Microsoft SharePoint Hack: What to Know About the New Zero-Day Vulnerability Affecting Servers Worldwide
A serious security flaw in Microsoft SharePoint is being used by hackers to attack businesses and some U.S. government agencies. Microsoft has issued a warning and is urging anyone using certain versions of SharePoint to patch their systems immediately. The issue affects on-site servers — not cloud-based ones — and could lead to major data breaches if not fixed quickly.
What Is Happening?
Microsoft SharePoint, a platform widely used by companies and organizations for managing files and team collaboration, is currently facing a critical cybersecurity issue. Over the weekend, Microsoft confirmed that hackers are actively exploiting a “zero-day vulnerability” in its SharePoint Server software.
A zero-day vulnerability is a previously unknown flaw in software that hackers can use before a fix is available — meaning developers have had “zero days” to patch it. This makes it especially dangerous.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says the current vulnerability is a variation of an existing issue known as CVE-2025-49706. The exploit allows attackers to gain full access to the SharePoint system, including connected services like Microsoft Teams and OneDrive.
Who Is Affected?
Anyone running Microsoft SharePoint Server software on their own servers — often called “on-premise” servers — is at risk. That includes:
- Government offices
- Schools and universities
- Healthcare networks
- Private businesses of all sizes
It does not affect SharePoint Online, Microsoft’s cloud-based version of the software.
Cybersecurity firm Eye Security said it scanned over 8,000 SharePoint servers around the world and found that dozens had already been compromised. The firm believes the attacks began on July 18.
What Is the ToolShell Exploit?
Security researchers believe hackers are using a tool known as ToolShell to carry out these attacks. According to Google’s Threat Intelligence Group, this exploit may allow hackers to maintain access even after patches are applied — a big concern for long-term data security.
Adam Meyers, a senior vice president at cybersecurity firm CrowdStrike, said: “Anybody who’s got a hosted SharePoint server has got a problem. It’s a significant vulnerability.”
The concern is not just about immediate damage. If hackers can maintain access even after companies think they’ve fixed the issue, it could lead to long-lasting breaches and data theft.
What Has Microsoft Done?
Microsoft issued an emergency alert on Saturday, July 20, confirming the vulnerability and saying a fix was on the way. By Sunday, the company had released official guidance on how to patch:
- SharePoint Server 2019
- SharePoint Server Subscription Edition
However, Microsoft is still working on a fix for older software — specifically SharePoint Server 2016.
If your organization uses one of these versions, it’s important to apply Microsoft’s patch immediately or follow any temporary workarounds they suggest.
What Should You Do Now?
If your business or agency is running SharePoint Server software on-premise, here’s what experts recommend:
- Patch immediately. Follow Microsoft’s updated guidance to install the security fix.
- Take affected servers offline. Both Microsoft and CISA advise disconnecting vulnerable servers from the internet until patches are applied.
- Check for signs of compromise. Review system logs, audit access, and monitor for unusual activity.
- Stay updated. Monitor Microsoft’s support page and cybersecurity alerts for the latest developments.
For organizations using SharePoint Online, there’s currently no need to take action — the cloud-based system is not affected by this exploit.
Why This Matters
SharePoint is a core tool for thousands of organizations to manage internal documents and team communications. A security flaw that gives hackers full access to those systems can lead to:
- Data breaches
- Ransomware attacks
- Leaks of confidential files
- Disruption to internal operations
Because many government agencies and critical services (like healthcare and education) rely on SharePoint, this vulnerability could have wide-reaching effects.
Final Thoughts
This incident is a reminder of the risks involved with running on-premise server software. Unlike cloud-based systems, on-site servers require constant monitoring and manual patching to stay secure.
If your organization hasn’t reviewed its SharePoint setup in a while, now is the time.
The situation is still unfolding, and Microsoft continues to release updates. Make sure your IT teams are staying informed and acting quickly to protect your systems from potential damage.
Source: AP News – What to know about a vulnerability being exploited on Microsoft SharePoint servers