Microsoft server hack hit about 100 organizations, researchers say

A previously unknown vulnerability in Microsoft’s SharePoint server software has been exploited in a large-scale cyber-espionage campaign, with around 100 organizations confirmed compromised as of the weekend, according to cybersecurity experts.
Microsoft issued an alert on Saturday warning of “active attacks” targeting self-hosted SharePoint servers, widely used by businesses and public institutions for internal collaboration and document sharing.
Cloud-hosted SharePoint instances managed by Microsoft remain unaffected.
The breach, categorized as a “zero-day” exploit because it relies on a previously undisclosed flaw, allows hackers to infiltrate vulnerable servers and potentially install persistent backdoors, granting ongoing access to victim networks.
Vaisha Bernard, chief hacker at Dutch cybersecurity firm Eye Security, which first flagged the breach on Friday after detecting unusual activity in a client’s system, said a scan conducted with the Shadowserver Foundation identified nearly 100 affected systems even before the attack method became public knowledge.
“It’s clear-cut,” Bernard said. “And we don’t yet know how many more threat actors may have leveraged the flaw to insert hidden access points.”
Bernard declined to name the affected entities but confirmed that relevant national authorities have been notified.
Shadowserver corroborated the scale of the breach, noting that most victims are based in the United States and Germany, with some government agencies among them.
While the current wave of intrusions appears linked to a single hacker or group, cybersecurity experts caution the situation could escalate quickly.
“This could evolve rapidly,” said Rafe Pilling, Threat Intelligence Director at British firm Sophos.
Microsoft has issued patches and urged organizations to apply them immediately. “We’ve released security updates and strongly encourage customers to install them,” a company spokesperson said via email.
Though the identity of the attackers remains uncertain, Google’s cybersecurity division has linked parts of the operation to a threat group with ties to China.
The Chinese Embassy in Washington did not respond to requests for comment. Beijing has consistently denied involvement in cyberattacks.
The FBI confirmed awareness of the breach and said it is working closely with government and private-sector partners. Britain’s National Cyber Security Centre also acknowledged “a limited number” of targets in the UK.
Early indicators suggest the campaign initially focused on government-related institutions, but the potential scope is far broader.
Data from Shodan, a search engine for internet-connected devices, reveals over 8,000 potentially vulnerable servers still exposed online. Shadowserver placed that figure slightly higher at over 9,000, warning the actual number could be significantly greater.
Those at risk include major banks, auditing firms, healthcare providers, industrial companies, and several U.S. state and international government agencies.
“This SharePoint exploit appears to have triggered widespread compromise across diverse sectors,” said Daniel Card of UK-based cybersecurity firm PwnDefend.
“Organizations must not only patch the flaw but also operate under the assumption of breach and investigate for deeper intrusions.”