Media reports have pointed to global cyberattacks exploiting vulnerabilities in on-premises SharePoint Servers, which are believed to have compromised victims including the U.S. government.
Microsoft confirmed “active” cyberattacks exploiting vulnerabilities in on-premises SharePoint Servers and released emergency patches for several versions of the systems.
The worldwide attacks are believed to have compromised victims including the U.S. government as well as state agencies, universities and corporations, according to a report from the Washington Post.
CRN has reached out to Microsoft for comment.
In a customer guidance advisory posted online, Microsoft said it “is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities,” which are tracked as CVE-2025-53770 and CVE-2025-53771.
The flaws only affect on-premises SharePoint Servers and do not impact SharePoint Online in Microsoft 365, Microsoft noted.
The tech giant released emergency patches to address the vulnerabilities in the Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019.
However, as of this writing, patches were not yet available for Microsoft SharePoint Server 2016. The company said in the advisory that it is working on the SharePoint Server 2016 fixes.
On Sunday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the remote code execution vulnerability tracked as CVE-2025-53770 — and dubbed “ToolShell” — has seen exploitation.
“CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers,” the agency said in an advisory.
“While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations,” CISA said. “This exploitation activity, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
In an email statement provided to CRN, Michael Sikorski, CTO and head of threat intelligence at Palo Alto Networks’ Unit 42, described the attacks as a “high-impact, ongoing threat campaign.”
“If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat,” Sikorski said in the statement.
Attackers are “bypassing identity controls, including MFA and SSO, to gain privileged access,” he said in the email statement. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold.”
Additionally, “what makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which has all the information valuable to an attacker,” Sikorski said in the statement.
Ultimately, “this is a high-severity, high-urgency threat,” he said in the email statement. “We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available. A false sense of security could result in prolonged exposure and widespread compromise.”