Zero-Day SharePoint Hack Targets Governments, Businesses — Here’s What Counties Need to Know

A newly discovered security flaw in Microsoft SharePoint has triggered a wave of cyberattacks targeting governments, universities, and private organizations, including multiple US federal and state agencies.

The vulnerability, now designated CVE-2025-53770, allows attackers to gain complete, unauthenticated access to on-premises SharePoint servers, with the ability to read, delete, or manipulate internal content and configurations.

Microsoft SharePoint remains widely deployed by counties and other state and local governments to manage documents, internal workflows, and public-facing data.

The compromised servers often connect to systems like Outlook and Teams, raising broader concerns about access to sensitive data, credential harvesting, and the long-term integrity of the systems.

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the active exploitation of the vulnerability and added it to its catalog of Known Exploited Vulnerabilities on July 20.

The agency warns that even patched systems may remain vulnerable if attackers have already compromised them, emphasizing the importance of a rapid response and continuous monitoring.

CISA recommends deploying Microsoft Defender, enabling the Antimalware Scan Interface (AMSI), updating detection rules, reviewing recent POST requests for known exploit patterns, and auditing admin access and logging protocols.

The vulnerability affects only on-premises servers, not cloud-based Microsoft 365 deployments. Still, the scale of the breach — impacting federal systems, energy infrastructure, international telecom companies, and at least one eastern US state legislature — demonstrates how quickly a single vulnerability can escalate into a global crisis. Some agencies lost access to core public document repositories, while others face the possibility of persistent backdoors.

County governments should assess their systems, follow mitigation guidance, and prepare for the possibility of further escalation.

Visit the Microsoft website for technical details, detection tools, and ongoing updates.

CISA also recommends Eye Security’s reporting for detailed findings and more information.

Ransomware Reality: Communicating Through a Cyberattack – An Interactive Exercise

As ransomware and phishing threats continue to rise, this breach underscores the importance of robust internal coordination and pre-event planning. Clear communication during a cyber incident remains a serious challenge, especially when critical services go offline or public data is at risk.

At MACo’s Summer Conference, Ransomware Reality: Communicating Through a Cyberattack – An Interactive Exercise will put county leaders in the middle of a live cyber incident, navigating real-time decisions about resident alerts, internal coordination, and media response. The session will close with expert takeaways on what worked, what didn’t, and how to bolster county readiness.

MACo’s Summer Conference, “Resilient. Responsive. Ready.,” is August 13-16, 2025, at the Roland Powell Convention Center in Ocean City, Maryland. This year’s theme is “Funding the Future: The Evolving Role of Local Government.” For more information, please visit the conference website.
