Microsoft Server Hack Hits 100 Organizations: SharePoint Vulnerability Exposes Critical Systems

The Microsoft server hack has affected nearly 100 organizations across sectors including finance, healthcare, government, and industrial services. Researchers say the attack exploited a zero-day vulnerability in Microsoft’s on-premises SharePoint Server, allowing the threat actor to gain long-term, unauthorized access.

Discovered by Eye Security and confirmed by Shadowserver Foundation, the breach is now considered one of the most serious Microsoft-related cyber incidents of 2025. 

Key Takeaways

  • The Microsoft server hack exploited a zero-day RCE flaw (CVE-2025-23333) in SharePoint Server 2019.
  • Nearly 100 organizations across critical sectors were compromised.
  • SharePoint Online is not affected; only on-premises installations are vulnerable.
  • Evidence points to China-linked APT groups like Hafnium and Volt Typhoon.
  • Organizations must patch, rotate credentials, and conduct full system audits.

What Happened

The breach targeted a critical vulnerability in Microsoft SharePoint Server 2019, identified as CVE-2025-23333. This is a remote code execution (RCE) flaw: an attacker who can reach the server over the network can run arbitrary code on it without any user interaction and without valid credentials. From that foothold the attacker can escalate privileges, move to other systems, and install stealthy malware to keep control even after the initial entry point is closed.

This specific attack began in May 2025, though it wasn’t discovered or disclosed until mid-July. By that time, the backdoors had been active for weeks—possibly months—within government networks, industrial firms, and healthcare systems. Microsoft released an emergency security update to patch the flaw, but many organizations had already been compromised.

Worryingly, in some environments the attackers also extracted the server's cryptographic keys. For SharePoint these are the ASP.NET machine keys that sign and encrypt server-side state; whoever holds them can craft requests the server trusts, so a backdoor can be re-established after the patch is applied. Patching therefore has to be followed by rotating those keys (and restarting IIS), rotating other credentials, and auditing the server. Security experts recommend treating every exposed system as compromised, not merely vulnerable.

Who Is Behind the Attack?

Microsoft has not formally attributed the breach, but several cybersecurity researchers believe the tactics match previous campaigns run by state-backed Chinese groups.

The evidence includes:

  • IP traffic traced to China-based infrastructure
  • Use of custom malware loaders not seen in previous cybercrime incidents
  • Exploitation methods similar to Hafnium, which targeted Microsoft Exchange in 2021
  • Persistence techniques also linked to Volt Typhoon, known for infiltrating U.S. critical infrastructure

The campaign appears to be driven by espionage rather than financial gain. This is a hallmark of advanced persistent threat (APT) groups, which quietly maintain access and harvest sensitive data over time.

Which Sectors Were Targeted?

The breach has affected a wide range of high-value organizations, including:

  • Government departments and defense contractors
  • Energy and manufacturing firms
  • Healthcare providers and hospital networks
  • Financial institutions and auditors

Most confirmed victims are based in the United States and Germany, but threat analysts warn the attack may be broader in scope. Over 8,000 on-prem SharePoint servers are currently exposed online, putting thousands of global entities at risk.

SharePoint Online Users Are Safe

If your organization uses SharePoint Online through Microsoft 365, you’re not impacted. The attack specifically targeted self-hosted (on-prem) SharePoint Server 2019 installations.

SharePoint Online is operated and patched by Microsoft, so there is no customer-managed server to leave unpatched, and the exploited on-premises code was not reachable there.

What Should Organizations Do

Microsoft has released an emergency patch for CVE-2025-23333. But patching alone may not be enough.

Here are the recommended steps:

  • Apply the latest Microsoft security update immediately
  • Assume compromise if your SharePoint Server was publicly accessible prior to patching
  • Rotate all user credentials, API tokens, and cryptographic keys, including the server's ASP.NET machine keys; do the rotation after the patch is installed, since keys rotated on an unpatched server can simply be stolen again
  • Conduct a full forensic analysis to detect malware and lateral movement
  • Monitor logs and outbound traffic for unusual activity
  • Engage an incident response team if you detect signs of deeper compromise
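The log-review and malware-hunting steps above are the ones a responder would script first. What follows is an added example written for this article, not tooling from Microsoft, Eye Security or Shadowserver: it parses IIS W3C logs (the default log format for SharePoint web applications) and flags anonymous POST requests to /_layouts/ pages that nevertheless succeeded, grouped by client address, and it lists server-side pages that were modified after a chosen cut-off, which is how dropped web shells usually show up. The log excerpt, the address ranges treated as internal and the temporary directory standing in for the LAYOUTS folder are all constructed assumptions.

```python
"""Triage helpers for an on-prem SharePoint server that was internet-facing
before it was patched.  Added example for this article (not vendor code).
Assumes IIS W3C extended logging, the default for SharePoint web
applications; IIS writes spaces inside a field as '+', so whitespace
splitting is safe.
"""
import ipaddress
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone

# Constructed log excerpt; no real traffic.  Field order follows the
# "#Fields:" header exactly as IIS emits it.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 02:14:03 10.0.0.5 GET /sites/finance/default.aspx - 443 CORP\alice 10.0.1.20 Mozilla/5.0 200
2025-07-18 02:15:41 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-18 02:15:42 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.7 python-requests/2.32 200
2025-07-18 02:16:10 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\bob 10.0.1.31 Mozilla/5.0 200
2025-07-18 02:17:55 10.0.0.5 POST /_layouts/15/other.aspx - 443 - 198.51.100.9 curl/8.4 401
"""

# Assumption: these are the organisation's own address ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def parse_w3c(text):
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header can repeat mid-file after an IIS restart
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))   # malformed lines are skipped, not fatal
    return rows


def is_external(ip):
    """True when the client address is outside INTERNAL_NETS (or unparsable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_layouts_posts(rows):
    """Successful (2xx) POSTs to /_layouts/ pages with no authenticated user.

    Legitimate users POST to /_layouts/ pages all day, but as a known
    account; an anonymous client that gets a 2xx there deserves a look.
    """
    return [r for r in rows
            if r["cs-method"] == "POST"
            and "/_layouts/" in r["cs-uri-stem"].lower()
            and r["cs-username"] == "-"
            and r["sc-status"].startswith("2")]


def summarize_by_ip(hits):
    """Group hits by client IP: request count, external flag, pages touched."""
    out = {}
    for r in hits:
        entry = out.setdefault(r["c-ip"],
                               {"count": 0, "external": is_external(r["c-ip"]), "paths": set()})
        entry["count"] += 1
        entry["paths"].add(r["cs-uri-stem"])
    return out


def recently_modified_aspx(root, since):
    """List .aspx/.ashx/.asmx files under `root` modified after `since` (UTC).

    Point this at the web application's LAYOUTS folder: pages that appeared
    after the exposure window, or that are not part of the product, need review.
    """
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".aspx", ".ashx", ".asmx")):
                path = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                if mtime > since:
                    found.append(path)
    return sorted(found)


def demo_file_scan():
    """Constructed stand-in for LAYOUTS: one week-old page, one dropped today."""
    root = tempfile.mkdtemp()
    old, new = os.path.join(root, "known.aspx"), os.path.join(root, "dropped.aspx")
    for path in (old, new):
        with open(path, "w") as fh:
            fh.write("<%@ Page %>")
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))
    since = datetime.now(timezone.utc) - timedelta(days=1)
    return [os.path.basename(p) for p in recently_modified_aspx(root, since)]


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_IIS_LOG)
    for ip, info in summarize_by_ip(suspicious_layouts_posts(rows)).items():
        print(f"{ip}: {info['count']} anonymous POST(s), external={info['external']}, "
              f"pages={sorted(info['paths'])}")
    print("recently modified pages:", demo_file_scan())
```

On a real server, feed parse_w3c the files under the IIS log directory (typically %SystemDrive%\inetpub\logs\LogFiles\W3SVC<site-id>\) and run recently_modified_aspx against the LAYOUTS folder of the SharePoint hive (typically ...\Web Server Extensions\16\TEMPLATE\LAYOUTS), with `since` set to the start of the exposure window. An anonymous, successful POST from an address outside your ranges is not proof of compromise on its own, but it is exactly the request pattern to pivot on when you then look at process creation, new scheduled tasks and outbound connections from the same timeframe.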

Security agencies, including the FBI, CISA, and NCSC, are currently coordinating response efforts with affected organizations.

Frequently Asked Questions (FAQs)

What is the Microsoft server hack?
It’s a cyberattack that exploited CVE-2025-23333, a critical flaw in Microsoft SharePoint Server, allowing attackers to install backdoors and access sensitive systems.

Is SharePoint Online affected by this breach?
No. The vulnerability only affects self-hosted SharePoint Server 2019. SharePoint Online in Microsoft 365 is not affected.

Who discovered the breach?
The breach was first reported by Eye Security and Shadowserver Foundation, and later confirmed by Microsoft.

Is the attack linked to a specific group?
Yes, analysts suggest the tactics match those used by China-linked APTs like Hafnium and Volt Typhoon.

How should affected organizations respond?
Apply all patches, rotate credentials, scan systems for hidden malware, and engage professional cybersecurity teams for further investigation.

In short, the Microsoft server hack is a 2025 campaign in which attackers exploited a SharePoint Server vulnerability to infiltrate nearly 100 organizations worldwide. If you run SharePoint on-premises, patch now, rotate credentials and keys, and check for signs of compromise.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
