



As SharePoint Exploit Emerged, State Cyber Teams Mobilized



State CISOs in North Carolina and Arizona said their teams began work immediately to ensure on-prem SharePoint systems were secure, following the recent disclosure of an active zero-day exploit.


As the third weekend in July dawned, cybersecurity officials in at least two states settled in for a day of being watchful and connecting with colleagues, following word of an active, newly discovered Microsoft SharePoint vulnerability and exploitation.

In North Carolina, leaders in the chief information security officer’s office began scanning its technology environment early Saturday, checking to see if any on-premises SharePoint servers were under its watch and contacting additional state agencies that might be affected by the zero-day exploit, for which Microsoft had already issued guidance.

Microsoft Corp. and the federal Cybersecurity and Infrastructure Security Agency (CISA) had alerted the U.S. security community that a vulnerability, now tracked as CVE-2025-53770, was affecting on-premises SharePoint servers and had been linked to active exploitation campaigns, which allowed attackers to extract cryptographic materials from vulnerable systems.


Meanwhile, a cybersecurity firm in the Netherlands was sounding the alarm. Vaisha Bernard, chief hacker and co-owner of European firm Eye Security, said Tuesday his company had been the first to detect a breach. Its ongoing updates show that as early as 5:51 a.m. Pacific Time Thursday, attackers were observed actively targeting vulnerable SharePoint servers. They attacked by Friday and in multiple waves.

“We identified over 100 organizations that showed definite signs of compromise after the first wave hit. So those are the organizations, where, if we had a direct line to them, we notified the organizations themselves. But if we didn’t, we notified national [security organizations about] compromises in their countries,” Bernard, who is in the Netherlands, said. “There were over 100 in all kinds of sectors. We saw local government, state governments, universities, the energy sector, big consulting firms, also big and small enterprises. … We saw them on almost every continent.” Any organization with a breach, he said, should immediately contact forensic experts.

Both CISA and Microsoft confirmed that CVE-2025-53770 and related vulnerabilities affect only on-premises SharePoint servers. SharePoint Online, part of the Microsoft 365 suite, isn’t impacted. The document management system, first released in 2001, ties to multiple functions such as collaboration and workflow automation. While patches were issued for its 2013 and 2016 versions, earlier versions are not supported, and the company recommends that they be retired.

“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update,” the company wrote in its customer guidance.

Procurement documents from Industry Navigator* show that multiple U.S. public-sector entities, which include a handful of state agencies, a county government, a municipal airport, and a small jurisdiction in Alaska, have sought help this year to migrate from on-premises SharePoint environments to cloud-based platforms. Solicitations posted during this calendar year specifically reference legacy SharePoint 2016 deployments and represent several regions.

“We are unaware of any indicators of compromise in the environment,” North Carolina CISO Bernice Bond said Tuesday, indicating her team responded “as per our normal procedures and protocols. Members of my team … look first to see if we’re impacted by a vulnerability and what that impact means. Do we have the technology platform in our environment that will [require] further steps?”

There are still some instances, she said, in which SharePoint on-prem is in use within her organization, and the agencies using it were contacted and told how to remediate the vulnerability — “upgrades, patches … whatever we need to do to mitigate the risk.” She advised them that anyone with Internet-facing servers needed to be monitoring them regularly.

In Arizona, where the state adopted a “cloud first” policy in 2019, state CISO Ryan Murray said entities there are mostly Google customers, but there are pockets of internal-facing SharePoint servers which don’t connect to the Internet. He is part of the Arizona Department of Homeland Security’s Statewide Information Security and Privacy Office. That office leads strategic planning, facilitation and coordination for cybersecurity across the state.

Murray, too, said his office started Saturday on the work of information sharing, checking on the state’s IT environment, reaching out to other agencies and offices across municipalities and tribal nations. They are, he said, “unaware of any indications of compromises.”

Arizona has a “robust community sharing information” including a Slack space for state and local government and tribal communities, Murray said. Leaders push information out daily, through a variety of formats, conduct road shows and meet with people face to face, so they aren’t strangers when an event or incident needs action.

“This had the potential to be bad nationally, but the cyber defenders stepped up,” Murray said.

*Industry Navigator is a product of e.Republic, parent company of Government Technology.

Rae D. DeShong is a Texas-based staff writer for Government Technology and a former staff writer for Industry Insider — Texas. She has worked at The Dallas Morning News and as a community college administrator.