Federal cybersecurity officials have issued a warning to Microsoft users about a security flaw allowing hackers to access to certain SharePoint systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) posted an alert on its website Sunday, July 20, saying it was aware of “active exploitation” of a security vulnerability that was allowing unauthorized access to on-site SharePoint servers.
The “scope and impact” of the issue was still being assessed, CISA said in the notice posted July 20, but officials said the vulnerability “poses a risk” to organizations that house their own SharePoint servers.
Microsoft, in an alert posted Saturday, July 19, said the vulnerability enables an “authorized attacker to perform spoofing over a network,” a type of cyberattack in which an attacker attempts to trick a user or system into believing they are a trusted or known source.
“The FBI is aware of the matter, and we are working closely with our federal government and private sector partners,” a Microsoft spokesperson told USA TODAY Monday.
SharePoint is used by government agencies and businesses in the U.S. and around the world, as reported by Reuters and the Washington Post, which first reported the attacks.
It was not immediately known who was behind the attack, but a cybersecurity researcher told Reuters on Monday, July 21, it is likely the work of a single actor.
“Based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be a single actor,” Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm, told the outlet. “However, it’s possible that this will quickly change.”
Markets news: US stocks open higher as investors eye more earnings and tariff news
Microsoft SharePoint vulnerability
In its alert about the ongoing attacks on SharePoint servers, Microsoft urged customers to install new security updates.
The company said SharePoint Online in Microsoft 365, stored in the cloud, was not hit by the exploit. The attack is dubbed by experts as “zero day,” because, officials said, it was a shock to cybersecurity researchers.
Microsoft’s stock price was mostly flat on Monday morning, July 21.
‘Customers should apply these updates’
Microsoft reported it issued recommendations to stop attackers from exploiting it.
“Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770, and CVE-2025-53771,” the post reads. “Customers should apply these updates immediately to ensure they’re protected.”
To access Microsoft’s link to the updates click here.
USA TODAY has reached out to Microsoft for more information.
Contributing: Reuters
Natalie Neysa Alund is a senior reporter for USA TODAY. Reach her at nalund@usatoday.com and follow her on X @nataliealund.
This article originally appeared on USA TODAY: Microsoft SharePoint servers hit by global hack: What we know
