
Microsoft has rolled out an urgent security fix to stop hackers from exploiting a dangerous vulnerability in its SharePoint software. This flaw has already been used to launch cyberattacks on several businesses and even some federal agencies. The threat, identified as a zero-day vulnerability, is being actively targeted by cybercriminals, making immediate action critical.
Over the weekend, Microsoft notified users about the issue and released specific guidance to address the problem in SharePoint Server 2019 and the SharePoint Server Subscription Edition. Engineers are still working on a solution for the older SharePoint Server 2016.
What’s a Zero-Day Exploit, and Why Is It Serious?
A zero-day exploit is a type of cyberattack that takes advantage of a security flaw before developers even know it exists. The term “zero-day” means that defenders have zero days to fix it once it’s discovered.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the current exploit is a variant of an existing vulnerability labeled CVE-2025-49706. The bug poses a significant threat to organizations running on-premises SharePoint servers.
Cybersecurity experts have dubbed the exploit “ToolShell.” It can potentially give attackers full access to SharePoint’s file systems. Even services linked to SharePoint—like Microsoft Teams and OneDrive—can be affected, allowing hackers to move across systems with ease.
Perhaps more troubling, Google’s Threat Intelligence Group warns that this vulnerability may let attackers bypass future security updates as well, making it even harder to stop them once they’ve gained access.
How Far Has the Damage Spread?
In a blog post, cybersecurity firm Eye Security revealed that it scanned more than 8,000 SharePoint servers across the globe. Dozens of these were already compromised, and the attacks likely began on July 18.
While it’s too early to know the full extent of the damage, CISA has advised that any affected servers should be taken offline immediately until proper patches are installed. The agency is treating the situation as a high-level threat due to the scale and speed of the attacks.
Organizations relying on SharePoint for file storage, internal communication, or cloud services need to act fast. If unpatched, this flaw could leave sensitive information wide open to cybercriminals.
What Should Users Do Now?
If your organization uses SharePoint Server 2019 or the Subscription Edition, follow Microsoft’s latest patch instructions immediately. If you’re still running SharePoint Server 2016, stay alert for updates and take preventive steps like temporarily disconnecting your servers from the internet.
This vulnerability is a strong reminder that staying up to date with security patches isn’t just good practice—it’s essential.

