A severe cybersecurity breach targeting Microsoft’s self-hosted SharePoint servers has compromised around 100 organizations globally, according to researchers from Eye Security and the Shadowserver Foundation. The attack, described as a “zero-day” exploit because it uses a previously undisclosed vulnerability, has raised alarms across the cybersecurity community.
Microsoft issued a warning over the weekend about “active attacks” exploiting the flaw in self-hosted SharePoint servers. While Microsoft-managed SharePoint Online services remain unaffected, the vulnerability has exposed thousands of internet-facing servers worldwide to potential intrusion.
The attack was first identified on Friday by Eye Security, a Netherlands-based cybersecurity firm, when it detected a breach in one of its clients. An internet-wide scan by Shadowserver shortly after revealed nearly 100 confirmed victims, including government agencies and organizations primarily located in the United States and Germany.
Vaisha Bernard, chief hacker at Eye Security, warned of the potential long-term implications. “It’s unambiguous,” he said, noting that unknown adversaries may have already deployed persistent backdoors within compromised systems. The affected organizations have been reported to relevant national authorities, though specific names remain undisclosed.
Sophos’ Director of Threat Intelligence, Rafe Pilling, noted that while the espionage effort currently appears to involve a single threat actor or group, that could rapidly change. Google, which monitors broad internet traffic, has linked some of the activity to a “China-nexus threat actor,” though no formal attribution has been confirmed.
The FBI has acknowledged the attacks and is collaborating with federal and private-sector partners. The UK’s National Cyber Security Centre also confirmed a “limited number” of affected entities in Britain.
Estimates from Shodan and Shadowserver suggest that between 8,000 and 9,000 vulnerable servers could still be exposed. These include servers operated by banks, industrial firms, healthcare institutions, auditors, and multiple U.S. state and international government bodies.
Daniel Card of UK cybersecurity firm PwnDefend emphasized that simply applying Microsoft’s patch is not sufficient. “Taking an assumed breach approach is wise,” he said, urging organizations to perform thorough investigations and implement broader security measures.
This incident underscores the critical need for continuous monitoring and rapid response to emerging cyber threats.