Agencies had to scramble over the weekend and into Monday to address a critical “zero day” cybersecurity vulnerability in Microsoft’s widely used SharePoint software.

The Cybersecurity and Infrastructure Security Agency added the SharePoint vulnerability to its known exploited vulnerabilities catalog on Sunday, giving agencies until the end of the day on Monday to apply recommended mitigations.

The cyber agency confirmed there has been “active exploitation” of the SharePoint vulnerability in its alert.

CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said the scope and impact of the remote code execution vulnerability “continue to be assessed,” but that the exploit poses a risk to all organizations running on-premises versions of Microsoft SharePoint.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,” Butera said in a statement. “Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action.”

The Washington Post reported that at least two federal agencies have had their SharePoint servers breached. The news outlet did not identify the agencies.

CISA did not confirm whether any federal civilian agencies have been affected by the vulnerability.

Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks, said his organization is seeing attempts to exploit “thousands of SharePoint servers globally and dozens of compromised organizations spanning both commercial and government sectors.”

“Unit 42’s telemetry confirms that government entities globally have been impacted,” Sikorski said in a statement shared with Federal News Network.

Eye Security, a European cybersecurity company, was the first to flag the widespread exploitation of the SharePoint vulnerability this past Friday. The company said it scanned more than 8,000 SharePoint servers worldwide and discovered “dozens of systems actively compromised during four confirmed waves of attack.”

Microsoft issued guidance about the SharePoint vulnerability on Saturday. The company said it was aware of “active attacks” targeting on-premises SharePoint servers. The cloud-based version, SharePoint Online in Microsoft 365, has not been impacted.

The flaw is a previously unknown “zero day” vulnerability, meaning it was being exploited before a fix existed. Microsoft said it’s working on a patch to address the issue.

In the absence of a security update, the company recommended that organizations with on-premises SharePoint servers activate and configure the Antimalware Scan Interface (AMSI) integration, and deploy Microsoft Defender or another endpoint detection and response capability.

If organizations cannot take those actions, Microsoft is recommending they disconnect any impacted SharePoint servers from the internet until a patch is available.

“This isn’t an ‘apply the patch and you’re done’ situation,” Charles Carmakal, senior vice president of Mandiant, wrote on LinkedIn. “Organizations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions.”

Threat intelligence analysts have also seen hackers using the SharePoint vulnerability to steal cryptographic keys from victim servers.

Sikorski said the vulnerability represents a “high-severity, high-urgency threat,” especially given SharePoint’s integration into other Microsoft services.

“We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response,” Sikorski said. “An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available. A false sense of security could result in prolonged exposure and widespread compromise.”

Copyright © 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.