SharePoint is used by businesses and governmental organizations worldwide for internal document management, data organizing, and collaboration.
What is a zero-day exploit?
A zero-day exploit is a cyberattack that takes advantage of a security flaw before the software vendor knows about it or has shipped a fix. The term “zero-day” refers to the vendor’s security engineers having had zero days to develop a solution by the time the flaw is being exploited.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) states that the SharePoint attack is “a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.”
According to security researchers, the exploit, known as ToolShell, is severe: it gives threat actors complete access to SharePoint file systems and to connected services such as Teams and OneDrive.
According to Google’s Threat Intelligence Group, the flaw might let malicious actors “bypass future patching.”
How widespread is the impact?
Eye Security wrote in a blog post that it had scanned more than 8,000 SharePoint servers globally and found that at least hundreds of them were compromised. According to the cybersecurity firm, the attacks most likely started on July 18.
According to Microsoft, the vulnerability primarily impacts SharePoint servers that are located on-site and utilized by companies or organizations; it has no effect on the company’s cloud-based SharePoint Online service.
However, Michael Sikorski, CTO and Head of Threat Intelligence for Palo Alto Networks’ Unit 42, cautions that the attack still leaves a large number of organizations exposed.
On-premise SharePoint deployments, especially those in government, education, healthcare (including hospitals), and large enterprises, are immediately at risk, while cloud environments are unaffected.
What do you do now?
Because the vulnerability affects SharePoint Server software, organizations running that product should immediately patch their on-premises systems by following Microsoft’s instructions.
CISA cautioned that the impact could be extensive and advised that any servers affected by the exploit be taken offline until they are patched, even though the full scope of the attack is still being determined.
We strongly advise companies using on-premises SharePoint to act right away, rotate any cryptographic content, implement all pertinent updates as they become available, and use expert incident response. Sikorski suggests unplugging your Microsoft SharePoint from the internet until a patch is available as a temporary solution.