Hackers exploit SharePoint flaw to breach servers, Microsoft issues fix
Hackers are using a serious flaw in SharePoint to attack companies and government servers; Microsoft has released an urgent fix and asked users to update their systems quickly
Microsoft alerted users over the weekend, confirming that a zero-day exploit was being used. (Photo: Reuters)
Last Updated: Jul 22 2025 | 9:51 AM IST
Microsoft has rolled out an emergency security fix to address a serious vulnerability in its SharePoint software, which hackers are actively exploiting in cyberattacks targeting companies and US government agencies, Associated Press reported.
Microsoft alerted users over the weekend, confirming that a zero-day exploit was being used and that it was working on a solution. On Sunday, the tech giant released instructions to patch the issue for SharePoint Server 2019 and SharePoint Server Subscription Edition. However, engineers are still working on a fix for the older SharePoint Server 2016.
“Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president at cybersecurity firm CrowdStrike. “It’s a significant vulnerability.”
A zero-day exploit refers to a security flaw that has just been discovered and for which there is no fix yet, giving attackers a head start before security teams can respond.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), this new threat is a variant of an existing vulnerability (CVE-2025-49706). It mainly affects organisations using on-premise SharePoint servers.
Cybersecurity experts have identified the exploit, dubbed “ToolShell”, which can allow attackers full access to SharePoint file systems. This may also impact other services linked to SharePoint, like Microsoft Teams and OneDrive, Associated Press reported.
Google’s Threat Intelligence Group has warned that this vulnerability could potentially “bypass future patching”, making it even more dangerous.
Global impact and affected systems
Cybersecurity company Eye Security reported scanning more than 8,000 SharePoint servers globally. Their findings showed that at least several dozen had been compromised, and the attacks started on July 18.
Microsoft clarified that this vulnerability affects only on-premise SharePoint servers and not the cloud-based SharePoint Online service. However, the risk remains high, particularly for critical sectors.
What should users do?
Organisations using on-premise SharePoint servers are strongly urged to apply Microsoft’s latest security guidance immediately. CISA has recommended that any impacted servers be taken offline until they are properly patched.
Michael Sikorski, chief technology officer and head of Threat Intelligence for Unit 42 at Palo Alto Networks, said, “We are urging organisations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response.”
Sikorski also suggested disconnecting Microsoft SharePoint from the internet as a temporary measure until a security patch is released.
CERT-In warns Microsoft users in India
Last week, the Indian Computer Emergency Response Team (CERT-In) issued a high-severity warning for users of Microsoft Windows and Office products. The agency flagged multiple security flaws that could put both individuals and enterprises at risk.
According to CERT-In, attackers could exploit these flaws to gain higher privileges, access sensitive data, execute remote code, and bypass security protocols. In some cases, they may also spoof identities, tamper with system settings, or trigger denial-of-service (DoS) attacks.