
The Microsoft company logo is displayed at its Sydney office on February 3, 2021. Credit: AP Photo/Rick Rycroft, File
Microsoft has issued an emergency fix to close a vulnerability in its widely used SharePoint software that hackers have leveraged to carry out widespread attacks against businesses and at least some US government agencies.
The company warned customers on Saturday, saying it was aware of the zero-day exploit being used to carry out the attacks and was working to patch the issue. On Sunday, Microsoft updated its guidance with instructions to fix the issue for SharePoint Server 2019 and SharePoint Server Subscription Edition. Engineers were still working on a fix for the older SharePoint Server 2016 software.
“Everyone who has a hosted SharePoint server has a problem,” said Adam Meyers, senior vice president of CrowdStrike, a cybersecurity company. “It’s a serious vulnerability.”
Businesses and government agencies around the world use SharePoint for internal document management, data organization and collaboration.
What is a zero-day exploit?
A zero-day exploit is a cyberattack that takes advantage of a previously unknown security vulnerability. “Zero-day” refers to the fact that security engineers have had zero days to develop a fix for the vulnerability.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the exploit affecting SharePoint is “a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premises SharePoint servers.”
Security researchers warn that the exploit, known as “ToolShell,” is serious and can provide full access to SharePoint file systems, including Teams and services connected to SharePoint such as OneDrive.
Google’s Threat Intelligence Group warned that the vulnerability could allow bad actors to “bypass future patching.”
How widespread is the impact?
In a blog post, Eye Security said it scanned over 8,000 SharePoint servers around the world and found at least dozens of systems at risk. The cybersecurity company said the attack likely began on July 18th.
Microsoft said the vulnerability only affects on-site SharePoint servers used within businesses and organizations, and does not affect Microsoft’s cloud-based SharePoint Online service.
However, Michael Sikorski, CTO of Palo Alto Networks and head of threat intelligence for Unit 42 of Palo Alto Networks, warns that the exploit still leaves many potentially exposed to bad actors.
“The cloud environment remains unaffected, but on-prem SharePoint deployments, especially within government, schools, healthcare including hospitals, and large businesses, are at immediate risk.”
What do you do now?
Because the vulnerability targets SharePoint Server software, customers of that product will want to follow Microsoft’s guidance immediately to patch their on-site systems.
The scope of the attack is still being evaluated, but CISA warned that the impact could be widespread and recommended that servers affected by the exploit be disconnected from the internet until they are patched.
“We are urging organizations running on-prem SharePoint to take action immediately, apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. The immediate band-aid fix is to unplug Microsoft SharePoint until patches are available.”
© 2025 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.
Citation: What you need to know about vulnerabilities exploited in Microsoft SharePoint Servers (2025, July 21), retrieved July 21, 2025 from https://techxplore.com/news/2025-07-vulnerability-exploited-microsoft-sharepoint-servers.html