Microsoft Issues Alert After Critical SharePoint Server Attacks

Newsweek

21-07-2025

Based on facts, either observed and verified firsthand by the reporter, or reported and verified from knowledgeable sources.
Newsweek AI is in beta. Translations may contain inaccuracies—please refer to the original content.
Microsoft has issued an urgent security alert warning of "active attacks" targeting SharePoint servers used by government agencies and businesses worldwide.
The attacks, discovered over the weekend, exploit a previously unknown vulnerability in the document-sharing software, prompting immediate action from both Microsoft and federal investigators.
The Federal Bureau of Investigations (FBI) told Newsweek on Sunday that it is aware of the incidents and working with federal and private-sector partners to address the threat. The Washington Post first reported the hacks, citing unidentified actors who exploited the flaw to target U.S. and international agencies and businesses over the past few days.
Newsweek reached out to Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) on Sunday via email for comment.
Why It Matters
This zero-day attack represents a significant cybersecurity threat to organizations relying on SharePoint for internal document management and collaboration.
The vulnerability affects government agencies, schools, healthcare systems including hospitals, and large enterprise companies, with attackers bypassing multi-factor authentication and single sign-on protections to gain privileged access.
What To Know
The vulnerability affects only on-premises SharePoint servers used within organizations, not Microsoft's cloud-based SharePoint Online service.
Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told Newsweek in an email statement that "attackers are bypassing identity controls, including MFA and SSO, to gain privileged access. Once inside, they're exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys."
According to Sikorski, the attackers have already established footholds in compromised systems, making patching alone insufficient to fully remove the threat. The compromise extends beyond SharePoint due to its deep integration with Microsoft's platform, including Office, Teams, OneDrive and Outlook. "What makes this especially concerning is SharePoint's deep integration with Microsoft's platform," Sikorski said. "A compromise doesn't stay contained—it opens the door to the entire network."
Microsoft has released a security update for SharePoint Subscription Edition and is developing patches for 2016 and 2019 versions. The company recommends organizations that cannot immediately apply protective measures should disconnect their servers from the internet until updates become available.
FILE - A Microsoft sign and logo are pictured at the company's headquarters, Friday, April 4, 2025, in Redmond, Wash.
FILE - A Microsoft sign and logo are pictured at the company's headquarters, Friday, April 4, 2025, in Redmond, Wash.
(AP Photo/Jason Redmond, File
What People Are Saying
Microsoft Security Team in a statement: "We recommend security updates that customers should apply immediately."
Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told Newsweek: "If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. This is a high-severity, high-urgency threat. We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response."
The Cybersecurity and Infrastructure Security Agency said on Sunday: "CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers. While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations. This exploitation activity, publicly reported as "ToolShell," provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network."
The FBI told Newsweek in an email response that they are: "Aware of the attacks and working closely with federal and private-sector partners," though they declined to provide additional operational details.
What Happens Next
Organizations using affected SharePoint versions face immediate decisions about disconnecting servers from the internet until patches become available.
Palo Alto Networks is actively notifying affected customers and working closely with Microsoft's Security Response Center to provide updated threat intelligence. Microsoft continues developing patches for older SharePoint versions, with timeline details yet to be announced.