SharePoint Server Exploits Expose Perils of Legacy Infrastructure as Support Wanes
A wave of data breaches swept across hundreds of global organizations this week, exploiting a critical vulnerability in older, self-managed versions of Microsoft SharePoint Server. The attacks, attributed by Microsoft to multiple actors including China-linked groups, highlight the escalating security risks faced by institutions clinging to on-premises infrastructure as the tech giant phases out support in favor of cloud offerings. Among the confirmed victims is the United States National Nuclear Security Administration (NNSA), responsible for maintaining the US nuclear arsenal.
The vulnerability, tracked as CVE-2023-29357, stems from a flaw initially discovered during the Pwn2Own Berlin hacking competition in May 2024. While Microsoft issued a patch earlier this month, that update itself contained critical flaws. This meant even organizations diligently applying patches remained vulnerable, forcing Microsoft to rush out a secondary fix this week – what the company termed "more robust protections" in its advisory. The flaw specifically impacts self-hosted SharePoint Server instances, not the cloud-based SharePoint Online service within Microsoft 365.
"For on-premises software like SharePoint, which is deeply integrated into the Microsoft identity stack, there are multiple points of exposure that need to be continuously monitored in order to know, expose, and close critical gaps," stated Bob Huber, Chief Security Officer at Tenable.
This incident throws a harsh spotlight on the precarious security posture of legacy systems. On-premises SharePoint servers are notoriously attractive targets:
- Internet Exposure: Organizations often configure them to be accessible directly from the internet for convenience.
- Neglect & Budget Constraints: Once deployed, they become "set and forget" systems, with organizations reluctant to allocate budget for replacement or rigorous maintenance.
- End-of-Life Looming: Microsoft still supports SharePoint Server 2016 and 2019 with security updates, but both reach "End of Support" on July 14, 2026. SharePoint Server 2013 and earlier are already end-of-life, receiving only critical updates via a costly paid extension service.
This creates a dangerous digital backwater. Jake Williams, VP of R&D at Hunter Strategy and a veteran incident responder, explains the bind: "Years ago, Microsoft positioned SharePoint as a more secure replacement for old school Windows file sharing... Now they just run at no additional cost, versus a Microsoft365 subscription. Microsoft tries to nudge the holdouts by charging for extended support. But if you are exposing a SharePoint server to the internet... you also have to budget for incident response, because that server will eventually get popped."
The US Cybersecurity and Infrastructure Security Agency (CISA) issued stark guidance: "CISA recommends disconnecting public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS)." This echoes Microsoft's long-standing push towards cloud adoption under its Secure Future Initiative. A Microsoft spokesperson emphasized, "Our commitment... is to meet customers where they are... including those managing on-premises systems," while simultaneously highlighting the benefits of modern cloud environments.
The Department of Energy, confirming the NNSA was impacted, downplayed the severity: "The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate." This response starkly illustrates the security chasm between legacy on-prem and modern cloud deployments. The breach serves as a potent reminder: the true cost of maintaining aging, internet-exposed infrastructure often includes the inevitability of compromise.