The SharePoint vulnerabilities that Microsoft released emergency patches for earlier this week – tracked as CVE-2025-53770 and CVE-2025-53771 – have been exploited much further than previously thought.
As reported by Bloomberg, the number of companies and organizations affected by the two exploits has grown to more than 400 in just a few days.
Dutch cybersecurity company Eye Security, which noticed some of the early attacks, said the hackers involved have now breached government agencies, corporations and groups from countries around the world including the U.S., Europe, Asia and the Middle East.
One of the highest profile agencies involved is the National Nuclear Security Administration, a U.S. agency that maintains the nations stockpile of nuclear weapons. Others include the U.S. Department of Education, Florida’s Department of Revue, and the Rhode Island General Assembly. Organizations include government agencies, education departments and technology services.
The SharePoint vulnerabilities allow threat actors access to those servers in order to steal keys that would allow them to impersonate users or services in phishing attacks. This means they could potentially gain access to networks where they could steal data, even that of a confidential or sensitive nature. Though Microsoft has issued patches to fix the flaws, researchers have cautioned that hackers may have already gained access to many of the targeted servers.
The Eye Security researchers have cautioned that the number of companies hacked may still grow as there are ways to compromise servers that do not leave traces, and that other "opportunistic" hackers may continue to exploit vulnerable servers. Companies who have not yet issued a patch for their SharePoint servers should do so immediately following Microsoft's instructions which include rotating machine keys and analyzing the logs and file system for signs of system exploits.
Microsoft has pointed the finger at both the Linen Typhoon and Violet Typhoon groups at being behind these attacks; both groups are said to be Chinese state-sponsored hacking groups. A third Chinese based hacking group, referred to as Storm-2603, is also said to have used the exploit in the wild.
Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
Follow Tom's Guide on Google News to get our up-to-date news, how-tos, and reviews in your feeds. Make sure to click the Follow button.
