Attackers are actively exploiting a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers, prompting industry heavyweights to sound the alarm over the weekend. 

Researchers discovered the active, ongoing attack spree Friday afternoon and warnings were issued en masse by Saturday evening. Microsoft released urgent guidance Saturday, advising on-premises SharePoint customers to turn on and properly configure Antimalware Scan Interface in SharePoint or disconnect servers from the internet until an emergency patch is available. The company released patches for two of the three versions of SharePoint affected by the defect Sunday, but has not issued a patch for SharePoint Server 2016 as of Monday morning. 

Researchers warn that attackers have already used the exploit dubbed “ToolShell” to intrude hundreds of organizations globally, including private companies and government agencies. The Cybersecurity and Infrastructure Security Agency issued an alert about active attacks and added the defect to its known exploited vulnerabilities catalog Saturday.

“This is a high-severity, high-urgency threat,” Michael Sikorski, chief technology officer and head of threat intelligence at Palo Alto Networks Unit 42, said in a statement. 

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said hundreds of organizations across government, education and critical infrastructure have been impacted across the United States, Germany, France and Australia. “This is going global, fast,” he said, adding that initial scans for the exploit started Wednesday, and exploitation was in full swing through Thursday and Friday.

The critical remote-code execution vulnerability, CVE-2025-53770, has an initial CVSS score of 9.8 and allows attackers to intrude unauthenticated systems with full access to files, internal configurations and code execution. The defect is a variant of CVE-2025-49706, which was patched in Microsoft’s security update earlier this month. 

The new widely exploited defect “reflects a bypass around Microsoft’s original patch” for CVE-2025-49706, Dewhurst said. Microsoft confirmed attacks are targeting on-premises SharePoint server customers by exploiting vulnerabilities partially addressed in the company’s July security update.

“Attackers are bypassing identity controls, including multi-factor authentication and single sign-on, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Sikorski added. 

“The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point,” he said. “Patching alone is insufficient to fully evict the threat.”

Palo Alto Networks Unit 42 said attackers are targeting organizations worldwide by dropping malicious ASPX payloads via PowerShell and stealing SharePoint servers’ internal cryptographic machine keys to maintain persistent access. 

“The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in a LinkedIn post Saturday. “Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat.”

Researchers at Eye Security said they’ve observed at least two waves of attacks as part of the mass exploitation campaign, and upon scanning more than 8,000 public-facing SharePoint servers determined the exploit is systemic. 

“Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access,” Eye Security said in a blog post Saturday.

Attribution efforts are ongoing, but early signs point to nation-state attackers focused on persistence, Dewhurst said. “As always, when there is mass attention to a vulnerability, crime gangs and other threat actor groups will follow, which is what we’re seeing now.”

Shadowserver, which is working with Eye Security and watchTowr to notify impacted organizations, said its scans found about 9,300 SharePoint servers exposed to the internet daily.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action. Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations,” Chris Butera, acting executive assistant director at CISA, said in a statement. “CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.”

Microsoft declined to answer questions, as its top security executives issued updates on social media throughout the weekend, noting that the company is working urgently to release patches for all impacted versions of SharePoint. The cloud-based version of SharePoint in Microsoft 365 is not impacted.

“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario. We spent the weekend trying to alert organizations to their exposure and, in some cases, were forced to watch them get compromised in real-time,” Dewhurst said.

“The sad reality is that we’ll see this vulnerability exploited long into the future as organizations fail to patch or as attackers return to regain access after stealing cryptographic keys, as has been seen heavily in activity this weekend,” he said.

Sikorski noted that SharePoint’s deep integration with Microsoft’s platform, which contains all the information valuable to an attacker, makes this especially concerning. “A compromise doesn’t stay contained — it opens the door to the entire network,” he said.

“An immediate, Band-Aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

The post Mass attack spree hits Microsoft SharePoint zero-day defect appeared first on CyberScoop.

On Sunday, July 20, Microsoft Corp. issued an emergency security update for a vulnerability in SharePoint Server that is actively being exploited to compromise vulnerable organizations. The patch comes amid reports that malicious hackers have used the SharePoint flaw to breach U.S. federal and state agencies, universities, and energy companies.

In an advisory about the SharePoint security hole, a.k.a. CVE-2025-53770, Microsoft said it is aware of active attacks targeting on-premises SharePoint Server customers and exploiting vulnerabilities that were only partially addressed by the July 8, 2025 security update.

The Cybersecurity & Infrastructure Security Agency (CISA) concurred, saying CVE-2025-53770 is a variant on a flaw Microsoft patched earlier this month (CVE-2025-49706). Microsoft notes the weakness applies only to SharePoint Servers that organizations use in-house, and that SharePoint Online and Microsoft 365 are not affected.

The Washington Post reported on Sunday that the U.S. government and partners in Canada and Australia are investigating the hack of SharePoint servers, which provide a platform for sharing and managing documents. The Post reports at least two U.S. federal agencies have seen their servers breached via the SharePoint vulnerability.

According to CISA, attackers exploiting the newly-discovered flaw are retrofitting compromised servers with a backdoor dubbed “ToolShell” that provides unauthenticated, remote access to systems. CISA said ToolShell enables attackers to fully access SharePoint content — including file systems and internal configurations — and execute code over the network.

Researchers at Eye Security said they first spotted large-scale exploitation of the SharePoint flaw on July 18, 2025, and soon found dozens of separate servers compromised by the bug and infected with ToolShell. In a blog post, the researchers said the attacks sought to steal SharePoint server ASP.NET machine keys.

“These keys can be used to facilitate further attacks, even at a later date,” Eye Security warned. “It is critical that affected servers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers. Patching alone is not enough. We strongly advise defenders not to wait for a vendor fix before taking action. This threat is already operational and spreading rapidly.”

Microsoft’s advisory says the company has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but that it is still working on updates for supported versions of SharePoint 2019 and SharePoint 2016.

CISA advises vulnerable organizations to enable the anti-malware scan interface (AMSI) in SharePoint, to deploy Microsoft Defender AV on all SharePoint servers, and to disconnect affected products from the public-facing Internet until an official patch is available.

The security firm Rapid7 notes that Microsoft has described CVE-2025-53770 as related to a previous vulnerability — CVE-2025-49704, patched earlier this month — and that CVE-2025-49704 was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May 2025. That exploit chain invoked a second SharePoint weakness — CVE-2025-49706 — which Microsoft unsuccessfully tried to fix in this month’s Patch Tuesday.

Microsoft also has issued a patch for a related SharePoint vulnerability — CVE-2025-53771; Microsoft says there are no signs of active attacks on CVE-2025-53771, and that the patch is to provide more robust protections than the update for CVE-2025-49706.

This is a rapidly developing story. Any updates will be noted with timestamps.