
SharePoint Servers Compromised by Hackers, Microsoft Prepares Security Update

Microsoft and CISA warn of an ongoing hacking campaign exploiting critical on‑premises SharePoint vulnerabilities, with over 10,000 organizations at risk. Emergency patches are now available; apply them immediately to prevent remote code execution and data theft.

Microsoft on Sunday warned of an active and potentially widespread hacking campaign targeting customers running on‑premises SharePoint servers, as the US Cybersecurity and Infrastructure Security Agency (CISA) flagged critical vulnerabilities that allow attackers to access the file system and execute code remotely.

The vulnerabilities, first identified by Eye Security researchers and later corroborated by demonstrations at the Pwn2Own hacking contest, have prompted Microsoft to release an emergency patch alongside promises of further fixes to secure its document management platform.

Businesses at Risk

Security experts estimate that more than 10 000 organisations worldwide could be exposed to these SharePoint exploits. Silas Cutler of Michigan‑based Censys noted that the United States hosts the largest number of vulnerable on‑premises SharePoint deployments, followed by the Netherlands, the United Kingdom and Canada. “It’s a dream for ransomware operators,” he warned, adding that many threat actors are likely to intensify their efforts over the weekend.

Cybersecurity firms have been quick to sound the alarm. Palo Alto Networks described the attacks as “real, in‑the‑wild and pose a serious threat,” while Google’s Threat Intelligence Group confirmed it had observed exploit attempts allowing “persistent, unauthenticated access,” which could enable hackers to steal encryption keys or implant backdoors that survive system reboots and patches.

Gene Yu, CEO of Singapore’s Blackpanda, emphasised the stakes: “When they’re able to compromise the fortress that is SharePoint, everybody is at their whim.”

Reports from The Washington Post suggest that US federal and state agencies, universities, energy firms and an Asian telecom operator have already seen intrusions.

In response, Microsoft has urged customers to apply its newly issued patch immediately and is convening weekly security reviews with senior executives, a move underscoring the company’s intensified focus on hardening its software after a series of high‑profile breaches.

In March, Microsoft disclosed that Chinese state‑sponsored hackers were exploiting remote management tools and cloud applications to spy on American organisations, and a 2024 White House Cyber Safety Review Board report lambasted the company’s security culture as “inadequate” following breaches of Exchange Online mailboxes.

Eye Security’s analysis revealed that the vulnerability can be weaponised not only to access user files but also to exfiltrate service credentials, allowing attackers to impersonate users or services even after the server is ostensibly secured.

The exploit surfaced when researchers noticed suspicious activity mirroring exploits demonstrated by Germany’s Code White team at Pwn2Own earlier this year.

Microsoft declined further comment beyond its public advisory, but its rapid patch deployment, and the ongoing development of additional security updates, reflects the urgent need to protect the vast ecosystem of SharePoint users.

As the patch rollout continues, organisations are advised to audit their on‑premises deployments, apply fixes without delay, and monitor for unusual file‑system or network activity to guard against further compromise.
