Microsoft Rushes Emergency Fix for SharePoint Hack

Critical flaw exploited in global attacks on businesses, agencies

Microsoft has released an emergency patch for a major security vulnerability in its SharePoint Server software, following widespread cyberattacks that have impacted businesses and at least some U.S. government agencies. The flaw is being actively exploited as a zero-day, meaning the vulnerability was unknown before the attacks began.

The company issued initial warnings over the weekend and has provided updated guidance for users of SharePoint Server 2019 and SharePoint Server Subscription Edition. However, a fix for SharePoint Server 2016 remains in development. According to cybersecurity firm CrowdStrike, any organization hosting SharePoint locally is at significant risk.

Zero-day exploit allows deep access to systems

The exploit, referred to as “ToolShell” by security researchers, is a variant of CVE-2025-49706 and can provide attackers with full access to SharePoint environments, including integrations with Microsoft Teams and OneDrive. Google’s Threat Intelligence Group warned that the flaw could even allow future security patches to be bypassed.

Because the flaw was exploited as a zero-day, defenders had no time to react before attackers began taking advantage of it, which underscores the urgency. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the nature of the threat and its risk to organizations operating on-premises SharePoint servers.

Widespread compromise confirmed across global systems

Eye Security scanned over 8,000 SharePoint servers globally and found dozens already compromised. These attacks appear to have begun around July 18 and continue to spread. While Microsoft 365 cloud users remain unaffected, the exploit specifically targets organizations running local installations of SharePoint — a common setup among governments, hospitals, schools and large enterprises.

Michael Sikorski, CTO at Palo Alto Networks’ Unit 42, emphasized that these institutions are particularly vulnerable, given their reliance on on-premise infrastructure. The threat extends to connected services and has the potential for widespread disruption and data theft.

Immediate action required for on-site SharePoint users

Microsoft urges all affected users to apply available patches without delay. Organizations using the 2016 version must remain alert until a fix is issued. In the meantime, cybersecurity experts advise disconnecting vulnerable servers from the internet to prevent further intrusion.

CISA also recommends rotating cryptographic credentials and engaging professional incident response teams. The attack highlights ongoing challenges in defending legacy infrastructure and the critical importance of rapid patch deployment in today’s cyber threat landscape.
