Microsoft Patches Critical SharePoint Zero-Day Exploited in Attacks
Urgent update issued for widely-used collaboration software
Microsoft has released an emergency patch to address a severe vulnerability in its SharePoint software, a flaw that attackers have actively exploited to target businesses and some U.S. government entities.
Widespread Exploitation Detected
The tech giant confirmed Saturday it was aware of the zero-day exploit being used in ongoing attacks and had been working on a solution. Updates were provided Sunday for SharePoint Server 2019 and SharePoint Server Subscription Edition, with engineers still developing a fix for the older SharePoint Server 2016.
Adam Meyers, senior vice president at cybersecurity firm CrowdStrike, highlighted the severity, stating, "Anybody who's got a hosted SharePoint server has got a problem. It's a significant vulnerability."
SharePoint is extensively used for internal document management, data organization, and team collaboration by organizations globally.
Understanding the Zero-Day Threat
A zero-day exploit leverages a security flaw that is unknown to the vendor, leaving no time for a defensive patch. This particular exploit, reportedly named “ToolShell,” is considered a serious risk, potentially granting attackers full access to SharePoint file systems and connected services like Teams and OneDrive. Google’s Threat Intelligence Group cautioned that the vulnerability might enable malicious actors to bypass future patching.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified the exploit as a variant of CVE-2025-49706, posing a threat to organizations with on-premise SharePoint servers.
Impact and Scope of the Breach
Eye Security reported scanning over 8,000 SharePoint servers worldwide and found dozens of compromised systems, with attacks likely beginning around July 18. Microsoft has clarified that the vulnerability exclusively affects on-site SharePoint servers, not the cloud-based SharePoint Online service.
However, Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, warns of significant exposure for many. While cloud environments remain unaffected, on-prem SharePoint deployments, particularly within government, schools, health care including hospitals, and large enterprise companies, are at immediate risk.
The cybersecurity landscape is constantly evolving; for instance, a recent report by Mandiant in late 2023 detailed how a state-sponsored group exploited a zero-day vulnerability in Ivanti VPN devices, impacting numerous organizations globally (Mandiant 2024).
Mitigation and Best Practices
Organizations utilizing on-site SharePoint are urged to immediately follow Microsoft’s official guidance to patch their systems. CISA has advised that affected servers be disconnected from the internet until patches are applied, emphasizing the potential for widespread impact.
"We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available."
- Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks