Prevent Ransomware Blog

Unpatched SharePoint Zero-Day Breaches 75+ Company Servers

Written by Tony Chiappetta | Jul 24, 2025 9:00:00 AM

SharePoint Zero-Day Exploited: Over 75 Organizations Breached

A newly disclosed zero-day vulnerability in Microsoft SharePoint is being actively exploited in the wild—and it's already hit more than 75 companies.

According to The Hacker News, attackers are leveraging a critical remote code execution (RCE) flaw that affects multiple on-premises SharePoint versions and lets them run code on the server without authentication and without any user interaction.

What makes this incident especially alarming is that the exploitation is succeeding on servers that already have traditional defenses in place: antivirus, endpoint detection and response (EDR), and intrusion prevention systems (IPS) did not stop the initial compromise.

This is yet another real-world example where “Detect and Respond” strategies prove too slow—or worse, blind—against fast-moving exploits.

What Happened

The vulnerability, tracked as CVE-2025-53770, affects on-premises SharePoint Server 2016, 2019 and Subscription Edition; SharePoint Online is not affected. It is a deserialization flaw in how SharePoint handles a specially crafted request, and attackers are using it to upload and execute arbitrary code on the server without authenticating first.

When exploitation was first reported, no patch was available; Microsoft's advisory acknowledged active exploitation and published interim mitigations (enable AMSI integration in SharePoint and run Defender Antivirus on the server, or take the server off the internet). Emergency updates have since shipped, but a mitigation or patch applied after compromise does not evict an attacker who is already inside: this campaign steals the server's ASP.NET machine keys, so Microsoft also advises rotating those keys and restarting IIS after updating. None of this addresses future variants or zero-days aimed at the same attack surface.

Among the 75+ affected organizations, attackers planted web shells and followed up with remote access trojans (RATs), credential stealers, and command-and-control (C2) frameworks, effectively gaining full control over internal systems without triggering conventional alarms.
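Whatever prevention layer you run, the first thing a SharePoint administrator will want after reading this is a way to check whether their own server has already been hit. The following is an added example, not code from the original post or from any vendor mentioned in it. It scans an IIS W3C log for the request pattern Microsoft published for this campaign: an unauthenticated POST to ToolPane.aspx with a Referer of SignOut.aspx, plus any fetch of the web shell file name observed in the attacks. The log lines, hostnames and IP addresses below are constructed for the example; on a real server you would feed it the files under the site's IIS log directory.

```python
"""Hunt an IIS W3C log for the SharePoint "ToolShell" request pattern.

Added example (not from the original post). The sample log is constructed;
the two indicators are the ones Microsoft published for this campaign:
  * an unauthenticated POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
    whose Referer is /_layouts/SignOut.aspx
  * requests for spinstall0.aspx, the web shell dropped on victims
"""
import re

# Constructed IIS log in W3C extended format with the default field set.
# Record 2 is the published exploitation signature (no username, odd Referer).
# Record 3 is a fetch of the known web shell name.
# Record 4 is a normal, authenticated page edit and must NOT be flagged:
# ToolPane.aspx POSTs are legitimate when a logged-in user edits a page.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-19 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 08:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 https://sp.corp.local/sites/hr 200 0 0 123
2025-07-19 08:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 87
2025-07-19 08:02:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2025-07-19 08:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.21 Mozilla/5.0 https://sp.corp.local/sites/hr/SitePages/Home.aspx 200 0 0 210
"""

TOOLPANE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT = re.compile(r"/_layouts/(1[56]/)?signout\.aspx$", re.IGNORECASE)
WEBSHELL_NAMES = {"spinstall0.aspx"}  # published IoC; extend with your own


def parse_w3c(text):
    """Yield (line_number, record_dict) for each data line of a W3C log.

    The column layout is taken from the '#Fields:' directive rather than
    assumed, because IIS lets administrators change the logged fields.
    """
    fields = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        tokens = line.split()  # IIS encodes spaces inside values as '+'
        if len(tokens) != len(fields):
            continue  # truncated/malformed record: skip rather than guess
        yield lineno, dict(zip(fields, tokens))


def classify(rec):
    """Return a rule name if the record matches a campaign indicator."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "")
    if (method == "POST" and TOOLPANE.search(stem)
            and "displaymode=edit" in query and SIGNOUT.search(referer)):
        return "toolshell-toolpane-post"
    if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
        return "known-webshell-path"
    return None


def hunt(text):
    """Scan a whole log and return the matching records with context."""
    findings = []
    for lineno, rec in parse_w3c(text):
        rule = classify(rec)
        if rule:
            findings.append({
                "line": lineno,
                "rule": rule,
                "client": rec.get("c-ip"),
                "user": rec.get("cs-username"),
                "stem": rec.get("cs-uri-stem"),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A hit on the first rule means the server was at least probed with the working exploit; treat it as a compromise until proven otherwise, because the payload runs before any response is logged. Note that the rule deliberately keys on the combination of method, path, query and Referer rather than on ToolPane.aspx alone: the last record in the sample is an ordinary authenticated page edit and is correctly left alone.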

Why Detection-Based Defenses Keep Failing

“Detect and Respond” assumes that malware or attacker behavior will be recognizable after it reaches your system, and that someone will act on the alert in time. This model breaks down in several scenarios:

  • Zero-days: No known signature or behavior pattern exists, so detection tools often miss them.

  • Fileless malware: Executes directly in memory or via legitimate processes like PowerShell.

  • Bypassed alerts: Sophisticated attackers disable logging or alerting mechanisms as soon as they gain access.

  • Speed of execution: Many attacks unfold in seconds—far faster than SOC analysts can react.

Despite all the investment in next-gen antivirus and AI-powered EDR tools, attackers still routinely bypass them—especially when targeting critical infrastructure like SharePoint, which sits at the heart of internal business workflows.

Isolation and Containment: A Smarter Approach

AppGuard offers a proven alternative: prevention without detection. Instead of waiting for something to go wrong and then racing to fix it, AppGuard silently enforces a zero-trust model at the endpoint. It stops unauthorized processes from executing, even when they are disguised as legitimate programs or launched from a trusted process that has been exploited through an unpatched flaw like this SharePoint RCE.

Here’s what makes AppGuard fundamentally different:

  • No dependence on signatures or behavior patterns

  • Stops attacks at the execution level—before they spread

  • Continues working even when a vulnerability is unknown or unpatched

  • Minimal alerts, reducing SOC fatigue and overhead

This SharePoint zero-day is just the latest reminder: we don’t need more alarms—we need automated containment. AppGuard delivers exactly that.

You Can’t Patch Fast Enough. You Can Prevent Now.

If your business relies on Microsoft SharePoint, and most do, this latest breach proves that even your most trusted systems can become attack vectors overnight. By the time you hear about the zero-day, the attackers have already moved in.

AppGuard provides a commercial-grade defense with a 10-year track record of success in mission-critical environments, now available to businesses of all sizes.

Talk with CHIPS about How AppGuard Can Protect You

Business owners: don't wait for the next zero-day to test your defenses. Talk with us at CHIPS about how AppGuard can protect your systems by isolating and containing threats—before they ever get a chance to cause harm.

Make the shift from “Detect and Respond” to “Isolation and Containment”—and stay one step ahead of attackers, no matter how advanced their tactics.

Let us help you prevent what others still struggle to detect.
Contact CHIPS today to learn more about AppGuard.
