Microsoft cyberattack, critical level. ACN issues alert in Italy: what happened?

A critical attack. Near the maximum score by international standards: 9.8 out of 10. An attack whose consequences are currently incalculable and which has put governments and companies around the world on high alert. A group of hackers exploited a Microsoft security flaw. And they may have exploited it for days before it was discovered.

The alarm is spreading worldwide: the Cyber Alert Agency in Italy

The ?i alarm is spreading everywhere. It mainly concerns large companies and institutional sites. And it also affects Italy. The National Cybersecurity Agency issued an alert at 10:30 AM to all potentially affected parties (government agencies, large companies) warning of the severity of the attack. It recommends updating SharePoint immediately, following Microsoft's bulletins, and blocking suspicious requests. These actions will hopefully prevent more serious consequences. But at the moment, not all experts are convinced that the patches released by Microsoft are sufficient to resolve all the critical issues.

The attack is serious, several experts explain to Italian Tech, because it allows an attacker to gain access and potentially move freely within the system. The flaw (identified as CVE-2025-53770) has already been actively exploited by malicious actors online. According to the company, the vulnerability allows an unauthenticated remote attacker—one without credentials—to execute arbitrary code on the target server, potentially gaining complete control of the system.

Why this attack is particularly dangerous

What makes it particularly dangerous is the possibility of exploiting it simply by sending a manipulated web request, without the need for authentication.

The attack, it is explained, relies on a mechanism used by SharePoint to remember the state of pages between edits. Specifically, the vulnerability is located on the /ToolPane page. Within this page, SharePoint uses a hidden field in which it stores information in the form of encrypted objects.

However, without adequate controls, this data can be manipulated by an attacker who inserts malicious code into it. Once received and processed by the server, the code executes as if it were legitimate. Three versions of SharePoint are reportedly affected: Server subscription edition; Server 2019; and Server 2016. The attack confirms that the most popular enterprise platforms represent a prime target for cybercriminals.

The possibility of compromising a SharePoint server without credentials, through a simple web request, highlights the urgency of proactive IT security management. According to experts, those who fail to update promptly could find themselves victims of data theft, service disruptions, or the spread of malware within the internal network.

Iezzi (MaticMind): “They hit us to observe our response”

“SharePoint is the digital heart of ministries, regions, municipalities, energy companies, banks, and universities: the place where every essential document for services, tenders, supplies, and research is archived,” Pierguido Iezzi, Cybersecurity Director at Maticmind, commented to Italian Tech.

"In Italy, the risk is real, because SharePoint is present everywhere: from municipal offices that manage registry and tax records, to companies that control water and energy networks, to universities where sensitive data and research projects circulate. A single unauthorized access can result in the blocking of administrative procedures, the interruption of essential services (electricity, water, gas), the exfiltration of confidential data, and the paralysis of strategic activities," he adds.

A response to the dismantling of the Noname network?

But it's not just a technical issue. "We are faced with a clear example of a digital tactical-military bubble: an offensive ecosystem activated in response to specific events – such as the dismantling of the pro-Russian group NoName057(16) – which exploits ready-made tools, known vulnerabilities and hybrid actors (APTs, contractors, coordinated hacktivists) to strike in a targeted, rapid and coordinated manner. In this case, the attack on SharePoint is not just an attack, a response or a message: it could also be a test of our reaction capacity, a form of intelligence that measures patching times, official communications and the solidity of public-private relationships."

And he concludes: "Whoever attacked us didn't just want to hack our servers: they wanted to see how we would respond. And the target, in that case, was us."