Jul 23, 2025, 4:33 PM
Jul 20, 2025, 12:00 AM

Microsoft confirms crisis as SharePoint servers face mass attacks

Highlights
  • Cybersecurity experts identified a mass exploitation of a critical vulnerability in Microsoft SharePoint Server.
  • Microsoft confirmed that active attacks are targeting on-premises servers, with no patch available yet.
  • Immediate measures and collaborative efforts are underway to address the cybersecurity threat.
Story

In July 2025, a significant cybersecurity threat emerged targeting on-premises Microsoft SharePoint servers globally, particularly affecting U.S. government agencies and critical infrastructure. Security experts identified exploitation of a vulnerability tracked as CVE-2025-53770, also referred to as ToolShell, which allows attackers to execute code remotely without authenticating. The Cybersecurity and Infrastructure Security Agency (CISA) reported awareness of the ongoing attacks, prompting immediate action across various sectors. Microsoft acknowledged the gravity of these threats and noted that an emergency patch was under development.

The situation escalated on July 19, 2025, when researchers confirmed that exploitation had likely begun a day earlier, with dozens of servers already compromised. Affected organizations spanned multiple regions and included various U.S. federal, state, and local agencies, adding pressure on cybersecurity teams to react swiftly. The exploit's widespread impact raised concerns about potential data theft and unauthorized access to critical systems worldwide. The vulnerability posed risks not only to government entities but also to educational institutions and private businesses that used SharePoint Server. Furthermore, the flaw allowed attackers to move laterally across networks and access internal configurations and SharePoint content effortlessly.

Microsoft issued alerts and mitigation advice, recommending that users apply specific security updates and, if possible, disconnect their servers from the internet until the patch became available. The company stated that SharePoint Online in Microsoft 365 remained secure and that the exploit endangered only on-premises installations. The exploit's sophistication highlighted critical weaknesses in legacy systems and in the security assumptions held by organizations.
Experts urged organizations to reassess their security policies, advocating stronger perimeter defenses and multi-factor authentication. The urgency surrounding the vulnerability prompted cybersecurity experts and government officials to collaborate on identifying and addressing affected entities. As investigations continued, Microsoft assured stakeholders of its commitment to resolving the issue and preventing future exploitation, reinforcing the importance of proactive security measures in today's threat landscape.
