SANTOSTILO HACKERS EXPLOIT ZERO‑DAY FLAW TO HACK MICROSOFT SHAREPOINT

A newly discovered zero-day vulnerability in Microsoft SharePoint has been actively exploited by hackers, raising serious concerns about enterprise security worldwide. Cybersecurity researchers and government agencies have issued urgent warnings after multiple intrusions were detected targeting this flaw, which allows attackers to execute arbitrary code and potentially gain full control over SharePoint servers.

The vulnerability, designated CVE-2025-34561, was first flagged by researchers at cybersecurity firm Mandiant, who reported observing advanced threat actors using the exploit in targeted attacks against government agencies, financial institutions, and large corporations in North America, Europe, and Asia. The flaw exists in the way SharePoint processes certain user input, enabling attackers to bypass authentication and inject malicious scripts directly into vulnerable systems.

According to Microsoft, the vulnerability affects several versions of SharePoint Server, including SharePoint Server 2019 and SharePoint Server Subscription Edition. The tech giant acknowledged the issue in an advisory published on Tuesday, confirming that the exploit is being used in the wild and urging system administrators to apply mitigations immediately while a permanent patch is being developed.

“This zero-day exploit is particularly dangerous because of its ability to allow remote code execution without user interaction,” said Kevin Beaumont, a security researcher and former Microsoft cybersecurity analyst. “Once exploited, it gives attackers a foothold into corporate networks, enabling lateral movement, data exfiltration, or deployment of ransomware.”

Security experts warn that the flaw could be part of a broader campaign by state-sponsored hackers or sophisticated cybercriminal groups, given the precision of the attacks and the high-value targets involved. In several reported incidents, the attackers deployed web shells and created new administrative accounts, enabling them to maintain persistent access long after the initial breach.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its catalog of Known Exploited Vulnerabilities (KEV) on Wednesday and issued an emergency directive requiring federal agencies to secure affected systems immediately. “This vulnerability poses an unacceptable risk to government and private sector networks,” CISA stated. “Organizations must apply workarounds or disable vulnerable services until official patches are available.”

As of now, Microsoft has released temporary guidance, including firewall rules and access control modifications, to block known attack vectors. Security researchers emphasize that isolating SharePoint servers from the public internet and conducting thorough log audits are also critical to detect signs of compromise.

The incident highlights the increasing frequency and severity of zero-day vulnerabilities being exploited in enterprise software. SharePoint, used by millions of organizations globally for document management and internal collaboration, presents an attractive target for attackers due to its integration with other Microsoft products like Outlook, Teams, and Azure.

Cybersecurity firms recommend that organizations using SharePoint closely monitor Microsoft’s Security Update Guide and prepare for rapid deployment of security patches. Regular backups, strong access controls, and the use of endpoint detection and response (EDR) tools are also essential to minimize potential damage.

As Microsoft races to release a full fix, IT administrators across the globe are on high alert, working to secure critical infrastructure from what could become a wide-scale cyber threat.