
Critical Microsoft SharePoint Zero-Day Exploited in Targeted Attacks Since July 2025
A critical zero-day vulnerability in Microsoft SharePoint has been actively exploited since July 7, 2025, according to research by Check Point. The initial exploitation attempts targeted an unspecified major Western government, with intensified activity observed on July 18 and 19, affecting government, telecommunications, and software sectors. The attackers successfully exfiltrated encryption keys and established persistent access within compromised networks.
Microsoft SharePoint is a widely used collaborative platform integrated with Microsoft Office, which makes it a high-value target for cybercriminals and state-sponsored actors. The fact that this was a zero-day vulnerability, one exploited before a patch was available, underscores the critical nature of the flaw. The attackers' ability to steal encryption keys and maintain persistent access points to a sophisticated threat actor, potentially capable of lateral movement within networks and privilege escalation.
The targeted sectors (government, telecommunications, and software) are high-value targets, which suggests motives such as espionage or intellectual property theft. The timing of the increased exploitation attempts on July 18 and 19 may indicate a coordinated campaign, possibly following initial reconnaissance and exploitation phases.
From a cybersecurity perspective, this incident highlights the importance of robust patch management processes so that fixes are applied promptly once released, even though zero-day vulnerabilities by definition lack patches at the time of exploitation. Organizations should prioritize network segmentation to limit lateral movement, enhance monitoring for unusual activity, and conduct thorough incident response investigations if compromise is suspected. Additionally, the theft of encryption keys emphasizes the need for robust key management practices, including regular key rotation and secure storage.
The impact on the cybersecurity landscape is significant, as it demonstrates the ongoing threat posed by zero-day vulnerabilities in widely used enterprise software. It also underscores the need for continuous monitoring and threat intelligence sharing to detect and mitigate such threats promptly.
In conclusion, this incident serves as a stark reminder of the evolving threat landscape and the importance of proactive cybersecurity measures. Organizations using SharePoint should remain vigilant, apply patches as soon as they become available, and review their security posture to mitigate the risk of similar attacks.