
U.S. and German Agencies Among Victims in Major Microsoft Server Breach

A large-scale cyberattack exploiting a critical flaw in Microsoft’s SharePoint server software has compromised around 100 organizations globally, according to cybersecurity researchers.

The hack, which began before the weekend, targeted self-hosted versions of SharePoint, Microsoft’s widely used document sharing and collaboration platform.

Microsoft confirmed the attacks on Saturday and urged customers to install available security updates immediately. Cloud-based SharePoint systems hosted by Microsoft were not affected.

The attack is being classified as a “zero-day” exploit, meaning it was carried out using a previously unknown software vulnerability. Experts say hackers used this flaw to gain unauthorized access and potentially plant backdoors, allowing long-term control over infected systems.

The Netherlands-based cybersecurity firm Eye Security was one of the first to detect the breach. Its chief hacker, Vaisha Bernard, said that scans conducted with the Shadowserver Foundation revealed at least 100 affected organizations—mainly in the United States and Germany—including government bodies. The full extent of the compromise could grow as more systems are examined.

“It’s unambiguous,” Bernard said, warning that other hackers may have already taken advantage of the same flaw. A Shadowserver spokesperson added that the number of vulnerable servers online could exceed 9,000 globally.

The U.S. Federal Bureau of Investigation (FBI) said it is aware of the situation and working closely with public and private sector partners. Britain’s National Cyber Security Centre also acknowledged a limited number of targets in the UK.

While Microsoft did not name the hackers involved, Google’s threat analysis team linked some of the activity to a China-based group. The Chinese Embassy in Washington has not responded, but Beijing typically denies involvement in cyber espionage.

Cybersecurity experts warn that even with patches in place, affected organizations must take further steps to fully secure their systems. “Just applying the patch isn’t all that is required,” said Daniel Card of UK-based PwnDefend, noting the potential scale of the compromise.

Thousands of entities—including banks, healthcare providers, industrial firms, and government agencies—could still be at risk if they have not yet updated or investigated their systems.

Sazid Kabir
