Microsoft is racing to contain a critical security flaw in its SharePoint collaboration software that has already been exploited by threat actors to infiltrate thousands of organisations globally.
The vulnerability, flagged by the Cybersecurity and Infrastructure Security Agency (CISA) over the weekend, enables unauthenticated attackers to gain full access to SharePoint content and execute remote code across affected networks.
Unlike many past incidents, this breach is not theoretical. It has already resulted in live attacks, according to security researchers.
With SharePoint serving as a backbone for document collaboration in enterprises worldwide, the flaw opens the door to widespread data exfiltration, credential theft, and the planting of backdoors.
Microsoft has issued patches for some affected versions, but not all systems are protected yet, particularly those running SharePoint Server 2016, which remains without a fix.
Vulnerability affects on-premises SharePoint servers, not Microsoft 365
According to an alert from Microsoft on Saturday, the vulnerability only affects on-premises SharePoint servers, sparing the company’s cloud-hosted Microsoft 365 platform.
However, many global businesses still rely on self-hosted versions of SharePoint, increasing the reach of the threat.
European cybersecurity firm Eye Security, which first detected the flaw, noted that hackers can impersonate users or services even after a patch is applied.
This makes the threat especially persistent and difficult to contain.
The attackers are exploiting the flaw to establish long-term access to enterprise systems, moving laterally across Microsoft services like Outlook and Teams, which are often integrated with SharePoint servers.
Microsoft and CISA issue urgent security patches and warnings
On Sunday, Microsoft released security fixes for two versions of the vulnerable SharePoint software, but confirmed that it was still developing a patch for the 2016 version.
The company has not yet provided further comment.
CISA’s official warning described the vulnerability as enabling “unauthenticated access to systems” and warned that it “poses a risk to organisations.”
The agency is still assessing the full scope and scale of the breach. Organisations that have not yet applied Microsoft’s patches are urged to do so immediately to mitigate potential compromise.
Palo Alto Networks confirmed that the exploit is “real, in-the-wild,” and poses a “serious threat.”
The company’s CTO and head of threat intelligence, Michael Sikorski, said attackers are already inside compromised systems and are exfiltrating data, stealing cryptographic keys, and installing persistent malware to maintain access.
Thousands of global entities likely affected by active exploitation
Researchers at Palo Alto Networks believe that thousands of organisations around the world have already been impacted.
Given the central role SharePoint plays in enterprise collaboration, compromised systems are not only leaking documents but are also exposing sensitive internal communications and login credentials.
Attackers are leveraging the vulnerability to impersonate legitimate users and navigate through connected services, allowing them to extract data or escalate privileges.
Even patched systems may remain vulnerable to impersonation attacks unless additional mitigation steps are taken.
The exploitation of SharePoint’s flaw follows a pattern seen in previous large-scale cyber intrusions, where initial entry points are used to compromise broader infrastructure.
Because the flaw allows remote code execution over the network, it further raises the risk of rapid propagation across internal systems.
Unrelated IT outage disrupts Alaska Airlines operations
In an unrelated incident, Alaska Airlines reported a brief halt in its ground operations for about three hours early Sunday due to an IT outage.
The carrier resumed operations around 2 am EST. There is no current evidence linking the outage to the ongoing SharePoint security issue.
However, the timing has heightened concerns about digital resilience in the transport and aviation sector, which frequently relies on Microsoft-based infrastructure for its operations.
The industry, like many others, is being urged to check for signs of compromise.
The post Microsoft SharePoint breach exposes global firms to data theft appeared first on Invezz