What to know about a vulnerability being exploited on Microsoft
SharePoint servers
[July 22, 2025] By SHAWN CHEN
NEW YORK (AP) — Microsoft has issued an emergency fix to close off a
vulnerability in Microsoft’s widely-used SharePoint software that
hackers have exploited to carry out widespread attacks on businesses and
at least some U.S. government agencies.
The company issued an alert to customers Saturday saying it was aware of
the zero-day exploit being used to conduct attacks and that it was
working to patch the issue. Microsoft updated its guidance Sunday with
instructions to fix the problem for SharePoint Server 2019 and
SharePoint Server Subscription Edition. Engineers were still working on
a fix for the older SharePoint Server 2016 software.
“Anybody who’s got a hosted SharePoint server has got a problem,” said
Adam Meyers, senior vice president with CrowdStrike, a cybersecurity
firm. “It’s a significant vulnerability.”
Companies and government agencies around the world use SharePoint for
internal document management, data organization and collaboration.
What is a zero-day exploit?
A zero-day exploit is a cyberattack that takes advantage of a previously
unknown security vulnerability. “Zero-day” refers to the fact that the
security engineers have had zero days to develop a fix for the
vulnerability.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA),
the exploit affecting SharePoint is “a variant of the existing
vulnerability CVE-2025-49706 and poses a risk to organizations with
on-premise SharePoint servers.”
Security researchers warn that the exploit, reportedly known as “ToolShell,”
is a serious one and can allow actors to fully access SharePoint file
systems, including services connected to SharePoint, such as Teams and
OneDrive.
Google’s Threat Intelligence Group warned that the vulnerability may
allow bad actors to “bypass future patching.”
How widespread is the impact?
Eye Security said in its blog post that it scanned over 8,000 SharePoint
servers worldwide and discovered that at least dozens of systems were
compromised. The cybersecurity company said the attacks likely began on
July 18.
Microsoft said the vulnerability
affects only on-site SharePoint servers used within businesses or
organizations, and does not affect Microsoft’s cloud-based
SharePoint Online service.
But Michael Sikorski, CTO and Head of Threat Intelligence for Unit
42 at Palo Alto Networks, warns that the exploit still leaves many
potentially exposed to bad actors.
“While cloud environments remain unaffected, on-prem SharePoint
deployments — particularly within government, schools, health care
including hospitals, and large enterprise companies — are at
immediate risk.”
What do you do now?
The vulnerability targets SharePoint server software, so customers of
that product will want to immediately follow Microsoft's guidance to
patch their on-site systems.
Although the scope of the attack is still being assessed, CISA
warned that the impact could be widespread and recommended that any
servers impacted by the exploit should be disconnected from the
internet until they are patched.
“We are urging organizations who are running on-prem SharePoint to
take action immediately and apply all relevant patches now and as
they become available, rotate all cryptographic material, and engage
professional incident response. An immediate, band-aid fix would be
to unplug your Microsoft SharePoint from the internet until a patch
is available,” Sikorski advises.
All contents © copyright 2025 Associated Press. All rights reserved