
Microsoft warns of security issue affecting SharePoint servers

The SharePoint software is used by thousands of government agencies, universities and private businesses around the world; at least one telecom has been targeted by hackers.

By: Matthew Keys (mkeys@thedesk.net)

Microsoft is warning businesses about a previously unknown security issue that has been exploited by cyber criminals against businesses and government agencies around the world for the past few weeks.

The issue involves SharePoint, software that is widely used to run and manage servers operating Microsoft Windows. The so-called “zero-day” exploit (a term referring to a security flaw unknown to the software maker and therefore unpatched) allowed hackers to gain full access to on-premises SharePoint file systems, with potential reach into connected services such as Outlook, Teams, and OneDrive. The breach does not impact Microsoft’s cloud-based services like Microsoft 365, officials said.

Microsoft is referring to the bug as “ToolShell.” The glitch and the subsequent hacks are being investigated by many law enforcement groups around the world, including the FBI in the United States and domestic equivalents in Canada and Australia.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the exploit is a variant of CVE-2025-49706 and “poses a risk to organizations with on-premise SharePoint servers.”

Microsoft confirmed the issue in a customer advisory on Saturday and began rolling out an emergency patch Sunday night for SharePoint Server 2019 and SharePoint Server Subscription Edition. A fix for SharePoint Server 2016 remains in development. Microsoft had previously urged customers to disconnect vulnerable servers from the internet or implement manual mitigations in the interim.

“Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president at cybersecurity firm CrowdStrike. “It’s a significant vulnerability.”

The scope of the attack remains under investigation, but researchers say the impact is wide-ranging. Netherlands-based security firm Eye Security said it has tracked over 50 intrusions, including breaches at European government agencies, a major energy company in a large U.S. state, and an Asian telecommunications firm. One research firm reportedly identified compromised servers in China and at a state legislature in the eastern United States.

At least two U.S. federal agencies have had their SharePoint systems breached, according to sources familiar with the matter. Victim confidentiality agreements have prevented public identification of affected entities.

The FBI said in a statement that it is “aware of the matter” and is working “closely with our federal government and private sector partners.”

Researchers warned that the attack is particularly dangerous because hackers appear to have obtained authentication keys that could allow them to regain access even after a patch is installed. “So pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours,” said one security expert, speaking anonymously due to an ongoing federal investigation.

The incident is the latest cybersecurity setback for Microsoft. A 2023 report faulted the company for lapses that enabled a Chinese state-backed hack targeting U.S. government emails, including messages belonging to then-Commerce Secretary Gina Raimondo.

About the Author:

Matthew Keys

Matthew Keys is the award-winning founder and editor of TheDesk.net, an authoritative voice on broadcast and streaming TV, media and tech. With over ten years of experience, he's a recognized expert in broadcast, streaming, and digital media, with work featured in publications such as StreamTV Insider and Digital Content Next, and past roles at Thomson Reuters and Disney-ABC Television Group.