SharePoint attack hits a limited number of UK businesses, with repercussions spreading worldwide
A zero-day vulnerability in Microsoft's SharePoint, known as CVE-2025-53770 or "ToolShell," is currently being exploited by multiple hacking groups, including several Chinese state-aligned groups. This exploitation campaign has been ongoing since at least July 7, 2025.
Hacker Groups Involved
Chinese state-aligned groups have been explicitly linked to attacks leveraging this SharePoint flaw. The campaign is sophisticated and uses multiple IP addresses, at least one of which was previously linked to exploitation of Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, which suggests that multiple threat actors may be sharing tools or infrastructure.
It's unclear who is behind the attacks, but Charles Carmakal, CTO at Google-owned Mandiant Consulting, reportedly said multiple groups of hackers are now using the vulnerability.
Most Affected Countries and Sectors
The United States has been particularly hard-hit, with multiple federal agencies and departments including the Department of Homeland Security (DHS), National Nuclear Security Administration, Department of Education, and the Department of Health and Human Services compromised. Numerous government, telecommunications, and software sector organizations in North America and Western Europe have faced dozens of compromise attempts.
Over 4600 compromise attempts against more than 300 organizations worldwide had been detected as of late July 2025, indicating broad global exposure.
Mitigation Measures
Microsoft is working with the Cybersecurity and Infrastructure Security Agency (CISA) to notify potentially impacted entities about recommended mitigations. Michael Sikorski, a cybersecurity expert, urges organizations running on-prem SharePoint to take immediate action, apply all relevant patches, rotate all cryptographic material, and engage professional incident response.
A stopgap measure suggested by a security expert is to disconnect on-premises Microsoft SharePoint servers from the internet until a patch is available. SharePoint Online in Microsoft 365 is not affected by the zero-day flaw.
UK and US Response
The UK's National Cyber Security Centre (NCSC) has detected attacks exploiting the SharePoint flaw within the country. Two federal government agencies in the US have reportedly had their servers compromised through the SharePoint zero-day flaw. The U.S. government and partners in Canada and Australia are actively investigating and responding to these breaches.
Vaisha Bernard, chief hacker at Eye Security, suggests that other hackers may have planted backdoors since the flaw was first discovered. The attacks using the SharePoint zero-day vulnerability are targeted and deliberate, and are designed to persist even after patching.
The SharePoint zero-day vulnerability may be a bypass of the patch for a previously fixed vulnerability. Rapid7 is observing active exploitation of the zero-day in its customers' environments. Daniel Card of PwnDefend states that the SharePoint incident has caused broad compromise across a range of servers globally.
In summary, Chinese state-aligned groups are the primary known threat actors exploiting this SharePoint zero-day vulnerability. They are targeting high-value government and critical infrastructure sectors, particularly in the United States, Western Europe, and North America more broadly, but exploitation attempts have been detected globally.
- The broad global exposure to, and attempted exploitation of, the SharePoint zero-day vulnerability has raised cybersecurity concerns, particularly in the infrastructure sector, since the incident could have significant financial consequences if sensitive data is compromised.
- In response to the active exploitation, cybersecurity experts have recommended several mitigation measures: apply all relevant patches, rotate all cryptographic material, and engage professional incident response to limit financial losses and damage to infrastructure.