We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD.
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
It’s kind of wild how we end up here over and over, a big government breach, angry headlines, but the tech never seems to change (imo).
If you work in IT, this whole SharePoint story is probably déjà vu.
A few real-world points that stood out to me:
- SharePoint (and a lot of other MS stuff) didn’t win because it was bulletproof, just because it was bundled “FREE” and nobody got fired for rolling it out in the 2000s. Once you’re deep into the Microsoft ecosystem, the cost and pain of replacing it is huge!
- Security honestly feels like a service for a lot of giants. When someone asks if it’s the number one priority, the answer from experience is “no.” Cost, compliance, available support, and how easy it is to blame a vendor if things fail tend to matter more.
- When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately. Right now, Windows gets a lot of attention because it’s everywhere. And obviously, attackers like to go where the odds of a big payoff are highest.
- A lot of giants aren’t making decisions based only on security or technical merit. It’s about familiarity, employee training costs, consulting partners, and “safe” bets. If you pick Microsoft and get breached, it’s an industry problem. If you pick something niche and get breached... it’s 100% your fault.
- Resistance to change is real. Swapping out platforms isn’t just a technical lift. Management, end users, even IT staff get pretty set in their ways.
Honestly, unless there’s enough public backlash or a regulation hammer, I don’t see the inertia breaking any time soon. For most companies, “patch and carry on” still beats “burn it all down and start fresh.”
> CISA advises vulnerable organizations [...] to disconnect affected products from the public-facing Internet until an official patch is available.
It's interesting to me that you'd go to the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
I have spent far too much of my life on SharePoint. Having it internet facing has never been a good idea. Not really what it is meant for, though the promo verbiage on that has changed over different versions. Some folks wanted SharePoint as their "web server"; I would set that installation up entirely separated from all other instances they may have on the network.
> “Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. “It’s a significant vulnerability.”
Senior VP at CrowdStrike, so a professional in destroying large amounts of systems.
Meanwhile, Citrix has been on fire causing much worse things (you can just grab any session you want and become anyone who's already logged in). Who needs to break into SharePoint when you're becoming someone who's already got access... including to everything else (not just SharePoint)?
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
I was just building a SharePoint integration for some enterprise customers (I do RAG on their data) and I find it brutal that now I have access to all their SharePoint data for all SharePoint sites. Even the ones I don't want to index. And I even use user login over admin/service key login.
AFAIK, the OAuth claims of SharePoint don't allow specifying particular projects only.
(BTW: same counts for platforms like ACC/BIM360)
The root cause might be less whether an entity uses Linux or Windows than whether they use cloud or on-prem. No matter how skilled, the on-prem stuff getting maintained by IT/SOC (often external contractors) is unlikely to deliver the same level of diligence as one of the big cloud vendors.
Things are so complex we have critical bugs everywhere that cannot be patched without major breakage. So what does a diligent org do? They make a risk assessment to explain things away for legal & compliance purposes.
Check your SCA/SBOM in any/most stacks if you think this is untrue ...
At the risk of massive downvotes, I have to admit that a small part of me wants this so that maybe corporations stop using Sharepoint as soon as possible.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers to agree on was that Sharepoint is terrible and we'd rather use anything else.
If Sharepoint was an animal it would be a Duck-billed Platypus. I never understood why it got the degree of use that it did, even as a free product it was always best avoided. Everything seemed to be tacked on at a different angle from the normal one with broken interfaces in between.
It is instructive that we are seeing the results of DOGE's work:
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
Haha, Microsoft, the source of all the leaks, it's always Microsoft, quick, let's give Microsoft even more government contracts! They truly are the best!
This is barely one year after the CSRB recommended: "...Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made in order to preclude competition for resources. In all instances, security risks should be fully and appropriately assessed and addressed before new features are deployed."
These recommendations followed a review of MS practices following the Exchange online compromise. I highly doubt anything changed at MS since then.
I got a 502 Bad Gateway for all our onprem SP sites for a few minutes last night, which is very unusual. Wondering if this had something to do with that.
I don't understand why anyone uses SharePoint. The product is extremely low quality. I have never met a happy SharePoint user. Now we also learn that it's insecure as well as having a horrible user experience.
If I am ever on the board of a company, I will always vote no confidence in the dipshit CTO or founder who willingly installs/mandates the use of Microsoft junk in the company.
As a corporate drone who has accidentally opened various Microsoft Office suite links inside of Teams, my dislike for anything Microsoft continues to grow.
Am I surprised that sharepoint has vulnerabilities? Hell no.
It's not right to victim blame but it's also not wrong. Akin to investing lots of money in a stock. If you took the risks of maintaining a public SharePoint server in 2025, here's your very bad day.
Something to understand about the word “leak” is that it implies at some point it was keeping things in. Microsoft security is so underfunded and garbage, it is fundamentally making technology as a whole unsafe.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfunds the NPM security team - if there is such a thing - resulting in an entire industry of supply-chain security companies. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired GitHub.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.
Global hack on Microsoft Sharepoint hits U.S., state agencies, researchers say
(washingtonpost.com) 805 points by spenvo 20 July 2025 | 427 comments
Comments
> cybersecurity firm
Sure, might as well call it that.
It's the go-to warm-up joke whenever someone in the military gives a speech.
https://zerodaypublishing.com/feed
source: https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...
How is this auditable?
Probably not since there are so many of these breaches people just ignore them.
I miss the old days when a breach involved someone breaking into the computer room and grabbing as many mag tapes as they can carry and run :)
https://www.muellershewrote.com/p/the-epstein-cover-up-at-th...
Related:
ToolShell Mass Exploitation (CVE-2025-53770) - https://research.eye.security/sharepoint-under-siege/ | https://news.ycombinator.com/item?id=44629133