
Microsoft SharePoint Zero-Day Vulnerability Exploited: IP Addresses Identified

  • usareisende
  • Jul 23

Microsoft SharePoint is a very popular document management platform. As part of the Microsoft ecosystem, it is relatively easy to integrate and allows faster collaboration among members, especially when working on a shared document. It’s also the choice for many businesses and other institutions, especially SharePoint Online, where users can take advantage of the cloud to share and collaborate.

 

SharePoint handles sensitive information that is critical to the success of the organizations that use it. Because of this role, it can be a target of attacks.

 

According to The Hacker News, a zero-day vulnerability was exploited by hackers for more than a week before its discovery. The attack on the vulnerability commenced on July 7, 2025, and has targeted various businesses and institutions.

 

Nature of Vulnerability and Source of Attack

 

The attack was discovered by Check Point Research. The exploit targets a Remote Code Execution (RCE) vulnerability in SharePoint that allows hackers to remotely access data without detection. According to the report, “this vulnerability affects on-premise Microsoft SharePoint servers, allowing unauthenticated attackers to gain full access and execute arbitrary code remotely.” These attacks were also believed to be persistent, which means the attackers can continue to access SharePoint servers unless a security patch is implemented.

 

The attacks primarily came from the following IP addresses: 104.238.159.149, 107.191.58.76, and 96.9.125.147. Activity from these IP addresses has primarily targeted government institutions and software and communication companies. The US, Canada, and select European countries have been the main targets.

 

One of the IP addresses was also involved in an attack targeting Ivanti Endpoint Manager Mobile. As the name suggests, this is a security manager that focuses on securing mobile devices for enterprise use. The continuing attacks on various enterprise-focused tools suggest that the operators behind these IP addresses are keen on finding vulnerabilities in larger sectors.
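
As an added example (not from the original article or from Check Point's report), the following Python script checks IIS W3C access logs from a SharePoint front end for requests from the three addresses listed above. The log lines, URLs, and other addresses in it are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Source addresses named in the article above.
REPORTED_SOURCES = {
    ipaddress.ip_address(a)
    for a in ("104.238.159.149", "107.191.58.76", "96.9.125.147")
}

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status
2025-07-08 02:14:07 10.0.0.5 GET /sites/team/default.aspx 203.0.113.10 200
2025-07-08 02:15:31 10.0.0.5 POST /sites/team/page.aspx 107.191.58.76 200
2025-07-09 11:02:44 10.0.0.5 GET /sites/team/page.aspx 107.191.58.76 200
#Fields: date time cs-method cs-uri-stem sc-status c-ip
2025-07-10 23:59:01 GET /sites/hr/home.aspx 401 96.9.125.147
2025-07-11 00:03:12 GET /sites/hr/home.aspx 200 198.51.100.23
truncated-line
"""

def find_reported_sources(lines):
    """Return {ip: [(timestamp, method, uri, status), ...]} for matching rows."""
    fields, hits = [], defaultdict(list)
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order is set per file and can change mid-log.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # malformed or truncated row
        if client in REPORTED_SOURCES:
            hits[str(client)].append((
                f"{row.get('date', '?')} {row.get('time', '?')}",
                row.get("cs-method", "?"), row.get("cs-uri-stem", "?"),
                row.get("sc-status", "?"),
            ))
    return dict(hits)

if __name__ == "__main__":
    for ip, rows in find_reported_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(rows)} request(s), first seen {rows[0][0]}")
```

If the server sits behind a load balancer or reverse proxy, `c-ip` holds the proxy's address, so run the same check against the proxy's logs instead.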

 

The Challenge of On-Premise Infrastructure

 

The attack on Microsoft SharePoint highlights the vulnerability of on-premise infrastructure. Although on-premise infrastructure provides faster data sharing and stability, centralized data could be exposed to different types of attacks. This is especially true when the on-premise server is not updated with the latest security measures.

 

Because of the potential dangers of on-premise infrastructures, businesses and institutions should ensure that security and protection are embedded in the design and setup. A single attack could easily compromise data and expose it to different types of exploits, such as ransomware and unauthorized data use.

 

A Continuous Cat-and-Mouse Game

 

One of the biggest challenges for any network administrator is to ensure smooth network use while preventing any form of security breach. It is a constant cat-and-mouse game, because admins constantly have to patch their servers to prevent any type of unauthorized access and control.

 

The advent of on-premise infrastructure catering to collaboration through the network also increases the threat. Network administrators should also look out for anyone trying to exploit security vulnerabilities inherent in collaboration tools such as Microsoft SharePoint.

 

Aside from standard security measures like applying security patches as soon as possible, network administrators should also limit the number of public-facing SharePoint servers. Hackers often look for IP addresses of SharePoint servers and use the latest vulnerabilities to bypass security and remotely steal information.

 
 
 
