
A Microsoft sign is visible at the tech giant’s main office in Redmond, Washington, U.S. (Photo: Matt Mills McKnight/Reuters, File)
A critical flaw in Microsoft’s SharePoint server software—discovered months ago—was not properly fixed by the tech giant, giving hackers a doorway into sensitive systems across the globe. The flawed patch, released in early July, failed to close the vulnerability, leading to what experts believe is an expanding cyber espionage campaign.
A Patch That Didn't Protect
The issue began in May at a cybersecurity event in Berlin hosted by Trend Micro. There, a researcher from Viettel, a Vietnam-based telecom firm, identified the security flaw in Microsoft SharePoint and dubbed it "ToolShell." His discovery earned him a $100,000 reward.
However, Microsoft's first fix, released in early July, did not fully work and so did not permanently patch the issue. According to a spokesperson, the company released additional updates after realizing the flaw persisted. Unfortunately, by the time these new patches were rolled out, hackers had already started exploiting the gap.
A Growing Global Attack
Around 100 organizations were hit over the weekend following the failed fix, and cybersecurity experts expect more attacks to follow. Microsoft's blog revealed that at least three hacking groups based in China—two known as “Linen Typhoon” and “Violet Typhoon”—were actively using the vulnerability.
While China’s embassy in Washington denied involvement, claiming opposition to all cyberattacks, suspicions remain high given China’s history of state-linked hacking accusations.
Nuclear and Government Targets at Risk
The scope of the attack has been alarming. Bloomberg News reported that the U.S. National Nuclear Security Administration, which oversees the country’s nuclear weapons, was among the agencies breached. Thankfully, no sensitive or classified data has been reported stolen so far.
Cybersecurity watchdogs also flagged banks, healthcare providers, state agencies, and major industries across the U.S. and Germany as potential victims. The Shadowserver Foundation, which tracks online vulnerabilities, said over 9,000 SharePoint servers are potentially exposed to the ToolShell exploit, with most located in the U.S. and Germany.
Security Community Raises Alarm
British cybersecurity firm Sophos pointed out that hackers found ways to bypass Microsoft’s initial patch quickly. They noted a spike in suspicious activity targeting SharePoint servers just days after Microsoft claimed to have fixed the issue.
Trend Micro emphasized that companies participating in the Berlin event were expected to respond to flaws swiftly and effectively. However, they acknowledged that software patches can fail at times—SharePoint has had such problems before.
Germany’s federal cybersecurity agency confirmed that while some government servers were vulnerable, no actual breaches were detected within their networks.

