Cyberattacks exploiting zero-day vulnerabilities in on-premises SharePoint Servers have so far led to ‘widespread impact across hundreds of organizations,’ according to a researcher at cybersecurity vendor watchTowr.
The wave of cyberattacks exploiting zero-day vulnerabilities in on-premises Microsoft SharePoint Servers poses a massive risk to organizations that should be given the highest priority, according to a researcher at cybersecurity vendor watchTowr.
The “ToolShell” cyberattack campaign, which is reportedly ongoing, involves exploitation of a pair of vulnerabilities (tracked at CVE-2025-53770 and CVE-2025-53771) that impact on-premises Microsoft SharePoint Servers. Microsoft has made patches available for some of the affected versions of SharePoint Server, but not all impacted versions have available patches as of this writing.
The attacks quickly became “widespread” in part because the flaws are “trivial” to exploit and entail bypassing authentication, according to Ryan Dewhurst, head of proactive threat intelligence at watchTowr. In addition, the campaign has been targeting “critical software used by critical organizations and industries,” he said in an email statement provided to CRN.
Due to all these factors, “we’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario,” Dewhurst said in the statement Monday. “We spent the weekend trying to alert organizations to their exposure, and in some cases, were forced to watch them get compromised in real-time.”
So far, researchers at watchTowr have seen “widespread impact across hundreds of organizations—including those that many would consider ‘incredibly sensitive,’” he said in the email statement. Those include government organizations and educational institutions, as well as organizations that manage critical infrastructure.
Attacks have been underway since at least July 17, with the U.S., Germany, France and Australia “currently bearing the brunt of exploitation activity,” Dewhurst said in the statement.
“The sad reality is that we’ll see this vulnerability exploited long into the future as organizations fail to patch or as attackers return to regain access after stealing cryptographic keys as has been seen heavily in activity this weekend,” he said.
The attacks are believed to have compromised victims including U.S. government agencies as well as state agencies, universities and corporations, according to a report from The Washington Post.
In response to an email from CRN seeking further comment Monday, Microsoft referred to a customer guidance advisory posted online.
Microsoft said in the advisory that it “is aware of active attacks targeting on-premises SharePoint Server customers” through exploitation of the zero-day vulnerabilities tracked at CVE-2025-53770 and CVE-2025-53771.
Microsoft has released emergency patches to address the vulnerabilities in the SharePoint Server Subscription Edition and SharePoint Server 2019.
“Customers should apply these updates immediately to ensure they’re protected,” Microsoft said in its customer guidance advisory.
However, as of this writing, patches were not yet available for Microsoft SharePoint Server 2016. The company said in the advisory that it is working on the SharePoint Server 2016 fixes.
The flaws only affect on-premises SharePoint Servers and do not impact SharePoint Online in Microsoft 365, Microsoft noted.
Organizations that have had on-premises SharePoint Servers exposed to the internet should proceed as if their systems are compromised, according to threat experts.
“If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point,” said Michael Sikorski, CTO and head of threat intelligence at Palo Alto Networks’ Unit 42, in an email statement provided to CRN. “Patching alone is insufficient to fully evict the threat.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory that exploitation of the remote code execution vulnerability tracked at CVE-2025-53770 has been “enabling unauthorized access to on-premise SharePoint servers” for threat actors.
The exploitation activity “provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” CISA said in the advisory.