Unauthorized Access to SharePoint Servers: Over 100 German Servers Affected by a Microsoft Security Flaw
A critical security vulnerability, tracked as CVE-2025-53770, has been discovered in Microsoft SharePoint Server, affecting more than 75 organizations worldwide. The flaw, which allows remote code execution (RCE), has been actively exploited since at least mid-July 2025.
The vulnerability, a variant of earlier disclosed flaws such as CVE-2025-49704 and CVE-2025-49706, is rooted in unsafe deserialization processes that accept untrusted data in SharePoint’s handling of page controls and user session authentication. Attackers exploit the vulnerability by sending crafted POST requests to SharePoint endpoints, deploying malicious web shells, and extracting cryptographic keys to forge authentication tokens, impersonate users, execute arbitrary code, and maintain persistence without further interaction with the vulnerable endpoint.
The breach has affected more than 75 company servers during a large-scale exploitation campaign. While the specific countries and organizations have not been fully enumerated publicly, initial discovery and reporting are credited to a Vietnamese cybersecurity firm, Viettel Cyber Security, suggesting that impacted entities may be located in Asia as well as elsewhere. The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. is monitoring the situation closely, indicating significant impact or concern within the United States and likely in other countries with on-premises SharePoint Server deployments.
Both physical on-premises servers and self-managed SharePoint Server instances in cloud environments (e.g., Azure, AWS, GCP) are vulnerable. However, SharePoint Online in Microsoft 365 is not affected, so organizations primarily using Microsoft’s cloud services are not impacted.
Attacks are difficult to detect because they blend in with legitimate SharePoint operations; attackers have achieved lateral movement inside networks and potentially full takeover of organizational SharePoint infrastructure. The exploitation campaign has been ongoing since at least mid-July 2025, preceded by months of related vulnerability disclosures and proof-of-concept exploits.
Microsoft has acknowledged the issue and is preparing a patch. Organizations running self-hosted versions of SharePoint are urged to apply security updates as soon as they become available and to monitor for suspicious activity. German organizations were disproportionately affected: at least 104 servers in Germany were reachable over the network and still unpatched as of Monday.
The Federal Office for Information Security (BSI) considers the threat level "very high" and sees "massive active exploitation." Microsoft has identified three Chinese hacker groups among the attackers, two of which are known for actions on behalf of the state. The risk of further exploitation is not theoretical, with the vulnerability rated 9.8 out of 10 on the CVSS scale.
Organizations are advised to install updates immediately, rotate machine keys, and conduct a forensic investigation to find possible backdoors. Eye Security recommends shutting down or isolating affected servers to better protect against further attack waves. Microsoft tracks the hacker groups under the names Linen Typhoon and Violet Typhoon.
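As an added example (not from the article, Microsoft, or Eye Security), the kind of triage sweep the forensic step above calls for: it walks a SharePoint web root, hashes the web-servable files, and reports those absent from a known-good baseline, changed against it, or modified since the campaign start. The root path and the baseline manifest are assumed inputs the responder supplies.

```python
"""Triage sweep for a self-hosted SharePoint server: list web-servable files
(.aspx/.ashx/.asmx) under a web root that are new or changed relative to a
known-good baseline, or modified since the campaign start.  Added example for
this article; not Microsoft or vendor tooling.
"""
import hashlib
import os
import sys
from datetime import datetime, timezone

# The article dates active exploitation to mid-July 2025; treat anything
# modified on or after 1 July 2025 as worth a closer look.
CAMPAIGN_START = datetime(2025, 7, 1, tzinfo=timezone.utc)
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, baseline, since=CAMPAIGN_START):
    """Return (new, modified, recent) as sorted lists of paths relative to root.
    `baseline` maps relative path -> sha256 hex taken from a known-good server
    (assumed input).  new: not in baseline; modified: hash differs from
    baseline; recent: mtime on or after `since`, regardless of baseline."""
    new, modified, recent = [], [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in baseline:
                new.append(rel)
            elif baseline[rel] != sha256_of(full):
                modified.append(rel)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if mtime >= since:
                recent.append(rel)
    return sorted(new), sorted(modified), sorted(recent)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: sweep.py <web-root>  (no baseline: every file is NEW)")
    for label, items in zip(("NEW", "MODIFIED", "RECENT"), sweep(sys.argv[1], {})):
        for rel in items:
            print(f"{label}\t{rel}")
```

Findings are leads for manual review against the vendor's file inventory, not proof of compromise; a baseline captured from a clean install of the same build makes the NEW/MODIFIED lists far more useful than the mtime heuristic alone.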
Organizational policy should emphasize the immediate installation of Microsoft's security updates for SharePoint Server to address the CVE-2025-53770 vulnerability, as failure to do so may lead to breaches, including cybersecurity threats to health and safety. Advanced security solutions and monitoring tools can aid in detecting suspicious activity and mitigating the risks associated with this high-severity issue.