“Urgent and radical”, Microsoft SharePoint has been hacked: governments and more than 50 companies are affected … and it’s not over

In mid-July 2025, malicious actors exploited critical security vulnerabilities in Microsoft SharePoint. The targeted attacks, which concern the so-called “on-premises” versions installed locally at the customer's site, allow an attacker to execute code remotely. Microsoft has already identified at least 85 compromised servers and 54 victims.

In the world of cybersecurity, we speak of a “zero-day” attack when it occurs before the victim is aware of the vulnerability and before a fix is available.

So when the victim is called Microsoft SharePoint, a tool used by more than 50,000 companies in more than 124 countries, it causes quite a stir.

Alerted as early as July 18 by a report from the Dutch cybersecurity firm Eye Security, Microsoft's teams have already issued partial emergency fixes.

Bearing the sweet names CVE-2025-53770 and CVE-2025-53771, these flaws are said to have enabled cybercriminals to compromise many strategic networks. Among the targets discovered: American universities, energy operators, federal health institutions, AI and fintech companies, as well as major government entities in North America and Europe.

Charles Carmakal, CTO of the cybersecurity giant Mandiant Consulting, describes Microsoft's report as “urgent and radical”.

CVE-2025-53770, CVE-2025-53771: what are they, concretely?

The two vulnerabilities at the heart of this case affect several versions of SharePoint Server (2016, 2019 and Subscription Edition) when installed on-premises.

Unlike SharePoint Online, which is integrated into Microsoft 365 and hosted in the cloud, these servers depend on administrators managing updates locally and are therefore exposed to additional risks.

The first flaw allows the attacker to trick the server into bypassing its protections and to take total control of it, without needing a password. Thanks to this vulnerability, the attacker can, via the Internet, send booby-trapped data that lets them execute all kinds of malicious commands.

The second flaw affects file access and can allow the attacker to submit dangerous files or to enter areas of the server that are normally off-limits.

Concretely, how does it work? The attack generally starts with a booby-trapped file, “Spinstall0.aspx”, being sent to the server without triggering the usual security checks. The file's objective: stealing the server's cryptographic keys (such as ValidationKey and DecryptionKey), which are used to secure all exchanges and access to data.

Once in possession of these keys, the attacker can forge access that appears legitimate: they pose as an authorized user and have free rein to spy, steal or modify documents, or sabotage the operation of the server, often without being detected.
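As an added example (not from the original article or from Microsoft), the Python code below scans IIS W3C logs for requests to the “Spinstall0.aspx” file named above and separates requests that were actually served (HTTP 200) from mere probes. The log lines, IP addresses and URL paths are constructed samples, and the function names are hypothetical; the field names are the standard IIS W3C ones.

```python
import re
from collections import defaultdict

# File name as given in the article; matched case-insensitively on the last path segment.
SUSPECT = re.compile(r"(^|/)spinstall0\.aspx$", re.IGNORECASE)

# Constructed sample in IIS W3C format (placeholder paths, documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-18 09:12:01 198.51.100.7 GET /constructed/path/default.aspx 200
2025-07-18 09:14:33 203.0.113.45 POST /constructed/path/spinstall0.aspx 200
2025-07-18 09:14:40 203.0.113.45 GET /constructed/path/SpInstall0.ASPX 200
2025-07-18 09:20:10 192.0.2.99 GET /constructed/path/spinstall0.aspx 404
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-07-19 02:03:04 GET /constructed/path/start.aspx 198.51.100.7 200
2025-07-19 02:05:00 GET /constructed/path/spinstall0.aspx 203.0.113.45 200
"""

def find_hits(lines):
    """Return {client_ip: [(timestamp, uri, status), ...]} for requests to the suspect file."""
    fields, hits = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record
        row = dict(zip(fields, parts))
        if SUSPECT.search(row.get("cs-uri-stem", "")):
            stamp = f"{row.get('date', '')} {row.get('time', '')}"
            hits[row.get("c-ip", "?")].append((stamp, row["cs-uri-stem"], row.get("sc-status", "")))
    return dict(hits)

def served(hits):
    """Client IPs that got a 200: the file existed on the server when they asked for it."""
    return sorted(ip for ip, reqs in hits.items() if any(s == "200" for _, _, s in reqs))

if __name__ == "__main__":
    for ip, reqs in find_hits(SAMPLE_LOG.splitlines()).items():
        print(ip, reqs)
```

A server on which any such request returned 200 should be treated as having had the file present at that time, which is the situation in which the article says the keys should be changed after patching.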

How to protect yourself if you think you are affected?

Faced with the rapid spread of the attacks, Microsoft has issued emergency instructions: mandatory activation of the Antimalware Scan Interface (AMSI) on SharePoint servers, and a recommendation to change the server's cryptographic keys after installing the updates.

Two security patches are already available:

In the United States, CISA, the American cybersecurity agency, has added CVE-2025-53770 and CVE-2025-53771 to its official catalog of exploited vulnerabilities and imposed a maximum remediation window of 24 hours on all the federal agencies concerned.

In France, CERT-FR, which operates under ANSSI, calls for Microsoft's instructions to be followed carefully and asks that any server exposed to the Internet that has not received a fix be isolated immediately.
