
Eye Security Identifies Worldwide Exploitation Of Critical Microsoft SharePoint Vulnerability
Last Friday, Eye Security’s research team, Eye Research, was the first to identify a critical zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771), just as attackers began exploiting it at scale. Their findings have since been acknowledged globally, with organizations across sectors relying on Eye Security’s early warnings and support to recover within hours.
The flaw allows attackers to take full control of vulnerable servers, giving them unrestricted access to sensitive business data, the ability to steal cryptographic material, install backdoors and move laterally through corporate networks. In many cases, this could result in data theft, ransomware attacks and prolonged breaches that remain undetected even after updates.
Mass Exploitation Uncovered by Eye Research
On the evening of July 18, Eye Research detected unusual activity on a customer’s on-premises SharePoint server. A malicious file had been uploaded, enabling exfiltration of cryptographic keys. These keys can be abused to bypass authentication and maintain persistent access to SharePoint environments, even after standard patching. During triage, Eye Security learned it had stumbled upon a SharePoint 0-day being used in the wild.
Following the discovery, Eye Research scanned over 8,000 publicly accessible SharePoint servers worldwide. The team identified dozens of compromised systems, confirming that attackers are conducting a coordinated mass exploitation campaign. Eye Security has since issued responsible disclosures to affected organizations and national CERTs, while working closely with partners in the global cybersecurity community to help mitigate the threat.
“This is not a theoretical risk. Attackers are already leveraging this vulnerability to deploy backdoors and steal sensitive data from SharePoint servers,” Eye Security said. “The potential consequences extend beyond SharePoint, as these servers often connect to core business systems such as email and file storage.”
Microsoft Confirms Active Exploitation
Microsoft has acknowledged the severity of the issue, naming it a critical 0-day with the identifier CVE-2025-53770. The company has published interim guidance to help organizations secure their environments.
Eye Security urges organizations running on-premises SharePoint to act without delay. Immediate assessment for compromise, isolation of affected servers and rotation of potentially exposed cryptographic keys are critical to containing the threat. Organizations are advised to engage experienced incident response teams to investigate and remediate breaches.
Rapid Response for Eye Security Customers
For Eye Security customers, the attack was stopped before it could cause damage. Our 24/7 SOC acted immediately, isolating affected systems and mitigating the issue. Follow-up investigations confirmed no further intrusions, keeping customer environments secure.