially concerning is SharePoint's deep integration with Microsoft's platform, including their services like Office, Teams, OneDrive and Outlook, which have all the information valuable to an attacker. A compromise doesn't stay contained—it opens the door to the entire network."
Quick though Microsoft's response may have been, we'll have to wait and see what the true impact has been once the dust settles.