SharePoint flaw gives hackers easy access - here’s what to do
A pair of Microsoft SharePoint zero-days are being exploited globally in what may be the fastest-spreading vulnerability campaign since WannaCry. If your SharePoint instance is exposed, assume you’ve been breached.
This post was updated July 25 based on new information, including an emergency alert from CISA.
Microsoft SharePoint is being actively exploited in one of the most aggressive cyber attack campaigns we’ve seen this year. As of July 26, over 327 organizations have been compromised, with more than 4,600 exploitation attempts recorded in just the first 10 days. The attackers used two zero-day vulnerabilities - CVE-2025-49706 (an authentication bypass) and CVE-2025-49704 (a remote code execution bug) - to take full control of unpatched SharePoint servers.
And they’re not just stealing data. Attackers are extracting SharePoint’s MachineKey configuration to forge authentication tokens, bypass all login protections, and persist access even after patching. That means unless you’ve rotated those keys, attackers may still have a backdoor in.
“How did this get so bad so fast?”
This wasn’t just a software flaw. It was a breakdown of trust.
The vulnerabilities were disclosed through Microsoft’s MAPP program - a trusted early-access system for security vendors. But hours after the final vulnerability notice went out, exploitation began. Microsoft now believes the details were leaked from within the program, giving Chinese state-sponsored hackers a head start.
In just 17 hours, the attack volume surpassed WannaCry’s initial spread.
“Is my organization at risk?”
If you run on-premises or hybrid SharePoint, the answer is yes.
Some key stats:
78% of Fortune 500 companies still use on-prem SharePoint
34% of those deployments are internet-facing
67% of compromised organizations used hybrid environments
In 41% of those cases, attackers pivoted into the cloud
Even SharePoint Online can be impacted if credentials were stolen and reused across Microsoft 365.
“What should I do right now?”
There are five actions every IT and cybersecurity team should take immediately:
1. Assume breach. Scan logs and endpoints for the known exploit path (ToolPane.aspx) and web shell indicators like spinstall0.aspx, microsoft_sync.aspx, and others.
2. Apply Microsoft’s out-of-band patch from July 19. The original July 8 patch was bypassed within days.
3. Rotate your SharePoint MachineKeys. This is essential. Without it, attackers can still impersonate users.
4. Harden your SharePoint instance. Disable unused features, enforce strong segmentation, and limit external access.
5. Reevaluate vendor trust. The MAPP leak proves that even trusted programs aren’t immune from abuse.
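A defender-side check for the first action, written as an added example that is not code from the post or from Hive Systems: it parses IIS W3C extended log lines (a constructed sample is embedded) and flags any request for ToolPane.aspx or for the web shell filenames named above. The /_layouts/15/ prefix in the sample paths is an assumption; matching is done on the filename only, so the check works regardless of where the page sits.

```python
import os
from typing import Iterator

# Indicators named in the post: the exploit page and the dropped web shell filenames.
EXPLOIT_PAGE = "toolpane.aspx"
WEBSHELL_NAMES = {"spinstall0.aspx", "microsoft_sync.aspx"}

# Constructed sample in IIS W3C extended log format (not real traffic).
# Client 203.0.113.7 is a documentation-range address used as a stand-in attacker.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:11:05 10.0.0.5 GET /sites/finance/SitePages/Home.aspx - 10.0.1.20 Mozilla/5.0 - 200
2025-07-19 02:11:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:12:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 02:15:44 10.0.0.5 GET /_layouts/15/microsoft_sync.aspx - 203.0.113.7 curl/8.0 - 200
"""


def parse_iis_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line; the '#Fields:' directive names the columns."""
    fields: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            # IIS writes spaces inside values as '+', so a plain split is safe.
            yield dict(zip(fields, raw.split()))


def scan_iis_log(text: str) -> list[dict]:
    """Return one finding per request that hits the exploit page or a known web shell name."""
    findings = []
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        page = os.path.basename(stem).lower()
        if page == EXPLOIT_PAGE:
            reason = "exploit path"
        elif page in WEBSHELL_NAMES:
            reason = "web shell indicator"
        else:
            continue
        findings.append({"when": f"{rec.get('date')} {rec.get('time')}", "client": rec.get("c-ip"),
                         "method": rec.get("cs-method"), "uri": stem, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f['when']} {f['client']} {f['method']} {f['uri']} -> {f['reason']}")
```

Point the scanner at the real IIS logs (or run it over exported lines) and treat any hit as a trigger for the full assume-breach workflow, since a web shell request means the patch alone is no longer sufficient.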
“What if I don’t patch or rotate keys?”
You’re not just behind. You’re likely compromised.
CISA’s emergency directive requires agencies to either patch or disconnect exposed SharePoint instances within 48 hours. Organizations that didn’t rotate keys have seen forged authentication tokens in use weeks after the original breach.
One healthcare system lost 2.3 million patient records in just four days due to lateral movement after the SharePoint breach.
“What’s your take on all of this?”
This isn’t just a Microsoft issue. It’s a wake-up call for how we manage vendor trust, vulnerability disclosures, and cloud-connected systems.
At Hive Systems, we’ve long said cybersecurity must be built around real business processes - and this is exactly why. If SharePoint is core to your workflows, your defense needs to account not just for patching delays, but also for trust boundaries, key management, and hybrid sprawl.
We help organizations assess those risks holistically, implement real protections, and make sure there’s no single point of failure - vendor or otherwise.
Because when trust is broken, the only thing that works is verification. If SharePoint is critical to how you do business, protecting it shouldn’t be an afterthought.