More details are available on our Tech Blog, which is actively maintained by our Research Team.
The Hague, July 21, 2025 – Last Friday, Eye Security’s research team, Eye Research, was the first to identify a critical zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770 and CVE-2025-53771), just as attackers began exploiting it at scale. Their findings have since been acknowledged globally, with organizations across sectors relying on Eye Security’s early warnings and support to recover within hours. The flaw allows attackers to take full control of vulnerable servers, giving them unrestricted access to sensitive business data, the ability to steal cryptographic material, install backdoors and move laterally through corporate networks. In many cases, this could result in data theft, ransomware attacks and prolonged breaches that remain undetected even after updates.
Mass Exploitation Uncovered by Eye Research
On the evening of July 18, Eye Research detected unusual activity on a customer’s on-premises SharePoint server. A malicious file had been uploaded, enabling exfiltration of cryptographic keys. These keys can be abused to bypass authentication and maintain persistent access to SharePoint environments, even after standard patching. During the triage, Eye Security learned it had stumbled upon a SharePoint 0-day used in the wild.
Following the discovery, Eye Research scanned over 8,000 publicly accessible SharePoint servers worldwide. The team identified dozens of compromised systems, confirming that attackers are conducting a coordinated mass exploitation campaign. Eye Security has since issued responsible disclosures to affected organizations and national CERTs, while working closely with partners in the global cybersecurity community to help mitigate the threat.
“This is not a theoretical risk. Attackers are already leveraging this vulnerability to deploy backdoors and steal sensitive data from SharePoint servers,” Eye Security said. “The potential consequences extend beyond SharePoint, as these servers often connect to core business systems such as email and file storage.”
Microsoft Confirms Active Exploitation
Microsoft has acknowledged the severity of the issue, naming it a critical 0-day with the identifier CVE-2025-53770. The company has published interim guidance to help organizations secure their environments.
Eye Security urges organizations running on-premises SharePoint to act without delay. Immediate assessment for compromise, isolation of affected servers and rotation of potentially exposed cryptographic keys are critical to containing the threat. Organizations are advised to engage experienced incident response teams to investigate and remediate breaches.
Rapid Response for Eye Security Customers
For Eye Security customers, the attack was stopped before it could cause damage. Our 24/7 SOC acted immediately, isolating affected systems and mitigating the issue. Follow-up investigations confirmed no further intrusions, keeping customer environments secure.
For further details and technical recommendations, see:
- Eye Research blog: SharePoint Under Siege – our detailed blog, cited by media outlets around the world
- Microsoft advisory on CVE-2025-53770
- Washington Post
- BleepingComputer
About Eye Security and Eye Research
Eye Research is part of Eye Security, a European cybersecurity company dedicated to protecting organizations against digital threats. The team includes seasoned cybersecurity professionals with extensive experience in both offensive and defensive operations, many with a background in national intelligence services. Their mission is to investigate emerging threats, analyze malware and vulnerabilities, and share real-world cyber incident insights through research publications. This work supports Eye Security’s 24/7 Managed Detection and Response (MDR) and incident response services, ensuring customers stay protected in an increasingly hostile digital landscape. To learn more about Eye Security and its services, visit eye.security.
Note to journalists
For more information, interviews or expert commentary, please contact:
Mara Jochem
mara.jochem@eye.security