Hundreds of organizations across the globe, including government agencies, universities, and private companies, have been quietly hacked through an open hole in Microsoft SharePoint. And the scariest part? The attackers didn’t even need a password to get in. Security researchers at Eye Security found that attackers are exploiting a dangerous vulnerability to take control of on-premises SharePoint servers. No password, no login screen. Just straight access through a broken part of SharePoint’s backend.
At least 400 systems are confirmed breached so far, and that number is still climbing. Victims include U.S. federal agencies like the National Institutes of Health (NIH) and the National Nuclear Security Administration (NNSA), according to The Washington Post. If your organization still runs its own SharePoint server, especially older versions like SharePoint 2016 or earlier, you could be exposed right now without knowing it.
What’s going on?
Hackers are using a flaw in a SharePoint page to sneak in, plant remote control tools and then steal the keys that help systems trust each other. That means even if you patch the system, they could still have access because they already grabbed the keys while you were vulnerable.
Microsoft confirmed the bug and issued patches, but for many organizations, it might already be too late. If you were running SharePoint before the fix was released and haven’t rotated your encryption keys, you could still be compromised. Worse? Microsoft’s original patch missed the mark. The first attempt didn’t fully fix the issue, leaving servers open for days before an emergency update was pushed out, as reported by Reuters.
Who’s behind it?
Microsoft is pointing fingers at three China-linked hacking groups: Linen Typhoon, Violet Typhoon, and Storm-2603. Investigators say the attackers are using servers based in China to run these operations. These are not just random script kiddies; these are organized groups, likely working with state support, and targeting critical infrastructure and sensitive data across the healthcare, education, and energy sectors. (The Guardian, Axios)
What needs to happen now?
If your company or agency runs SharePoint on-premises, not in the cloud, you need to do three things, fast:
- Patch your servers with the latest security update from Microsoft.
- Rotate your encryption keys to prevent attackers from reusing stolen credentials.
- Check your systems for signs of compromise, especially suspicious web shells or unknown admin actions.
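One way to start on the third step, as an added example that is not part of this article: a PowerShell inventory of server-side pages recently added or modified under the SharePoint LAYOUTS folders, which is where a dropped web shell would usually end up. It assumes the default install path and the hive folder names (15 for SharePoint 2013, 16 for 2016 and later); run it on each SharePoint server and compare the output against a known-good server, since legitimate patches also touch these folders.

```powershell
# Added example, not from the article or from Microsoft.
# Lists .aspx/.ashx/.asmx files created or modified since $Since under every
# SharePoint hive's TEMPLATE\LAYOUTS folder, with a SHA256 for triage.
param(
    [datetime]$Since = (Get-Date).AddDays(-30),
    # Assumed default install root for on-premises SharePoint.
    [string]$Root = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions',
    [string]$ReportPath = "$env:TEMP\sharepoint-layouts-review.csv"
)

# Hive folders are numeric: 15 = SharePoint 2013, 16 = SharePoint 2016/2019/SE.
$layoutDirs = Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+$' } |
    ForEach-Object { Join-Path $_.FullName 'TEMPLATE\LAYOUTS' } |
    Where-Object { Test-Path $_ }

if (-not $layoutDirs) {
    Write-Warning "No LAYOUTS folders found under $Root; check the install path."
    return
}

$findings = foreach ($dir in $layoutDirs) {
    Get-ChildItem -Path $dir -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest changes first; anything you cannot tie to a patch deserves a closer look.
$findings = $findings | Sort-Object Modified -Descending
$findings | Format-Table Modified, SizeKB, Path -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Reviewed $($layoutDirs.Count) LAYOUTS folder(s); $($findings.Count) file(s) changed since $Since. Report: $ReportPath"
```

An empty list is not a clean bill of health: a shell can live elsewhere on the server, and stolen keys stay valid until they are rotated, so this check complements the patch and key-rotation steps rather than replacing them.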
Organizations using older versions of SharePoint like 2013 or 2010? You’re not getting a fix. You either need to take those servers offline or isolate them immediately.
This isn’t just another tech bug
This is a wake-up call. Too many organizations are still relying on outdated, unmonitored systems because “on-prem” feels safer than the cloud. But attackers love old systems that no one is watching. And in this case, they didn’t just find a door, they found it wide open.
Related: Hackers Found A Backdoor in SharePoint, And Walked Right into Government Servers