Microsoft Server Hack Hits Nearly 100 Organizations Globally, Experts Warn

A sophisticated cyber-espionage campaign exploiting a zero-day vulnerability in Microsoft SharePoint servers has compromised nearly 100 organizations across multiple countries, cybersecurity researchers revealed this week.

Microsoft issued an urgent security alert on Saturday, warning of “active attacks” targeting self-hosted SharePoint servers, widely used enterprise tools for document sharing and collaboration. Cloud-based SharePoint instances hosted by Microsoft were reportedly not affected.

The attack, which leverages a previously unknown flaw, enables attackers to infiltrate vulnerable servers and potentially install backdoors, granting long-term access to targeted networks. The scale of the attack emerged after cybersecurity firm Eye Security, based in the Netherlands, uncovered the campaign while investigating suspicious activity on a client’s system. A subsequent internet scan conducted with the Shadowserver Foundation revealed nearly 100 affected organizations, and that number may rise as the exploit becomes more widely known.

“It’s unambiguous,” said Vaisha Bernard, Eye Security’s chief hacker. “Who knows what other adversaries have done since to place other backdoors.” Bernard declined to name the affected entities but confirmed national authorities had been informed.

The Shadowserver Foundation confirmed the figure, noting that most of the victims are based in the United States and Germany, and include government agencies, financial institutions, healthcare companies, and industrial firms.

Rafe Pilling, director of threat intelligence at British cybersecurity firm Sophos, said the attack currently appears to be the work of a single threat actor or a coordinated group, but warned the situation could evolve rapidly.

While the exact identity of the hackers remains unclear, Google’s security team has linked at least part of the operation to a “China-nexus threat actor.” The Chinese Embassy in Washington has not commented, but Beijing routinely denies involvement in hacking operations.

In response, Microsoft stated it has released a security patch and urged all organizations using self-hosted SharePoint servers to update immediately. However, cybersecurity experts caution that patching alone may not be sufficient.

“Taking an assumed breach approach is wise,” said Daniel Card of UK-based PwnDefend. “Organizations need to investigate for signs of compromise even after applying the patch.”

The FBI confirmed awareness of the attacks and said it is working closely with domestic and international partners. Meanwhile, the UK’s National Cyber Security Centre acknowledged a “limited number” of targeted systems in the country.

According to internet-facing server data from Shodan and Shadowserver, between 8,000 and 9,000 SharePoint servers worldwide remain potentially vulnerable to compromise, underscoring the urgency of swift mitigation.

The incident adds to growing concerns about systemic vulnerabilities in critical digital infrastructure and the rising frequency of state-linked cyber operations targeting both public and private sectors globally.

Written By Rodney Mbua