Microsoft SharePoint vulnerability puts critical servers at risk

A newly discovered zero-day exploit targeting Microsoft SharePoint servers is being actively used by hackers, putting thousands of on-premises systems at immediate risk. The vulnerability allows attackers to steal credentials and gain unauthorized access, even after a server has been rebooted or patched. While Microsoft has issued urgent security alerts and patches for certain versions, the scale of this exploit has raised serious concerns across both the public and private sectors. This blog explains what the Microsoft SharePoint vulnerability is, who is affected, and how to protect your systems.

How the Microsoft SharePoint vulnerability was discovered

The flaw was first detected by cybersecurity researchers at Eye Security on July 18, 2025. It impacts specific on-premises versions of SharePoint and lets attackers impersonate users or services, even post-reboot. Researchers believe this exploit evolved from two separate bugs initially showcased during May’s Pwn2Own hacking contest. Once inside, hackers can harvest sensitive data, steal passwords, and move laterally across a network—especially concerning since SharePoint often links directly to tools like Teams, Outlook, and OneDrive.

Scope and severity of the Microsoft SharePoint vulnerability

This isn’t just a hypothetical threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that government agencies, universities, and even critical infrastructure—like energy companies—have already been attacked. Reports also indicate an Asian telecom company has been compromised. While Microsoft has released patches for SharePoint 2019 and the Subscription Edition, SharePoint 2016 remains vulnerable, pending an official fix. Until then, experts recommend disconnecting affected servers from the internet to prevent further breaches.

How to respond to the Microsoft SharePoint vulnerability

If you manage on-premises SharePoint servers, immediate action is crucial. Apply all available Microsoft security patches, conduct forensic scans to detect suspicious activity, and disconnect exposed servers from public networks where possible. While cloud-based SharePoint environments remain safe, hybrid environments should still be reviewed for any indirect risks. The best defense right now is a combination of prompt patching, strong monitoring, and reducing your attack surface until Microsoft issues a universal fix.