Microsoft is dealing with a high-stakes security mess. A zero-day vulnerability in its on-premises SharePoint servers is under active attack, and close to 100 organizations are already affected. This isn't theoretical. The exploit was live, unpatched, and fully weaponized before defenders could catch up.
Who’s affected?

Private companies, government bodies, and enterprise-level users, basically anyone running SharePoint Server in-house. The attackers are gaining full access to compromised systems, using the flaw to drop malware, create backdoors, or silently monitor internal networks. The breach opens the door to credential theft, data leaks, and long-term surveillance.
Quiet in, quiet out
What makes this different is the stealth. There’s no flashy ransomware screen. The exploit slips in, sets up shop, and stays hidden. In most cases, it’s only discovered after unusual behaviour triggers deeper investigation. By then, attackers may have been inside for days or weeks.
The bigger issue with On-Prem
This attack also exposes a major blind spot: the false sense of security around on-prem enterprise software. Many orgs think local equals safe. But patching delays, outdated systems, and misconfigurations make these setups easy targets. Cloud services may have their issues, but when on-prem breaks, it breaks quietly, and hard.
What you should do now
If your organization uses SharePoint Server (on-prem), assume you're at risk. Run a full security audit, apply the latest patches, rotate access credentials, and check logs for signs of tampering. Waiting for “confirmed breach” alerts is not an option, the attackers won’t leave calling cards.
Patches are out (Sort Of)
Microsoft has started rolling out security updates, but not all versions are covered yet. That means many systems remain exposed. If you can’t patch immediately, isolate vulnerable machines and limit external access until a fix is available.
This breach is a clear reminder: sophisticated attackers are watching for slow movers. They don’t need to break the front door, they’ll wait for a side window to rust open. If you’re running legacy infrastructure, there’s no excuse to delay updates.