
Widespread Microsoft security incident in Germany reported

Attackers are using a newly discovered exploit chain to break into the servers of corporations and government bodies around the world. Organizations in the United States and Germany are among those affected, and other countries are being targeted as well.


A critical zero-day vulnerability (CVSS 9.8) in Microsoft's on-premises SharePoint Server, tracked as CVE-2025-53770, is being exploited in large-scale cyber attacks. The flaw is a deserialization bug that gives an unauthenticated attacker remote code execution on the server; together with the related CVE-2025-49704 and CVE-2025-49706 the chain is known as "ToolShell". The attacks have hit German companies, public authorities, educational institutions, and numerous other organizations worldwide.

Global Impact

According to recent reports, 396 compromised servers have been identified at 145 organizations across the globe. France, Spain, the Netherlands, Italy, the United Kingdom, and Mauritius each account for between 4% and 8% of the confirmed cases. Germany ranks third with 7% of confirmed cases, hosting 42 of the affected organizations, 10 of which are headquartered in the country.

Attack Methods and Tactics

The attackers trigger the SharePoint deserialization flaw without authenticating, use it to write a web shell onto the server, and use that shell to read the ASP.NET machine keys (the ValidationKey and DecryptionKey). With those keys they can sign their own serialized payloads, so any later request carrying a forged, validly signed ViewState is accepted and deserialized by the server. Identity controls such as multi-factor authentication (MFA) and single sign-on (SSO) offer no protection here, because no login is involved at any step. Once on the server, the attackers can execute code, persist in the network, exfiltrate sensitive data, and deploy backdoors; a stolen machine key also keeps working after the patch is applied unless the keys are rotated.
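The two request shapes that characterise this chain are visible in ordinary IIS logs: the unauthenticated POST to ToolPane.aspx that carries a SignOut.aspx Referer, and any hit on the key-dumping web shell, published by Microsoft under the name spinstall0.aspx (with spinstall.aspx, spinstall1.aspx and similar variants also reported). The sweep below is an added example, not code from the article or from Microsoft; the log lines are constructed, the hostname sp.example.test and the IP addresses are placeholders, and the `spinstall\d*` pattern is an assumption that generalises the published file names.

```python
"""Sweep IIS W3C-format logs for the ToolShell (CVE-2025-53770) exploitation
pattern: an unauthenticated POST to ToolPane.aspx?DisplayMode=Edit with a
Referer of /_layouts/SignOut.aspx, followed by access to the spinstall web shell.
Added example; sample data below is constructed, not a real capture."""
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample log. The parser reads the #Fields: header rather than
# assuming a field order, because IIS log field sets are configurable.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:02:11 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.0.77 Mozilla/5.0 - 200
2025-07-19 10:03:45 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.23 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200
2025-07-19 10:03:47 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.23 python-requests/2.31 - 200
2025-07-19 10:05:01 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CONTOSO\\bob 10.0.0.80 Mozilla/5.0 https://sp.example.test/_layouts/15/start.aspx 200
"""

# Indicators from Microsoft's public guidance; the \d* generalisation over the
# web shell name is an assumption made here to catch the reported variants.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.I)
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)


@dataclass
class Finding:
    rule: str
    timestamp: str
    client_ip: str
    uri: str


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # truncated or malformed line: skip it, don't abort the sweep
        yield dict(zip(fields, values))


def classify(rec: dict) -> Optional[str]:
    """Return the name of the rule a request matches, or None for benign traffic."""
    stem = rec.get("cs-uri-stem", "")
    if WEBSHELL_RE.search(stem):
        return "webshell_access"
    if (rec.get("cs-method") == "POST"
            and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in rec.get("cs-uri-query", "").lower()
            and SIGNOUT_RE.search(rec.get("cs(Referer)", ""))):
        return "toolshell_auth_bypass"
    return None


def sweep(text: str) -> list:
    """Run every rule over the log text and return the findings in log order."""
    findings = []
    for rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            findings.append(Finding(rule, f"{rec['date']} {rec['time']}",
                                    rec.get("c-ip", "-"), rec.get("cs-uri-stem", "")))
    return findings


def suspect_ips(findings: list) -> set:
    """Client addresses to pivot on across the rest of the environment."""
    return {f.client_ip for f in findings}


if __name__ == "__main__":
    hits = sweep(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp}  {f.rule:22s}  {f.client_ip}  {f.uri}")
    print("pivot on:", ", ".join(sorted(suspect_ips(hits))))
```

The authenticated GET of ToolPane.aspx by CONTOSO\bob is deliberately left unflagged: editors legitimately open that page, and the signal is the combination of POST, DisplayMode=Edit, no user, and the SignOut.aspx Referer, not the URL alone. A hit on the web shell rule is conclusive on its own and should be treated as a confirmed compromise, which means the machine keys must be assumed stolen.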

Known Attackers

Microsoft has attributed exploitation of this SharePoint vulnerability to several China-linked groups: the state-backed actors Linen Typhoon and Violet Typhoon, and the China-based group Storm-2603. Their targets span government agencies, critical infrastructure, universities, and private companies, both in Germany and worldwide. Storm-2603 in particular has been observed using the access gained through this exploit to deploy ransomware.

Recommendations

Microsoft recommends immediately applying the available security updates for the supported on-premises editions (SharePoint Server Subscription Edition, 2019, and 2016) and monitoring network and endpoint activity for the web shells and forged payloads used in these attacks. Because the web shell steals the server's ASP.NET machine keys, patching alone does not evict an attacker who already has them: the keys must be rotated (through Central Administration or the SharePoint PowerShell cmdlets) and IIS restarted afterwards, and Microsoft also advises ensuring that AMSI integration is enabled with an antimalware engine such as Defender Antivirus. SharePoint Online (the cloud service) is not affected by this vulnerability.

It is crucial to note that the danger from the SharePoint vulnerability is still ongoing. The risk is no longer limited to states or large corporations, as Lodi Hensen, VP Security Operations at Eye Security, points out: European SMEs, which often run on-premises solutions in their own data centers and lack continuous security monitoring, are increasingly being targeted.

Criminal groups are now also active, using compromised SharePoint access to stage ransomware attacks in which the attackers encrypt their victims' data and attempt to extort a ransom.

In light of these developments, organizations need to prioritise their cybersecurity measures, above all securing their on-premises SharePoint servers, to minimise the risk of falling victim to these attacks.

  1. The ongoing attacks exploiting CVE-2025-53770 have extended beyond large corporations and now pose a significant threat to small and medium-sized European enterprises that rely on on-premises technology such as SharePoint servers for their operations.
  2. To mitigate the risk of ransomware attacks following on from this SharePoint vulnerability, organizations should patch their on-premises SharePoint servers, rotate the machine keys, monitor for signs of compromise, and adopt established security best practices.
