Hundreds of organizations around the world suffered data breaches this week, as an array of hackers rushed to exploit a recently discovered vulnerability in older versions of the Microsoft file-sharing tool known as SharePoint. The string of breaches adds to an already urgent and complex dynamic: Institutions that are longtime SharePoint users can face increased risk by continuing to use the service, just as Microsoft is winding down support for a platform in favor of newer cloud offerings.
Microsoft said on Tuesday that, in addition to other actors, it has seen multiple China-linked hacking groups exploiting the flaw, which is specifically present in older versions of SharePoint that are self-hosted by organizations. It does not impact the newer, cloud-based version of SharePoint that Microsoft has been encouraging customers to adopt for many years. Bloomberg first reported on Wednesday that one of the victims is the United States National Nuclear Security Administration, which oversees and maintains US nuclear weapons.
“On-premises” or self-managed SharePoint servers are a popular target for hackers, because organizations often set them up such that they are exposed on the open internet and then forget about them or don’t want to allocate budget to replace them. Even if fixes are available, the owner may neglect to apply them. That’s not the case, though, with the bug that sparked this week’s wave of attacks. While it relates to a previous SharePoint vulnerability discovered at the Pwn2Own hacking competition in Berlin in May, the patch that Microsoft released earlier this month was itself flawed, meaning even organizations that did their security diligence were caught out. Microsoft scrambled this week to release a fix for the fix, or what the company called “more robust protections” in its security alert.
“At Microsoft, our commitment—anchored in the Secure Future Initiative—is to meet customers where they are,” said a Microsoft spokesperson in an emailed statement. “That means supporting organizations across the full spectrum of cloud adoption, including those managing on-premises systems.”
Microsoft still supports SharePoint Server versions 2016 and 2019 with security updates and other fixes, but both will reach what Microsoft calls “End of Support” on July 14, 2026. SharePoint Server 2013 and earlier have already reached end of life and receive only the most critical security updates through a paid service called “SharePoint Server Subscription Edition.” As a result, all SharePoint server versions are increasingly part of a digital backwater where the convenience of continuing to run the software comes with significant risk and potential exposure for users—particularly when SharePoint servers sit exposed on the internet.
“Years ago, Microsoft positioned SharePoint as a more secure replacement for old school Windows file-sharing tools, so that’s why organizations like government agencies invested in setting up those servers. And now they just run at no additional cost, versus a Microsoft365 subscription in the cloud that involves a subscription,” says Jake Williams, a longtime incident responder who is vice president of research and development at Hunter Strategy. “So Microsoft tries to nudge the holdouts by charging for extended support. But if you are exposing a SharePoint server to the internet, I would emphasize that you also have to budget for incident response, because that server will eventually get popped.”
