A Missouri state spokesperson said that, as of Tuesday, the state’s systems had not been breached in connection with CVE-2025-53770, the Microsoft SharePoint vulnerability that came to light over the weekend and that federal and state cybersecurity officials said has been exploited in a campaign affecting more than 400 organizations globally.
“For on-premises SharePoint users within our agencies, no breaches have been detected,” Shayne Martin said via email. He is the public information officer for Missouri’s Office of Administration, which oversees the state’s Information Technology Services Division (OA-ITSD).
“We’ve noted failed attempts to scan for this specific vulnerability, and we’re actively monitoring,” he said, indicating that “while we can’t offer specific guidance, we strongly advise other government entities to take this threat seriously and prepare accordingly.” OA-ITSD operates as a centralized IT provider for Missouri’s executive branch.
On Saturday, Microsoft Corp. and the federal Cybersecurity and Infrastructure Security Agency (CISA) alerted the U.S. security community that the vulnerability, now tracked as CVE-2025-53770, could affect on-premises SharePoint servers and was linked to active exploitation campaigns that allowed attackers to extract cryptographic materials. In a blog post Tuesday, Microsoft said it has observed three “Chinese nation-state actors” exploiting the vulnerability.
These and other organizations, including the Center for Internet Security, are distributing updated technical guidance and indicators of compromise. Bloomberg reported that Netherlands cybersecurity firm Eye Security identified more than 400 compromised entities across the public and private sectors. The report said that most affected organizations are in the U.S., followed by Mauritius, Jordan, South Africa and the Netherlands.
Missouri’s layered security approach and zero-trust architecture contributed to detecting and deflecting those attempts, Martin said. The state confirmed close coordination with Microsoft and prompt patching activity by internal SharePoint administrators.
In Indiana, CIO Kent Kroft of Tippecanoe County, a past president of GMIS Indiana, said discussion within the group’s Slack channel indicated that many or most members are using SharePoint in the cloud, and so were unaffected. Tippecanoe County has used the cloud version since about 2019. GMIS Indiana, an association of public-sector IT leaders across the state, has grown to about 150 members active on Slack in roughly four years.
His county, Kroft said, had on-premises SharePoint initially, but found moving to the cloud a more efficient solution. He recommended that organizations “weigh your capabilities against your needs.”
“If you can keep [workforce with] the skills, maybe on-prem is the way to go,” he said. “If you can’t, you should probably go cloud. But you need to sit down and evaluate each individual application.”
Officials in states with centralized IT organizations, including North Carolina and Missouri, pointed to visibility, coordination, layered defenses and communication as factors that helped them respond quickly to the SharePoint threat.
Microsoft’s guidance said that on-premises SharePoint Server 2016, 2019 and Subscription Edition are affected. It advised applying the latest security updates, deploying endpoint protection, and ensuring the Antimalware Scan Interface is turned on and configured correctly, with an appropriate antivirus solution. Disconnecting the server may be necessary, it indicated.
When North Carolina officials learned of the vulnerability, technologists checked to see if any SharePoint on-premises servers existed within the IT organization and found some did.
“You can’t protect what you don’t know you have,” CISO Bernice Bond said Tuesday. “So having that visibility into your environment is critical. And that’s where we start with our agencies — understanding what assets they have, what systems are running and where their data lives.”
Microsoft also gave instructions on how to rotate SharePoint server ASP.NET machine keys.
If an exploit works, attackers steal those machine keys from the servers, Eye Security’s Vaisha Bernard, its chief hacker and co-owner, said Tuesday. “It’s like making copies of the master keys to the system. … With them, attackers can later enter the server with full administrator privileges.”
“So, the SharePoint servers need new sets of keys,” he said. “They’ve not only stolen those keys, but they also exposed them at a known location for everyone to see. Organizations need to rotate these keys.”