Researchers and news reports show that the hackers behind the first attacks of attacks that exploit zero-day on Microsoft SharePoint servers have so far been primarily targeting government organizations.
Over the weekend, the US cybersecurity agency CISA issued an alert warning that hackers were exploiting what previously known as an unknown bug (zero-day) in Microsoft's enterprise data management product SharePoint. It's still too early to draw a definitive conclusion, but the hackers who first began abuse the flaws appeared to have targeted government organizations, according to Silas Cutler, a leading researcher at Censys, cybersecurity company that monitors hacking activities on the internet.
“The initial exploitation appears to be against a narrow set of targets,” Cutler told TechCrunch. “Perhaps it's government-related.”
“This is a case that evolves quite rapidly. The early exploitation of this vulnerability could have been fairly limited in terms of targeting, but as more attackers learn to replicate exploitation, we may see violations as a result of this incident,” Cutler said.
Contact Us Do you have any more information about these SharePoint attacks? We look forward to hearing from you. From unprocessed devices and networks, you can safely contact Lorenzo Franceschi-Bicchierai with a signal of +1 917 257 1382, via Telegram and Keybase @lorenzofb, or by email.
The vulnerability is there, and yet it has not been fully patched by Microsoft, so other hackers who don't necessarily work for the government could join and start abuse, Cutler said.
Cutler added that he and his colleagues are looking at 9,000-10,000 vulnerable SharePoint instances accessible via the internet, but that could change. Eye Security, which first published the existence of the bug, reported seeing similar numbers, saying researchers scanned more than 8,000 SharePoint servers around the world and found evidence of dozens of server breach.
Given the limited number of targets at the start of the campaign and the type of target, Cutler explained that hackers are likely part of a government group commonly known as a highly sustained threat.
TechCrunch Events
San Francisco | October 27-29, 2025
The Washington Post reported Sunday that the attack targeted universities and energy companies, among other commercial targets, including federal and state agencies in the United States.
In a blog post, Microsoft said the vulnerability only affects the version of SharePoint installed on the local network, not the cloud version.