The Dutch cybersecurity company Eye Security warns of large-scale exploitation of vulnerabilities in Microsoft SharePoint. Patching is not always the solution.
A recently disclosed security vulnerability in Microsoft SharePoint has been exploited worldwide to carry out targeted attacks. This is according to research by the Dutch cybersecurity company Eye Security, which identified 396 compromised systems across 41 countries and at least 145 companies. Eye Security discovered the zero-day vulnerability around July 18.
Microsoft has attributed exploitation of the vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, to groups with suspected ties to China. However, the vulnerabilities have since been exploited more widely, including by cybercriminals with other motives such as financial gain.
Targeted Attacks
After discovering the vulnerability, Eye Security conducted a large-scale scan of more than 27,000 SharePoint servers. It turns out that government institutions (30%) and educational organizations (13%) were primarily targeted. These sectors are often the focus of actors with espionage purposes. Outside the government and education sectors, SaaS providers, telecom companies, and energy managers also faced infections.
According to Eye Security expert Lodi Hensen, these are not “opportunistic” attacks. “The attackers knew exactly what they were looking for,” said Hensen.
Mauritius
Most confirmed attacks occurred in the United States (18%), but a significant portion of the attacks took place in Europe. Germany (7%), France (5%), and the Netherlands (4%) are among the most affected countries. Mauritius (8%) is also high on the list: the tropical island turns out to be a popular destination for SharePoint servers.

Whether Belgian companies are among the victims is not immediately clear from Eye Security’s figures. We have asked the company for more information on this. The Belgian CCB is trying to map the extent of the SharePoint vulnerability. Since most Belgian companies use SharePoint via the cloud, the impact would be rather limited in Belgium.
The analysis shows that multiple threat actors used different attack methods. The malicious code distributed can vary from campaign to campaign. This indicates multiple parallel attacks.
Patching is not Enough
Microsoft has meanwhile released security updates, but this has not immediately stabilized the number of affected servers. According to Eye Security, this means that many systems were not patched in time, or that attackers had already gained long-term access. Once attackers are inside, a patch is nothing more than a band-aid on an open wound.
The vulnerability should be a wake-up call for medium-sized organizations at risk, as they often lack permanent monitoring. Those who rely solely on Microsoft Defender or only patch miss crucial steps in the recovery process. The threat is not gone once a system is updated, although quick patching is certainly a good practice.
According to Eye Security, the risk of ransomware and supply chain attacks will remain elevated in the coming weeks. Organizations are advised to check whether attackers are already active within the network, even after installing updates.
