Redazione RHC : 24 July 2025 08:12
In recent days, the global digital landscape has been rocked by a cybersecurity bug that affected on-premise Microsoft SharePoint servers, exposing thousands of organizations to cyber attacks.
These are not crises that unfolded in the space of a few days, but rather signs of a systemic fragility that has matured over time within increasingly interconnected digital infrastructures. They are two completely different but emblematic episodes that show how security is not a technical option, but a balancing act between control, culture and governance.
The attacks that exploited Microsoft SharePoint had very specific characteristics. It wasn’t a classic data exfiltration or ransomware with ransom demands, but something deeper: a zero-day flaw, not even known to the manufacturer at the time of the attack.
The targets were selected with surgical care. US federal agencies, European government agencies, universities, energy companies, Asian telecommunications companies. Attackers targeted on-premises installations—those SharePoint versions that organizations deliberately choose to keep in-house, considered more secure than the cloud. A misplaced trust.
Cybercriminals managed to gain privileged access by bypassing security controls such as multi-factor authentication (MFA) and single sign-on (SSO). Once inside, they moved with precision: stealing cryptographic keys, carrying out targeted exfiltration, and installing backdoors.
The key element is not just what was stolen, but what was left behind. Long-lasting access. The stolen keys potentially allow re-entry even after patches have been applied. The risk lies not only in the compromised data, but in the future possibility of an invisible return.
Microsoft has released patches for SharePoint Server 2019 and the Subscription Edition. However, the Enterprise 2016 version, still widely used today, remains vulnerable pending a specific update.
This delay, combined with the uncertainty surrounding the timing of the attack, poses an additional risk. As a researcher cited by the Washington Post pointed out, “releasing a patch on Monday or Tuesday doesn’t help those compromised in the last 72 hours.” The exposure window is sufficient for a well-organized attacker to establish a lasting presence on systems.
SharePoint is not an isolated service. It is deeply integrated with the entire Microsoft ecosystem: Teams, OneDrive, Outlook, Office. This interconnection, useful for productivity, is a risk multiplier. A compromise in SharePoint can open up access to the digital identity of the entire organisation. The recommendation, shared by several agencies including the FBI, CISA and the National Cybersecurity Agency, is drastic: disconnect vulnerable servers from the Internet. But not all organisations are prepared to do this. Often operational rigidity, lack of response processes or simply underestimation of the risk prevent quick and effective reactions.
In July 2024, a flawed update from CrowdStrike, one of the world’s leading providers of security solutions, triggered a global computer blackout, causing many Windows machines around the world to crash. The scale of the incident, combined with the privileged nature of the software involved, produced a domino effect that also affected third-party services, revealing a fragility in the management of the global digital infrastructure. This was not a security bug related to cyber attacks as in the case of SharePoint, but a major disruption that gave everyone pause for thought.
Although different, the two cases clearly show that IT security is not a simple technical problem to be solved with tools and budgets. It is a matter of governance, of culture, of organisation. Those who operate illegally have an often underestimated advantage: they can operate without constraints. On the dark web, attackers freely share tools, exploits, stolen credentials and ready-made infrastructures. There are well-structured marketplaces, informal collaboration networks, support channels between criminal groups and even business models such as “hacking-as-a-service”.
In many organizations, security is still treated as a cost, a requirement, a checklist to be completed. But today, it is no longer possible to think of cybersecurity as a project to be activated and deactivated. It is an ongoing strategic function, requiring vision, intelligent investments, but above all, widespread awareness.
We need a culture that recognizes the value of prevention, control, and scenario simulation. A culture that invests in training, distributed responsibility, and the construction of more robust technological supply chains.
This shortcoming is compounded by a significant lack of clarity about what is actually permitted in the cybersecurity field, which often generates justified fears. Indeed, there is often a fear that protecting systems with certain methods could constitute a crime or, at least, an activity at the very edge of the law. This information vacuum creates uncertainty and hinders the adoption of effective defense measures.
University studies dedicated to cybersecurity have only recently emerged, and it will take a long time to form a broad class of experts with transversal skills that integrate technical and legal knowledge. Furthermore, in the current judicial system, there are no specific professional registers for cybersecurity experts. As a result, an expert’s work is often evaluated by consultants with limited expertise in the specific field, creating an unequal situation that further complicates the management and evaluation of cybersecurity practices.
Finally, these events bring the debate on digital and technological sovereignty back to the forefront. Europe has long had the idea of creating a single market for security products, favoring transparent, verifiable solutions that comply with continental regulations. But the fragmentation of political priorities has often slowed the implementation of these visions.
It’s not about building a European operating system, but about putting the ability to control and verify the critical components of our infrastructures at the center. Software with inspectable code, common standards, transparency on updates.
A strategy that today is no longer merely desirable. It’s necessary.