A newly discovered zero-day vulnerability in Microsoft SharePoint has triggered a global cybersecurity incident, with at least 100 organizations confirmed breached and thousands more potentially exposed.
The exploit, dubbed “ToolShell” by researchers, gives attackers full access to SharePoint servers. It lets them run commands, move laterally across networks, and drop persistent backdoors that can remain even after patching. In other words, this isn’t just a breach. It’s a digital skeleton key.
The campaign was first spotted by Dutch cybersecurity firm Eye Security on July 18. Since then, threat intel group Shadowserver has confirmed dozens of successful intrusions, many targeting sensitive infrastructure in the US and Germany. Microsoft issued emergency patches on July 20 for SharePoint Server 2019 and the Subscription Edition, but a fix for SharePoint 2016 is still in the works. That’s a problem, because many public and private institutions are still running the older version and may not even know they’re exposed.
Google’s Mandiant team has linked the attack to a state-sponsored actor with ties to China, although Microsoft has not officially confirmed who is behind it. What is clear is that the breach is broad, active, and highly sophisticated. According to Shodan data, roughly 8,000 to 9,000 SharePoint servers are internet-facing and are prime targets if they haven’t been patched.
“This isn’t your usual smash and grab ransomware play,” said one security researcher familiar with the case. “This is espionage-level stealth with a focus on persistence. Even if you patch now, if they were in before, they might still be there.”
The US Cybersecurity and Infrastructure Security Agency (CISA), along with agencies in the UK and Europe, is urging organizations to disconnect vulnerable SharePoint instances from the internet, rotate passwords and cryptographic keys, and conduct full incident response reviews. The fear is that compromised systems may already be leaking sensitive data or providing quiet access to broader networks.
If there’s one silver lining, it’s that SharePoint Online, Microsoft’s cloud-based platform, is not affected. That has reignited the ongoing debate about the future of on-prem infrastructure. For many IT teams, this is yet another reason to accelerate their shift to the cloud or at least get serious about patch management and vulnerability scanning.
Microsoft says it’s working on a fix for the 2016 version and is helping affected customers investigate. In the meantime, security professionals are recommending that organizations treat every unpatched SharePoint server as potentially compromised and respond accordingly.
The fallout from this one is just getting started.
Story originally reported by Reuters: James Pearson and Raphael Satter, (c) 2025 Reuters.
