DALLAS — Microsoft has issued an alert warning that hackers are actively exploiting a critical vulnerability in its SharePoint Server software, which businesses and government agencies use to share documents internally.

The company said the flaw affects only on-premises SharePoint servers and does not impact SharePoint Online through Microsoft 365. Microsoft has released emergency security updates and urged customers to install them immediately.

According to Palo Alto Networks, at least 54 organizations, including banks, universities, and government agencies, have already been compromised.

“Attackers are bypassing identity controls and stealing sensitive data,” said Michael Sikorski, chief technology officer at Palo Alto Networks’ Unit 42. “If your SharePoint server is exposed to the internet, you should assume it’s been compromised.”

The exploited flaw, tracked as CVE-2025-53770, allows remote code execution. A second related bug, CVE-2025-53771, involves spoofing over a network. Microsoft says both issues are linked to a larger exploit chain and have been addressed in recent patches.

The FBI confirmed it is aware of the attacks and is coordinating with federal and private sector partners. Microsoft said it is working closely with agencies including CISA and the Department of Defense Cyber Command.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities list, requiring federal agencies to apply the fix by July 21.