The Microsoft SharePoint document management service has become the main cybersecurity concern of the summer. Although Microsoft released emergency patches this week for the critical vulnerabilities involved and has published further mitigations, the alert remains active because of the risk to multinationals and government bodies: several large-scale campaigns of active attacks have compromised Microsoft SharePoint servers worldwide and, from there, the corporate networks behind them.
What happened to Microsoft SharePoint
The case dates back to last May, when at the Pwn2Own hacking contest in Berlin a group of researchers disclosed two critical vulnerabilities in SharePoint and presented a proof of concept, which they named 'ToolShell', demonstrating that they could be exploited. Microsoft was informed of these zero-day flaws, acknowledged them, rated them critical and in early July released a series of security patches that turned out to be insufficient.
Last weekend a large-scale cyberattack campaign was reported that had compromised an undetermined number of Microsoft SharePoint servers using a ToolShell-based exploit chain that bypassed the published security patches. The vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, are critical because they allow remote code execution, impersonation of identities, lateral movement within the victims' networks and persistent access.
The number of affected servers has been growing day by day, and potentially more than 9,000 Internet-facing servers running Microsoft's flagship collaboration and document management service could have been compromised. These servers sit in the networks of large multinationals and critical infrastructure companies, from auditors to banks, telcos, healthcare companies and large industrial firms, as well as government agencies.
As an example, and although there is no indication that sensitive or classified information has been compromised, the United States National Nuclear Security Administration, responsible for maintaining and designing the country's nuclear weapons arsenal, is among the breached agencies, according to Bloomberg.
Reuters reports that Microsoft knew about SharePoint's security flaw but did not fix it effectively. That is the main conclusion of security experts, including those at Trend Micro, sponsor of the Pwn2Own hacking event where the vulnerabilities were disclosed. Participating vendors were responsible for fixing and disclosing security flaws "effectively and in a timely manner", they explain. "Patches occasionally fail, and this has happened with SharePoint in the past", they add.
Microsoft points the finger at China
Microsoft has blamed several hacker groups linked to the Chinese government for the attacks. The Redmond firm says two Chinese state actors, Linen Typhoon and Violet Typhoon, have driven the campaign, and it has also identified a third group, Storm-2603, exploiting these vulnerabilities. The investigation into the groups using these exploits is still ongoing.
Google Cloud has confirmed that at least one of the groups involved in the exploitation has links to China, although it has not been possible to determine whether they were the initial actors. It should be noted that the exploit chain was published on GitHub shortly after Microsoft released the patches, so it may well be in the hands of many cybercriminal groups.
The Chinese Embassy in the US responded to the accusations and flatly denied any involvement, describing them as unfounded. In a statement it stressed its opposition to such cyber crimes and said: "China firmly opposes all forms of cyber attacks and cyber crimes. At the same time, we also firmly oppose smearing others without solid evidence."
Solutions for SharePoint
Microsoft has released emergency security patches this week that promise to fix the vulnerabilities discussed. Note that they are for the on-premises SharePoint Server product, since the online version of the service included in the Microsoft 365 suite is not affected.
For SharePoint servers that do not yet have a patch available or cannot apply it immediately, Microsoft recommends additional mitigations, while insisting that customers must install the latest SharePoint security updates, enable AMSI integration in SharePoint and deploy Defender Antivirus on all servers. It also recommends rotating the servers' ASP.NET machine keys and restarting the instances, because a key extracted before patching would otherwise remain valid.
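The post-patch steps above (and the same steps repeated in the closing paragraph) as a single PowerShell run on an on-premises SharePoint Server farm. This is an added example, not code from the article or from Microsoft's guidance; it assumes an elevated SharePoint Management Shell on a farm server with farm-administrator rights and a farm that has already received the security update, and it relies on the cmdlets Microsoft documents for SharePoint Server (`Get-SPFarm`, `Get-SPWebApplication`, `Update-SPMachineKey`) and for Defender (`Get-MpComputerStatus`); verify them against your server's version before use. No fixed build number is hard-coded, since that must come from Microsoft's advisory.

```powershell
# Added example (not from the original article or from Microsoft):
# post-patch hygiene for an on-premises SharePoint Server farm.
# Assumptions: elevated SharePoint Management Shell, farm-admin rights,
# July 2025 security update already installed on every farm server.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so it can be compared with the fixed build
#    listed in Microsoft's advisory (deliberately not hard-coded here).
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# 2. Confirm Defender Antivirus is actually running on this server,
#    which is one of the mitigations Microsoft lists alongside AMSI.
$mp = Get-MpComputerStatus
if (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning "Defender AV or real-time protection is disabled on $env:COMPUTERNAME"
}

# 3. Rotate the ASP.NET machine keys of every web application,
#    including Central Administration. Keys stolen before patching are
#    what let an attacker keep forging valid requests afterwards.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine keys for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# 4. Restart IIS so worker processes pick up the new keys.
#    Repeat this restart on every SharePoint server in the farm.
iisreset.exe
```

Run it once per farm for the key rotation, then restart IIS on each remaining server. Because the script only warns rather than enabling Defender itself, an administrator still has to act on the warning; enabling AMSI integration is done from Central Administration and is not covered here.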
CISA, the US Cybersecurity and Infrastructure Security Agency, has underlined the seriousness of the situation by issuing an alert, adding the Microsoft SharePoint vulnerabilities to its Known Exploited Vulnerabilities catalog and ordering Federal Civilian Executive Branch (FCEB) agencies to patch the identified vulnerabilities before July 23, 2025.
Maximum alert
The situation remains critical even with the security patches. Especially worrying is that the vulnerabilities allow attackers to impersonate users or services even after the patches have been installed on SharePoint servers: an attacker who extracted a server's machine keys before it was patched can keep access until those keys are rotated, long after the organization believes it is safe.
Nor do the other proposed measures settle the matter. The security firm watchTowr Labs has internally devised a method of exploiting CVE-2025-53770 that bypasses the Antimalware Scan Interface (AMSI), a mitigation Microsoft highlighted to prevent unauthenticated attacks: "AMSI was never the miraculous solution, and this result was inevitable. However, we are concerned to learn that some organizations are opting to 'enable AMSI' instead of applying patches. It is a lousy idea."
Data from Censys shows 9,762 on-premises SharePoint servers exposed online, although it is currently unknown whether all of them are susceptible to the vulnerabilities. Since these servers are a lucrative target for cybercriminals because of the confidential organizational data they hold, it is essential that users act quickly to apply the security updates, rotate the machine keys and restart the instances. Even with all of this, the alert remains active and critical.