Widespread exploitation of a Microsoft SharePoint zero-day hits organizations across Germany
Breaking: Widespread Exploitation of Microsoft SharePoint Zero-Day Vulnerability Affects German Organizations
A critical vulnerability in Microsoft's on-premises SharePoint software, tracked as CVE-2025-53770 and nicknamed "ToolShell," has been actively exploited worldwide since early July 2025. Over 4600 compromise attempts against more than 300 organizations have been observed globally, including targets in Germany.
According to recent reports, Germany ranks third worldwide in confirmed compromises, with 42 infected servers identified within the country. The USA has the highest share of confirmed cases at 18%, followed by Mauritius with 8%, and the UK, France, Spain, the Netherlands, and Italy with 4% each [1][2][3].
The attacks on SharePoint were strategically targeted, and criminal groups are now using the compromised SharePoint access as a foothold for potential ransomware attacks. Eye Security, a cybersecurity firm, warns that small and medium-sized businesses in Europe, particularly those running on-premises installations without continuous security monitoring, are increasingly becoming targets [4].
Lodi Hensen, VP Security Operations at Eye Security, stated that the attacks were not opportunistic. "The attackers knew what they were looking for," he said. The vulnerability in Microsoft's SharePoint software is affecting German companies, authorities, and educational institutions the most in Europe [1].
Microsoft attributes the first attacks to Chinese groups: Linen Typhoon, Violet Typhoon, and Storm-2603. The danger from these attacks is not over yet, and it is crucial for organizations to take immediate action [1][2][3].
Recommended Protection Measures for Small Businesses
- Immediate Patching and Updates: Microsoft has released patches for some affected SharePoint versions, but not yet for all. Small businesses should apply every available SharePoint security update immediately and watch for the remaining ones.
- Enable and Configure the Antimalware Scan Interface (AMSI): Microsoft advises turning on and properly configuring AMSI integration in SharePoint so that malicious scripts and payloads are detected and blocked.
- Isolation of SharePoint Servers: If patches are not yet available or cannot be applied immediately, disconnect SharePoint servers from the internet and from other untrusted networks where possible to reduce exposure.
- Harden Access Controls: Review and strengthen credentials, enforce multi-factor authentication (MFA), segment the network, and limit privileged access. Because the exploit can circumvent MFA, also monitor for suspicious activity that appears to bypass it.
- Monitor for Indicators of Compromise (IoCs): Use threat intelligence feeds from vendors such as Check Point or Trellix to track exploitation attempts. Watch for unusual access patterns, unknown webshells, and attempts to steal cryptographic keys.
- Backup and Incident Response Plans: Keep backups current and verify that restoration actually works. Be prepared for rapid incident response if compromise is suspected.
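As an added example (not from the article or any of the vendors it cites), here is a baseline-and-diff check for the "unknown webshells" item above: it hashes the server-side page files under a SharePoint layouts directory and reports anything added or altered since a known-good snapshot. The directory layout and sample files are constructed in a temporary folder so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Server-side page types an attacker-planted webshell in a SharePoint web root would use.
WATCHED_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def snapshot(root: str) -> dict[str, str]:
    """Map every watched file under root (as a relative POSIX path) to its SHA-256."""
    result = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def diff_against_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, changed, or vanished since the baseline was taken."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a clean baseline, then drop and alter pages in LAYOUTS."""
    with tempfile.TemporaryDirectory() as root:
        # Stands in for the real SharePoint hive path; the names below are made up.
        layouts = Path(root, "TEMPLATE", "LAYOUTS")
        layouts.mkdir(parents=True)
        (layouts / "settings.aspx").write_text("<%@ Page %> legitimate page")
        baseline = snapshot(root)
        (layouts / "unexpected.aspx").write_text("<%@ Page %> page that was never deployed")
        (layouts / "settings.aspx").write_text("<%@ Page %> legitimate page, altered")
        return diff_against_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice, take the baseline on a freshly patched, known-good server and store it off-box, then re-run the snapshot on a schedule and investigate every entry in "added" or "modified" that does not correspond to a deployment you made.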
Small businesses in Germany should coordinate with local cybersecurity authorities and draw on expert consultations, such as those offered by Check Point Research, to assess their exposure and implement protection tailored to their environments.
In summary, the SharePoint zero-day poses an urgent, critical risk to German organizations, small businesses included, because it is being exploited widely and grants attackers deep access. Immediate patching, server isolation, stronger malware defenses, and tighter access controls are essential to limit the impact.
[1] Microsoft Security Response Centre Blog (2025). Microsoft SharePoint zero-day vulnerability (CVE-2025-53770) under active exploitation
[2] Check Point Research (2025). CVE-2025-53770: Microsoft SharePoint Zero-Day Vulnerability Under Active Attacks
[3] Trellix (2025). Microsoft SharePoint Zero-Day Vulnerability (CVE-2025-53770) Under Active Exploitation
[4] Eye Security (2025). Microsoft SharePoint Zero-Day Vulnerability (CVE-2025-53770) Under Active Exploitation
To minimize the impact of the widespread exploitation of the Microsoft SharePoint zero-day vulnerability (CVE-2025-53770), German organizations must take immediate steps to secure their systems. This includes cybersecurity training for both technical and non-technical staff, so that everyone understands the risks and the practices that reduce them.
In response to growing concern about cybercrime, authorities should focus on policies that promote technology education and public-awareness initiatives recognizing the significance of cybersecurity for small businesses and the economy as a whole.