Four critical zero-day vulnerabilities have been discovered in SharePoint Server 2016, 2019, and Subscription Edition. They allow unauthenticated attackers to take control of affected servers remotely. Critically, when two of these vulnerabilities are chained, attackers can gain deep access to the system and maintain long-term persistence. This creates an "ideal environment" for Advanced Persistent Threat (APT) campaigns aimed at espionage, data theft, or encrypting sensitive data for extortion.
These vulnerabilities are already being actively exploited in multiple countries. At least 85 SharePoint servers have been implanted with malicious web shells, affecting 29 organizations worldwide. Victims include several multinational corporations and government agencies, among them the U.S. National Nuclear Security Administration (NNSA).
In Vietnam, SharePoint Server is widely used for document management in government agencies, organizations, and large enterprises in the technology and financial sectors. Although no domestic incidents have been recorded so far, the risk of exploitation is considered very high, especially for organizations running on-premises SharePoint Server deployments that have not been patched promptly. Attacks may also originate from inside the internal network, using techniques that are difficult to detect: attackers can quietly compromise a single workstation, then scan the network, expand their control, and gradually take over the entire system.
APT groups often seize such opportunities—when unpatched vulnerabilities exist—to infiltrate and maintain long-term presence. Bkav strongly urges system administrators to urgently review and tighten internal access rights to block potential insider threats.
For ministries or agencies that have granted access permissions to local units, it is essential to immediately review and restrict these rights if the system has not been patched or adequately mitigated. Patches for these vulnerabilities should be applied as soon as possible.
Organizations should also strengthen monitoring: restrict access to SharePoint from outside the organization, deploy a Web Application Firewall (WAF) in front of the servers, review web server and system access logs for anomalies, and set up early-warning mechanisms for suspicious activity such as newly created script files in the SharePoint web directories.
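Because the observed intrusions left web shells on the compromised servers, one concrete check an administrator can run while waiting for patches is to look for recently created or modified server-side script files in SharePoint's LAYOUTS directory and correlate any finds with the IIS request logs. The script below is an added example, not Bkav's or Microsoft's code. It assumes a default SharePoint 2016/2019/Subscription Edition installation path (the `16` hive), the default IIS log location, and that it is run in an elevated PowerShell session on the server itself; the list of suspicious tokens is a heuristic chosen for this example, not an official indicator list.

```powershell
# Added example (not from the original article): hunt for web-shell-like files
# dropped into the SharePoint LAYOUTS directory and correlate them with IIS logs.
# Assumptions: default SharePoint install path (16 hive), default IIS log path,
# run as administrator on the SharePoint server.
param(
    [string]$LayoutsPath = "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    [string]$IisLogDir   = "C:\inetpub\logs\LogFiles",
    [int]$Days           = 30
)

# Heuristic tokens: legitimate LAYOUTS pages rarely contain these, web shells often do.
$SuspiciousTokens = @(
    'Process\.Start', 'cmd\.exe', 'powershell',
    'Assembly\.Load', 'Request\.Form', 'Request\[',
    'MachineKey', 'ValidationKey', 'eval\('
)
$Pattern = $SuspiciousTokens -join '|'
$cutoff  = (Get-Date).AddDays(-$Days)

# Step 1: script files created or modified inside the look-back window.
$recent = Get-ChildItem -Path $LayoutsPath -Recurse -File `
            -Include *.aspx, *.ashx, *.asmx, *.svc -ErrorAction SilentlyContinue |
          Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff }

# Step 2: grep each candidate for suspicious tokens.
$findings = foreach ($f in $recent) {
    $matches = Select-String -Path $f.FullName -Pattern $Pattern -AllMatches -ErrorAction SilentlyContinue
    [pscustomobject]@{
        File       = $f.FullName
        Created    = $f.CreationTime
        LastWrite  = $f.LastWriteTime
        SizeBytes  = $f.Length
        Suspicious = [bool]$matches
        Tokens     = ($matches | ForEach-Object { $_.Matches.Value } | Sort-Object -Unique) -join ','
    }
}

# Step 3: for suspicious files, find who requested them. LAYOUTS is served under
# /_layouts/15/ on SharePoint 2016 and later; IIS W3C logs record the URI stem.
$requests = foreach ($hit in ($findings | Where-Object Suspicious)) {
    $leaf = [regex]::Escape((Split-Path -Leaf $hit.File))
    Get-ChildItem -Path $IisLogDir -Recurse -Filter *.log -ErrorAction SilentlyContinue |
        Select-String -Pattern "/_layouts/15/$leaf" -ErrorAction SilentlyContinue |
        ForEach-Object {
            # W3C default field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
            # cs-username c-ip cs(User-Agent) ... ; adjust indices if the site uses custom fields.
            $cols = $_.Line -split ' '
            [pscustomobject]@{
                ShellFile = $hit.File
                When      = "$($cols[0]) $($cols[1])"
                Method    = $cols[3]
                UriStem   = $cols[4]
                ClientIP  = $cols[8]
                LogFile   = $_.Path
            }
        }
}

"== Recently changed script files in LAYOUTS (last $Days days) =="
$findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize

"== Requests to suspicious files found in IIS logs =="
$requests | Sort-Object When | Format-Table -AutoSize
```

A file flagged here is a lead, not proof: compare it against change records and a clean reference installation before treating it as a web shell, and preserve the file and the matching log lines for incident response rather than deleting them. If the server has been patched already, the same check is still worth running, since a shell planted before patching survives the update.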
For units without a dedicated information security team, it is advised to proactively contact incident response centers for timely consultation and support.
SharePoint Server is Microsoft’s enterprise document management and collaboration platform. It enables centralized storage, sharing, search, and management of documents, as well as building internal websites (Intranet), corporate portals, and deep integration with Microsoft Office and Microsoft 365 to improve teamwork efficiency.
Bkav