
What to know about a vulnerability being exploited on Microsoft SharePoint servers
Microsoft has issued an emergency fix to close off a vulnerability in Microsoft's widely-used SharePoint software that hackers have exploited to carry out widespread attacks on businesses and at least some U.S. government agencies.
The company issued an alert to customers on July 19 saying it was aware of the zero-day exploit being used to conduct attacks and that it was working to patch the issue. Microsoft updated its guidance Sunday with instructions to fix the problem for SharePoint Server 2019 and SharePoint Server Subscription Edition. Engineers were still working on a fix for the older SharePoint Server 2016 software.
"Anybody who's got a hosted SharePoint server has got a problem," said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. "It's a significant vulnerability."
Companies and government agencies around the world use SharePoint for internal document management, data organization and collaboration.
A zero-day exploit is a cyberattack that takes advantage of a previously unknown security vulnerability. "Zero-day" refers to the fact that the security engineers have had zero days to develop a fix for the vulnerability.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the exploit affecting SharePoint is "a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers."
Security researchers warn that the exploit, reportedly known as "ToolShell," is a serious one and can allow actors to fully access SharePoint file systems, including services connected to SharePoint, such as Teams and OneDrive.
Google's Threat Intelligence Group warned that the vulnerability may allow bad actors to "bypass future patching."
Eye Security said in its blog post that it scanned over 8,000 SharePoint servers worldwide and discovered that at least dozens of systems were compromised. The cybersecurity company said the attacks likely began on July 18.
Microsoft said the vulnerability affects only on-site SharePoint servers used within businesses or organizations, and does not affect Microsoft's cloud-based SharePoint Online service.
But Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, warns that the exploit still leaves many potentially exposed to bad actors.
"While cloud environments remain unaffected, on-prem SharePoint deployments — particularly within government, schools, health care including hospitals, and large enterprise companies — are at immediate risk."
The vulnerability targets SharePoint server software, so customers of that product will want to immediately follow Microsoft's guidance to patch their on-site systems.
Although the scope of the attack is still being assessed, CISA warned that the impact could be widespread and recommended that any servers impacted by the exploit should be disconnected from the internet until they are patched.
"We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available," Sikorski advises.
© Copyright 2025 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.

Related Articles

Japan Times
Chinese hackers exploit Microsoft flaws with U.S. nuclear agency hit
Microsoft warned that Chinese state-sponsored hackers are among those exploiting flaws in its SharePoint software to break into institutions globally, with the U.S. agency responsible for designing nuclear weapons now among those breached.

In a blog post, the tech giant identified two groups supported by the Chinese government, Linen Typhoon and Violet Typhoon, as leveraging flaws in the document-sharing software that rendered customers who run it on their own networks, as opposed to in the cloud, vulnerable. Another hacking group based in China, which Microsoft calls Storm-2603, also exploited them, according to the blog.

The number of companies and agencies subjected to breaches as a result of these exploits is meanwhile mounting: Hackers have used the SharePoint flaws to break into the U.S. National Nuclear Security Administration, according to a person with knowledge of the matter who wasn't authorized to speak publicly. Bloomberg also reported Monday that systems belonging to the U.S. Education Department, Florida's Department of Revenue and the Rhode Island General Assembly were compromised.

While Microsoft has patched its software in recent days, cybersecurity researchers have already detected breaches on more than 100 servers representing 60 victims thus far, including organizations in the energy sector, consulting firms and universities. Hackers have also exploited the software to break into the systems of national governments from Europe to the Middle East, according to a person familiar with the matter.

The SharePoint flaws have been used in hacks since at least July 7, said Adam Meyers, senior vice president at CrowdStrike Holdings. Early exploitation resembled government-sponsored activity, and then spread more widely to include hacking that "looks like China," Meyers said. CrowdStrike's investigation into the campaign is ongoing, he said.

Microsoft said in its blog that its investigations into other threat actors using these exploits "is still ongoing." The company said it has "high confidence" that hackers will "continue to integrate them into their attacks."

Photo caption: In a blog post, Microsoft identified two groups supported by the Chinese government as leveraging flaws in SharePoint software. | Bloomberg

In a statement, the Chinese Embassy in Washington said China firmly opposes all forms of cyberattacks and cybercrime. "At the same time, we also firmly oppose smearing others without solid evidence," it said. "We hope that relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations."

No sensitive or classified information is known to have been compromised in the attack on the National Nuclear Security Administration, the person with knowledge of the breach said. The semiautonomous arm of the Energy Department is responsible for producing and dismantling nuclear arms. Other parts of the department were also compromised. An Energy Department spokesman said by email that the SharePoint exploitation began affecting the agency on July 18, but it was limited by the fact that the department uses Microsoft's cloud.

Representatives of the U.S. Department of Education and Rhode Island legislature meanwhile didn't respond to calls and emails seeking comment. The Florida Department of Revenue said the SharePoint weaknesses were being investigated "at multiple levels of government" but declined further comment.

The hackers have also breached the systems of a U.S.-based health care provider and targeted a public university in Southeast Asia, according to a report from a cybersecurity firm. The report doesn't identify either entity by name but says the hackers have attempted to breach SharePoint servers in countries including Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, the U.K. and the U.S. The firm asked not to be named because of the sensitivity of the information.

Hackers have stolen sign-in credentials, including usernames, passwords, hash codes and tokens, from some systems, according to a person familiar with the matter, who asked not to be identified discussing sensitive information. "This is a high-severity, high-urgency threat," said Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks Inc. "What makes this especially concerning is SharePoint's deep integration with Microsoft's platform, including their services like Office, Teams, OneDrive and Outlook, which has all the information valuable to an attacker," he said.

The cyber firm Eye Security said the flaws allow hackers to access SharePoint servers and steal keys that can let them impersonate users or services even after the server is patched. It said hackers can maintain access through backdoors or modified components that can survive updates and reboots of systems.

The breaches have drawn new scrutiny to Microsoft's efforts to shore up its security after a series of high-profile failures. The firm has hired executives from places like the U.S. government and holds weekly meetings with senior executives to make its software more resilient. The company's tech has been subject to several widespread and damaging hacks in recent years, and a 2024 U.S. government report described the company's security culture as in need of urgent reforms.

Eye Security has detected compromises on more than 100 servers representing 60 victims, including organizations in the energy sector, consulting firms and universities. Victims were also located in Saudi Arabia, Vietnam, Oman and the United Arab Emirates, according to the company.

In early July, Microsoft issued patches to fix the security holes, but hackers found another way in. "There were ways around the patches" that enabled hackers to break into SharePoint servers by tapping into similar vulnerabilities, said Vaisha Bernard, Eye Security's chief hacker and co-owner. "That allowed these attacks to happen." The intrusions, he said, were not targeted and instead were aimed at compromising as many victims as possible. He declined to identify the organizations that had been targeted but said they included government agencies and private companies, including "bigger multinationals." The victims were located in countries in North and South America, the European Union, South Africa and Australia, he said.

Yomiuri Shimbun
US Nuclear Weapons Agency Breached in Microsoft SharePoint Hack, Bloomberg News Reports
July 22 (Reuters) – U.S. National Nuclear Security Administration was among those breached by a hack of Microsoft's document management software, Bloomberg News reported on Tuesday, citing a person with knowledge of the matter. Bloomberg reported that no sensitive or classified information is known to have been compromised in the attack on the National Nuclear Security Administration, the agency responsible for maintaining and designing the nation's cache of nuclear weapons. Reuters could not immediately verify the report. The U.S. Energy Department, U.S. Cybersecurity and Infrastructure Security Agency, and Microsoft did not immediately respond to requests for comment from Reuters.

Japan Today
What to know about a vulnerability being exploited on Microsoft SharePoint servers
By SHAWN CHEN (Associated Press; the same story as reproduced in full above)