
Microsoft SharePoint Zero-Day Exploitation: What Public Sector Leaders Should Know

Last updated on Nov 15, 2025

The Rapid7 September 2025 Threat Report highlights active exploitation of a critical Microsoft SharePoint vulnerability, CVE-2025-53770. This zero-day attack is being used by threat actors to gain initial access to victim networks, with exploitation observed in government as well as multiple other industries.

SharePoint remains a widely deployed collaboration platform in federal, state, and local agencies, which makes this vulnerability an urgent concern for public sector organizations. The combination of its ubiquity and its handling of sensitive data makes it a prime target. Recent reporting shows attackers are moving fast to take advantage of this flaw, and many agencies faced tight deadlines this summer to apply mitigations under federal directives.

This isn’t the first time SharePoint has been targeted. Earlier this year, we analyzed this exploitation in depth in a previous blog. The September threat report now confirms that nefarious activity has accelerated, with attackers demonstrating a high level of interest in leveraging this vector against both commercial and government entities.

Why public sector agencies should pay close attention

Government systems are uniquely attractive targets. Agencies hold sensitive citizen data, manage critical infrastructure, and often operate under resource constraints that slow down patching cycles. SharePoint’s integration across agencies makes it a high-value target: compromise of a single system can quickly escalate into broader access.

According to reporting, agencies had to scramble this summer to meet remediation deadlines set by the Cybersecurity and Infrastructure Security Agency (CISA). For state and local organizations without the same centralized directives, the challenge is even greater: many remain vulnerable while attackers continue to scan for and exploit exposed SharePoint servers globally. Cumulatively, we know that:

  • Exploitation is ongoing. Threat actors continue to weaponize the vulnerability, with automated scanning campaigns followed by hands-on-keyboard activity once they gain access.

  • Targets are broad. Government, education, and healthcare organizations are among those most at risk due to widespread SharePoint use.

  • Post-exploitation tactics are consistent. Attackers are using the foothold to deploy web shells, move laterally, and harvest credentials, setting the stage for ransomware or data theft.

These key takeaways reinforce the urgency for public sector defenders to validate their exposure and strengthen monitoring.

Steps agencies can take now

To reduce risk and build resilience against SharePoint exploitation, public sector security teams should prioritize the following.

  1. Patch or mitigate immediately. If you haven’t yet applied Microsoft’s security update for CVE-2025-53770, this is your top priority. For systems that cannot be patched quickly, apply CISA’s published workarounds.

  2. Validate exposure. Use exposure management practices to confirm which systems are internet-facing and whether compensating controls are in place – visibility into your true attack surface is absolutely critical.

  3. Hunt for signs of compromise. Review logs for unusual authentication attempts, web shell activity, or anomalous SharePoint process behavior. Rapid7 managed detection and response (MDR) customers benefit from proactive threat hunts that specifically look for exploitation indicators in environments like SharePoint.

  4. Strengthen detection and response. Public sector agencies often lack 24/7 monitoring resources. MDR services can act as a force multiplier, helping agencies contain threats before they escalate.

Looking ahead

Attackers are opportunistic – as long as SharePoint remains essential to public sector collaboration, it will remain a target. By applying patches quickly, validating exposures, and investing in continuous detection, agencies can reduce the likelihood that a SharePoint compromise becomes a larger breach.

The threat report provides a deeper dive into the tactics we’re observing and recommendations for defense. For public sector leaders, this is a chance to take stock of current defenses, pressure-test monitoring, and ensure that your agency is positioned to withstand active exploitation campaigns.

Stay ahead of these threats. Read the full Rapid7 September 2025 Threat Report for a complete analysis and practical guidance.
