What we know so far about the critical SharePoint vulnerability and Microsoft’s emergency fix

New York: Microsoft has released an urgent security fix to address a critical vulnerability in its widely-used SharePoint software that hackers have exploited in attacks targeting businesses and some US government agencies.
The flaw, described as a zero-day exploit, was first acknowledged by Microsoft on Saturday. By Sunday, the company provided instructions to patch the issue for SharePoint Server 2019 and SharePoint Server Subscription Edition. A fix for the older SharePoint Server 2016 is still in progress.
“Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. “It’s a significant vulnerability.”
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the exploit affecting SharePoint is "a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.”
Security researchers warn that the exploit, reportedly known as “ToolShell,” is a serious one and can allow actors to fully access SharePoint file systems, including services connected to SharePoint, such as Teams and OneDrive.
SharePoint is used globally by businesses and government bodies for managing documents and collaboration. Microsoft clarified that the cloud-based SharePoint Online service is unaffected; only on-premise (on-site) servers are vulnerable.
Google’s Threat Intelligence Group warned that the flaw may allow bad actors to bypass future patches, raising concerns about its long-term impact. Meanwhile, cybersecurity firm Eye Security reported that attacks likely began on July 18 and that dozens of SharePoint servers have already been compromised.
Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, warns that the exploit still leaves many potentially exposed to bad actors.
“While cloud environments remain unaffected, on-prem SharePoint deployments — particularly within government, schools, health care including hospitals, and large enterprise companies — are at immediate risk."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also urged affected organizations to disconnect vulnerable SharePoint servers from the internet until they are patched. CISA recommends applying available fixes.
"Rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski advises.
AP inputs