A major cyberattack has put over 100 organizations at risk.
Microsoft warned that hackers are currently targeting self-hosted SharePoint servers. These servers are commonly used by companies to share files and work together. The attacks do not affect SharePoint systems that are hosted directly by Microsoft.
Microsoft has confirmed that its systems were part of the breach. But what really happened?
Here’s a simplified version of the update from Microsoft about the recent SharePoint vulnerabilities:
What You Need to Know

On July 19, 2025, Microsoft shared a warning about ongoing cyberattacks targeting companies that use self-hosted SharePoint servers. These attacks happened because of two security flaws:
- CVE-2025-49706: a spoofing issue
- CVE-2025-49704: a remote code execution issue
However, these flaws do not affect SharePoint Online, which is a part of Microsoft 365.
Security Updates To Fix The Problem
To fix these problems, Microsoft has released security updates for all supported versions of SharePoint Server, including:
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Server 2016
If you are using one of these versions, it is very important to install the updates immediately to stay protected.
Who’s Behind the Attacks?

Microsoft has identified three Chinese state-sponsored hacking groups that are involved in exploiting these flaws:
- Linen Typhoon
- Violet Typhoon
- Storm-2603
They are mainly targeting internet-facing SharePoint servers that have not been updated yet.
What Experts Have To Say About This Breach

The attack that happened on self-hosted SharePoint servers is being called a “zero-day” because it takes advantage of a digital flaw that was not known before.
Hackers can use this weakness to break into vulnerable servers and possibly install a backdoor, which lets them stay connected to the system secretly.
Vaisha Bernard, the top hacker at Eye Security (a cybersecurity company in the Netherlands), said they found this hacking activity while helping one of their clients on Friday. A scan done with help from the Shadowserver Foundation found about 100 affected victims, and this was before the hacking method became widely known.
“It’s unambiguous,” Bernard said. “Who knows what other adversaries have done since to place other backdoors.”
He did not name the affected organizations but said the proper authorities in each country had been informed.
Confirmation Of Victims
The Shadowserver Foundation also confirmed that around 100 victims were found.
Most of them are in the United States and Germany, and some of them are government agencies.
Some Recommendations From Microsoft

Microsoft has published the following recommendations for staying protected:
- Apply the latest security updates to your SharePoint servers.
- Use supported versions of SharePoint only.
- Turn on AMSI (Antimalware Scan Interface) in Full Mode and use Microsoft Defender Antivirus (or another security tool).
- Change your SharePoint ASP.NET machine keys.
- Restart IIS (Internet Information Services) on your server.
- Install Microsoft Defender for Endpoint or a similar advanced security solution.
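The machine-key rotation and IIS restart steps from the list above, as an added example (not code from this article or from Microsoft's post). It assumes an elevated SharePoint Management Shell run by a farm administrator, and uses the SharePoint Server cmdlets Set-SPMachineKey and Update-SPMachineKey, which are not named on this page. The IIS restart at the end has to be repeated on every SharePoint server in the farm.

```powershell
# Added example. Run in the SharePoint Management Shell, elevated, as a farm administrator.
$failed = @()

foreach ($webApp in Get-SPWebApplication) {
    try {
        # Generate a new ASP.NET machine key for this web application.
        Set-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        # Deploy the newly generated key.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        Write-Host "Machine key rotated for $($webApp.Url)"
    }
    catch {
        $failed += $webApp.Url
        Write-Warning "Rotation failed for $($webApp.Url): $($_.Exception.Message)"
    }
}

if ($failed.Count -gt 0) {
    # Stop here so a partly rotated farm is noticed before IIS is restarted.
    throw "Machine key rotation failed for: $($failed -join ', ')"
}

# Restart IIS so the worker processes load the new keys.
iisreset.exe
if ($LASTEXITCODE -ne 0) { throw "iisreset.exe exited with code $LASTEXITCODE" }
```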
Conclusion
This cyberattack on Microsoft tells us that even the most trusted systems can become targets. It has impacted over 100 organizations, including government agencies. No doubt Microsoft's team is trying its best to fix it, but it is not simply about fixing what’s broken. You always have to stay a step ahead.
If you are using self-hosted SharePoint servers, you have to act fast: install updates, follow Microsoft’s security steps, and do it without wasting much time.
FAQs
Which is the biggest cyber attack in the world?
The most notorious cyberattacks in history include the Morris Worm (1988) by Robert Tappan Morris, MafiaBoy (2000), and the Google China attack (2009).
Where do 90% of all cyber attacks come from?
More than 90% of successful cyber-attacks start with a phishing email. A phishing scheme is when a link or webpage looks legitimate, but it’s a trick designed by bad actors.
What are the common forms of attack on Microsoft systems?
Phishing and ransomware are two common attacks on Microsoft systems.