
What to know about a vulnerability being exploited on Microsoft SharePoint servers
NEW YORK--Microsoft has issued an emergency fix to close off a vulnerability in Microsoft's widely used SharePoint software that hackers have exploited to carry out widespread attacks on businesses and at least some U.S. government agencies.
The company issued an alert to customers Saturday saying it was aware of the zero-day exploit being used to conduct attacks and that it was working to patch the issue. Microsoft updated its guidance Sunday with instructions to fix the problem for SharePoint Server 2019 and SharePoint Server Subscription Edition. Engineers were still working on a fix for the older SharePoint Server 2016 software.
'Anybody who's got a hosted SharePoint server has got a problem,' said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. 'It's a significant vulnerability.'
Companies and government agencies around the world use SharePoint for internal document management, data organization and collaboration.
A zero-day exploit is a cyberattack that takes advantage of a previously unknown security vulnerability. 'Zero-day' refers to the fact that the security engineers have had zero days to develop a fix for the vulnerability.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the exploit affecting SharePoint is 'a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.'
Security researchers warn that the exploit, reportedly known as 'ToolShell,' is a serious one and can allow actors to fully access SharePoint file systems, including services connected to SharePoint, such as Teams and OneDrive.
Google's Threat Intelligence Group warned that the vulnerability may allow bad actors to 'bypass future patching.'
Eye Security said in a blog post that it scanned over 8,000 SharePoint servers worldwide and discovered that at least dozens of systems were compromised. The cybersecurity company said the attacks likely began on July 18.
Microsoft said the vulnerability affects only on-site SharePoint servers used within businesses or organizations and does not affect Microsoft's cloud-based SharePoint Online service.
But Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, warns that the exploit still leaves many potentially exposed to bad actors.
'While cloud environments remain unaffected, on-prem SharePoint deployments — particularly within government, schools, health care including hospitals, and large enterprise companies — are at immediate risk.'
The vulnerability affects SharePoint server software, so customers of that product will want to follow Microsoft's guidance immediately and patch their on-site systems.
Although the scope of the attack is still being assessed, CISA warned that the impact could be widespread and recommended that any servers impacted by the exploit be disconnected from the internet until they are patched.
'We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,' Sikorski advises.