A widespread cyber-espionage campaign that exploited Microsoft SharePoint servers has reportedly hit nearly 400 organisations, says a Reuters report. The figure, shared by researchers at Dutch firm Eye Security , is based on digital traces found on exposed servers. This marks a sharp increase from roughly 100 victims identified last week and researchers believe the true damage is likely much greater.
Zero-day vulnerability in Microsoft SharePoint servers
The campaign takes advantage of a serious, unpatched vulnerability in on-premise SharePoint (CVE‑2025‑53770 and CVE‑2025‑53771). It allows attackers to take full control of servers, steal cryptographic keys, install hidden backdoors, and maintain access even after patching.
The campaign has struck various sectors, including government, healthcare, finance, education, and manufacturing. Hundreds of servers globally remain exposed—Eye Security’s scan covered over 8,000 internet-connected SharePoint servers.
On July 18, researchers at Eye Security first noticed the exploit in action. Within hours, scans of Germany, US, and global servers revealed dozens of compromised systems using the same malicious payload. Their initial findings estimated around 100 victim organizations, but follow-up scans expanded the count to nearly 400.
The Reuters report quotes Vaisha Bernard, chief hacker at Eye Security who said “Not all attack methods leave traces that we can detect.” “There are many more [victims]… so the actual number is almost certainly higher,” he added.
Microsoft issues urgent patch for the vulnerability
Microsoft confirmed the flaw and released emergency guidance over the weekend, advising affected users to apply patches immediately.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the vulnerability to its Known Exploited Vulnerabilities list, mandating remediation by federal agencies by July 21.
Having said that, not all SharePoint editions are currently patched, heightening the risk for organizations still running legacy versions. Experts recommend isolating or disconnecting vulnerable servers from the internet until full fixes are applied.
Zero-day vulnerability in Microsoft SharePoint servers
The campaign takes advantage of a serious, unpatched vulnerability in on-premise SharePoint (CVE‑2025‑53770 and CVE‑2025‑53771). It allows attackers to take full control of servers, steal cryptographic keys, install hidden backdoors, and maintain access even after patching.
The campaign has struck various sectors, including government, healthcare, finance, education, and manufacturing. Hundreds of servers globally remain exposed—Eye Security’s scan covered over 8,000 internet-connected SharePoint servers.
On July 18, researchers at Eye Security first noticed the exploit in action. Within hours, scans of Germany, US, and global servers revealed dozens of compromised systems using the same malicious payload. Their initial findings estimated around 100 victim organizations, but follow-up scans expanded the count to nearly 400.
The Reuters report quotes Vaisha Bernard, chief hacker at Eye Security who said “Not all attack methods leave traces that we can detect.” “There are many more [victims]… so the actual number is almost certainly higher,” he added.
Microsoft issues urgent patch for the vulnerability
Microsoft confirmed the flaw and released emergency guidance over the weekend, advising affected users to apply patches immediately.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the vulnerability to its Known Exploited Vulnerabilities list, mandating remediation by federal agencies by July 21.
Having said that, not all SharePoint editions are currently patched, heightening the risk for organizations still running legacy versions. Experts recommend isolating or disconnecting vulnerable servers from the internet until full fixes are applied.
You may also like
Trump vs AP: Court lets US president block Associated Press from key spaces; 'Gulf of America' order dispute widens
Process for election of next VP already in motion, says EC
Man, 22, rushed to hospital after horror fall at Canary Island beach
Govt begins search for Dhankhar's retirement home
'Wrong but right' cooking bacon method doesn't involve an oven, grill or pan
