The hackers behind the original wave of attacks exploiting a zero-day in Microsoft SharePoint servers have so far targeted government organizations, according to researchers and news reports.
Over the weekend, the U.S. cybersecurity agency CISA published a notice warning that hackers were taking advantage of a previously unknown bug, known as a "zero-day", in Microsoft's enterprise data management product SharePoint. While it is still too early to reach definitive conclusions, it seems that the hackers who began to abuse this flaw were targeting government organizations, according to Silas Cutler, the principal researcher at Censys, a cybersecurity firm that monitors hacking activity on the internet.
“It seems that the initial exploitation was against a narrow set of targets,” Cutler told TechCrunch. “Possibly government related.”
“This is a quite rapidly evolving case. The initial exploitation of this vulnerability was probably quite limited in terms of targeting, but as more attackers learn to reproduce the exploitation, we will probably see violations as a result of this incident,” Cutler said.
Now that the vulnerability is out there and has not yet been fully patched by Microsoft, it is possible that other hackers who do not necessarily work for a government will join in and start abusing it, Cutler said.
Cutler added that he and his colleagues are seeing between 9,000 and 10,000 vulnerable SharePoint instances accessible online, but that could change. Eye Security, which first published the existence of the bug, said it saw a similar number, saying that its researchers scanned more than 8,000 SharePoint servers worldwide and found evidence of dozens of compromised servers.
Given the limited number of targets and the types of targets at the beginning of the campaign, Cutler explained, it is likely that the hackers were part of a government group, commonly known as an advanced persistent threat.
The Washington Post reported on Sunday that the attacks are aimed at US federal and government agencies, as well as universities and energy companies, including commercial targets.
Microsoft said in a blog post that the vulnerability only affects versions of SharePoint installed on local networks, not the cloud versions, which means that any organization that deploys a SharePoint server must apply the patch or disconnect it from the internet.
