Security researchers say Microsoft customers should take immediate action to defend against the ongoing cyberattacks, and must assume they have already been compromised.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an alert, said it's aware of active exploitation of CVE-2025-53770, which enables unauthenticated access to SharePoint systems and arbitrary code execution over the network.

Microsoft also has issued a patch for a related SharePoint vulnerability — CVE-2025-53771; Microsoft says there are no signs of active attacks on CVE-2025-53771, and that the patch is to provide more robust protections than the update for CVE-2025-49706.

The hackers behind the initial wave of attacks exploiting a zero-day in Microsoft SharePoint servers have so far primarily targeted government organizations, according to researchers and news reports.

Active SharePoint exploits since July 7 target governments and tech firms globally, risking key theft and persistent access.

More information has emerged on the ToolShell SharePoint zero-day attacks, including impact, victims, and threat actors.

Providing additional updates on the breach, Microsoft said in a blog post on Tuesday that two Chinese nation-state operators, Linen Typhoon and Violet Typhoon, exploited vulnerabilities in the internet-facing SharePoint servers.

A security patch released by Microsoft earlier this month failed to fully fix a critical flaw in the U.S. tech company's SharePoint server software that had been identified at a hacking competition in May,