Federal agencies, specifically the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS), have been hit by a hack of Microsoft SharePoint, resulting in potential data breaches.
A critical zero-day vulnerability in Microsoft SharePoint Server, tracked as **CVE-2025-53770**, has been actively exploited in large-scale attacks, breaching over 75 organisations worldwide, including at least two U.S. federal agencies and several state agencies, universities, and energy sector companies in the U.S. [1][2]
The flaw allows unauthenticated attackers to execute code remotely by abusing deserialization of untrusted data and forging trusted payloads, giving them persistent, stealthy access and the ability to move laterally within networks. [1][4] The breach mainly affects on-premises SharePoint Server environments; SharePoint Online in Microsoft 365 is not impacted. [1][2][4]
Attackers have been observed bypassing identity controls such as multi-factor authentication and single sign-on, using malicious webshells including .aspx, .exe, and .dll payloads to maintain persistence, deploying ransomware (notably "Warlock") on compromised systems, and stealing cryptographic keys and exfiltrating sensitive data. [3][4]
In response, Microsoft released an emergency security update on July 20, 2025, and is testing further comprehensive patches. [1][2] The Cybersecurity & Infrastructure Security Agency (CISA) has issued multiple alerts urging organisations to review and apply all relevant SharePoint patches issued since July 8, 2025, rotate all cryptographic material to invalidate stolen keys, employ enhanced detection strategies for advanced persistent threat indicators and webshell activity, and engage professional incident response teams to thoroughly investigate and remediate breaches. [3][4]
Affected organisations are advised to consider on-premises SharePoint servers exposed to the internet as potentially compromised and take immediate containment measures. [4]
CISA has been working with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information and mitigate the hack's impact. [2] CISA has also implemented protective measures and assessed preventive measures to guard against future attacks.
At this time, there is no evidence of data exfiltration at the Department of Homeland Security (DHS) or any of its components. [2] The hack was part of a wider breach of Microsoft's SharePoint service, with Chinese actors confirmed to have deployed ransomware on the file sharing and storage platform. [2]
This news report was contributed to by Paulina Smolinski and draws on information from various sources, including Margaret Brennan, moderator of "Face the Nation with Margaret Brennan" and the network's chief foreign affairs correspondent, who regularly leads coverage from Washington, D.C., when news breaks on the political and foreign affairs fronts. The White House is closely monitoring the situation. [5]
Sources:
- [1] Microsoft Security Response Center Blog, July 20, 2025.
- [2] CISA Alert, July 21, 2025.
- [3] Microsoft Security Advisory, July 20, 2025.
- [4] CISA Alert, July 22, 2025.
- [5] CBS News, July 23, 2025.
- The zero-day vulnerability in Microsoft SharePoint Server, CVE-2025-53770, has been exploited in widespread attacks in the health, politics, general-news, law, technology, and energy sectors, affecting over 75 organizations worldwide.
- The Cybersecurity & Infrastructure Security Agency (CISA) has issued alerts, urging organizations to apply SharePoint patches, rotate cryptographic material, employ enhanced detection strategies, and engage incident response teams, as the breach has been tied to the deployment of ransomware like "Warlock" and the theft of sensitive data.
- News reports state that Chinese actors have breached Microsoft's SharePoint service; the incident is part of a larger cybersecurity threat that could affect organizations in the news, health, law, cybersecurity, technology, politics, and general-news sectors.