Emergency patches are being issued as government agencies and major industries race to respond.
A newly discovered vulnerability in Microsoft’s widely used SharePoint Server software has opened the door to a large-scale cyber espionage campaign, with researchers confirming that at least 100 organizations, including government agencies, have already been compromised.
The exploit, described as a zero-day attack, targets self-hosted versions of Microsoft SharePoint, a platform used globally by businesses, schools, hospitals, and government bodies for document management and internal collaboration. Cloud-based SharePoint Online remains unaffected.
Attackers Exploit a Zero-Day Flaw
The vulnerability, now tracked as CVE-2025-49706, allows hackers to bypass authentication and gain full access to a victim’s SharePoint environment. From there, they can deploy ToolShell, a sophisticated backdoor capable of exfiltrating data and maintaining persistent access across connected services, such as Microsoft Teams and OneDrive.
“This is a significant vulnerability,” said Adam Meyers, senior vice president at cybersecurity firm CrowdStrike. “Anybody who’s got a hosted SharePoint server has got a problem.”
The flaw was first uncovered last week by Netherlands-based cybersecurity firm Eye Security, which detected an intrusion at one of its clients. A broader scan conducted with the Shadowserver Foundation quickly revealed nearly 100 known victims, mostly in the United States and Germany, with affected entities spanning government, finance, healthcare, education, and critical infrastructure.
Security researchers believe the attack likely began around July 18 and suspect that many more organizations may already be compromised without being aware of it.
Microsoft Responds with Emergency Guidance
Microsoft issued a weekend alert urging organizations to take immediate action. The company provided mitigation steps for SharePoint Server 2019 and SharePoint Server Subscription Edition, while a patch for SharePoint Server 2016 remains in development. The company emphasized that cloud-hosted SharePoint Online is not affected.
A Microsoft spokesperson confirmed:
“We have provided security updates and encourage all affected customers to install them immediately.”
FBI, UK Authorities Monitor Situation
The FBI and the UK’s National Cyber Security Centre (NCSC) confirmed they are actively monitoring the situation. The NCSC noted a “limited number” of affected targets in the United Kingdom, while the FBI is working with federal and private-sector partners in the U.S. to investigate.
Currently, the attribution remains unclear. While some signs point to a single threat actor or group, experts warn that the scope of the attack may widen as other hackers reverse-engineer the exploit and copy the technique.
Thousands Potentially at Risk
According to the internet search engine Shodan, more than 8,000 SharePoint servers are currently exposed online, any of which could be vulnerable. These include systems operated by banks, auditing firms, healthcare providers, manufacturers, and state-level governments.
“The SharePoint incident appears to have created a broad level of compromise across a range of servers globally,” said Daniel Card, cybersecurity expert at PwnDefend.
“Just applying the patch isn’t enough. Organizations need to assume breach, rotate cryptographic materials, and perform full incident response.”
What Should Organizations Do Now?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging immediate action:
- Apply Microsoft’s patches as soon as available
- Disconnect vulnerable servers from the internet temporarily
- Rotate cryptographic keys and authentication tokens
- Engage professional incident response teams
- Audit for signs of backdoor access or unusual behavior
While cloud-based environments remain safe, on-premises deployments face immediate and ongoing risk. Microsoft and cybersecurity experts stress that patching alone may not be sufficient if systems have already been compromised.
Understanding Zero-Day Exploits
A zero-day exploit refers to a cyberattack that uses a software vulnerability before the vendor has released a fix, leaving defenders with zero days to respond. These exploits are especially dangerous in enterprise environments, where critical services rely on complex software stacks that may not be patched quickly.
This particular exploit is believed to be a variant of a known SharePoint flaw, modified to evade detection and compromise systems without being noticed.