Microsoft SharePoint hack: Business systems breached

by Aaron Flack on Jul 23, 2025

Attackers exploiting a series of related vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771) have compromised numerous Microsoft SharePoint servers globally. Initial reports identified around 100 confirmed compromised entities, primarily in the US and Germany, including some government organisations. However, recent telemetry suggests significantly broader exploitation.

Shadowserver identified approximately 9,300 internet-exposed SharePoint servers worldwide, though exposure alone does not confirm compromise. The UK's NCSC has acknowledged a limited number of known domestic cases thus far, indicating ongoing investigations and potential risk for further exploitation.

Understanding the SharePoint Vulnerabilities

Recently disclosed and actively exploited CVEs (CVE-2025-49704, -49706, -53770, -53771) affect customer-managed SharePoint servers, including Subscription Edition, SharePoint 2019, and SharePoint 2016. Older, unsupported versions also present significant risks. Cloud-based SharePoint Online services are unaffected.

Microsoft has attributed these attacks to Chinese state-sponsored threat groups Linen Typhoon, Violet Typhoon, and China-based Storm-2603. Google's Mandiant has similarly confirmed the involvement of at least one China-linked actor. Other cybersecurity experts anticipate broader exploitation by additional actors in the near future.

Vaisha Bernard from Eye Security, who initially reported approximately 100 confirmed victims, warned of the potential for threat actors to maintain persistent access. Attackers have primarily targeted the servers' ASP.NET MachineKeys; with these keys they can forge authentication tokens and retain access even after patching unless the keys are rotated promptly.

Risks for UK Businesses

Businesses in the UK using on-premises SharePoint are facing significant risks of persistent breaches and potential data compromise. Charles Carmakal of Google's Mandiant indicated multiple actors are already exploiting these vulnerabilities, increasing the urgency for businesses to take immediate defensive measures.

Daniel Card from PwnDefend highlights the importance of adopting an "assumed breach" mindset, stressing that merely patching the vulnerabilities is insufficient. Organisations must proactively hunt for signs of compromise and rotate cryptographic keys to ensure effective remediation.

Immediate Remediation Actions

Businesses must urgently:

  • Apply Security Patches Immediately: Deploy patches provided by Microsoft to mitigate vulnerabilities.

  • Rotate ASP.NET MachineKeys: Before and after patching, rotate keys and restart Internet Information Services (IIS) to prevent attackers from maintaining persistence.

  • Enable AMSI (Anti-Malware Scan Interface) in Full Mode: Utilise Microsoft Defender AV or equivalent security solutions. If immediate enabling isn't feasible, isolate or disconnect vulnerable servers from the internet.

  • Conduct Targeted Security Reviews: Specifically monitor for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit, the creation of suspicious files like spinstall0.aspx, unusual w3wp.exe processes, and traffic from known attacker IP addresses.

  • Engage Incident Response Teams: Immediate professional assessment and response are crucial to validate remediation efforts and confirm that there is no residual compromise.
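As an added example (not code from the article or from any of the vendors it cites), the following Python hunt applies the request-based indicators from the review step above to IIS W3C logs: POST requests to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, and requests for the spinstall0.aspx path (the article names the file's creation; a request for it is how a dropped web shell appears in web logs). The log lines are constructed, and the default IIS field order is assumed unless the file carries its own #Fields header.

```python
"""Hunt IIS W3C extended logs for the SharePoint indicators named in the article."""
from urllib.parse import parse_qs

# Default IIS W3C field order (assumption; a #Fields header in the log overrides it).
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
                  "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
                  "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log (not real traffic): a benign GET, the ToolPane POST,
# a follow-up request for the dropped web shell, and an unrelated POST.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 08:01:12 10.0.0.5 GET /sites/hr/Shared+Documents/Forms/AllItems.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-19 08:02:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 345
2025-07-19 08:02:59 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 python-requests/2.32 - 200 0 0 15
2025-07-19 08:05:10 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 - 200 0 0 88
"""


def parse_iis_log(text):
    """Turn W3C log text into a list of field-name -> value dicts."""
    fields, records = DEFAULT_FIELDS, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # honour the file's own column order
            continue
        if not line or line.startswith("#"):  # other directives, blank lines
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):         # malformed line: skip, don't misalign columns
            continue
        records.append(dict(zip(fields, parts)))
    return records


def toolshell_indicators(record):
    """Return the article's indicator names that this single request matches."""
    hits = []
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "-")
    params = {k.lower(): [v.lower() for v in vs]
              for k, vs in parse_qs("" if query == "-" else query).items()}
    if (record.get("cs-method") == "POST"
            and stem.endswith("/_layouts/15/toolpane.aspx")
            and "edit" in params.get("displaymode", [])):
        hits.append("toolpane_edit_post")
    if stem.endswith("/spinstall0.aspx"):
        hits.append("spinstall0_access")
    return hits


def hunt(text):
    """Return (client ip, uri stem, indicators) for every request that matches."""
    findings = []
    for rec in parse_iis_log(text):
        hits = toolshell_indicators(rec)
        if hits:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], hits))
    return findings
```

Matching client addresses are the pivot for the wider review the article calls for (w3wp.exe activity and file creation under the LAYOUTS path around the same timestamps).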

Additional Recommendations

Organisations should also consider:

  • Isolating or Restricting Public Access: Temporarily limit external access to SharePoint services until all patches and security measures have been thoroughly applied.

  • Reviewing Support Status of SharePoint Versions: Older versions, such as SharePoint 2013 or earlier, should not be internet-facing and should ideally be replaced or upgraded, since they no longer receive official security patches.

  • Incident Response and Preparedness: Strengthen incident response protocols, including comprehensive compromise assessments and validation of key rotation procedures.

Long-Term Security Measures for SharePoint

Beyond immediate measures, long-term SharePoint data security requires:

  • Regular Security Audits and Vulnerability Assessments: Continuous monitoring and assessments to proactively address emerging threats.

  • Controlled Permissions and Least-Privilege Access: Ensure stringent access controls to limit unnecessary exposure to sensitive data.

  • Enhanced Staff Training and Awareness: Regular training for employees on cybersecurity best practices and evolving threat landscapes.

  • Data Encryption as a Supporting Measure: While encryption does not directly stop this exploit, it remains a useful component of broader data protection strategies.

These SharePoint vulnerabilities underscore the ongoing threat from sophisticated cyber actors. UK businesses must prioritise immediate, comprehensive security measures and adopt proactive, layered cybersecurity defences to effectively safeguard their critical assets.

Sources

  • Microsoft Security Blog: Disrupting active exploitation of on-premises SharePoint vulnerabilities

  • Microsoft Security Response Center (MSRC): Customer guidance for SharePoint vulnerability CVE-2025-53770

  • Unit 42, Palo Alto Networks: Active Exploitation of Microsoft SharePoint Vulnerabilities

  • Qualys Blog: ToolShell Zero-day: Microsoft Rushes Emergency Patch for Actively Exploited SharePoint Vulnerabilities

  • Reuters: Microsoft server hack hit about 100 organizations, researchers say

  • Eye Security Research: SharePoint 0-day uncovered (CVE-2025-53770)

  • Tenable Blog: CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation

  • CISA (Cybersecurity and Infrastructure Security Agency): UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities