Mass attack spree hits Microsoft SharePoint zero-day defect

Attackers are actively exploiting a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers, prompting industry heavyweights to sound the alarm over the weekend. 

Researchers discovered the active, ongoing attack spree Friday afternoon and warnings were issued en masse by Saturday evening. Microsoft released urgent guidance Saturday, advising on-premises SharePoint customers to turn on and properly configure Antimalware Scan Interface in SharePoint or disconnect servers from the internet until an emergency patch is available. The company released patches for two of the three versions of SharePoint affected by the defect Sunday, but has not issued a patch for SharePoint Server 2016 as of Monday morning. 

Researchers warn that attackers have already used the exploit dubbed “ToolShell” to intrude hundreds of organizations globally, including private companies and government agencies. The Cybersecurity and Infrastructure Security Agency issued an alert about active attacks and added the defect to its known exploited vulnerabilities catalog Saturday.

“This is a high-severity, high-urgency threat,” Michael Sikorski, chief technology officer and head of threat intelligence at Palo Alto Networks Unit 42, said in a statement. 

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said hundreds of organizations across government, education and critical infrastructure have been impacted across the United States, Germany, France and Australia. “This is going global, fast,” he said, adding that initial scans for the exploit started Wednesday, and exploitation was in full swing through Thursday and Friday.

The critical remote-code execution vulnerability, CVE-2025-53770, has an initial CVSS score of 9.8 and allows attackers to intrude unauthenticated systems with full access to files, internal configurations and code execution. The defect is a variant of CVE-2025-49706, which was patched in Microsoft’s security update earlier this month. 

The new widely exploited defect “reflects a bypass around Microsoft’s original patch” for CVE-2025-49706, Dewhurst said. Microsoft confirmed attacks are targeting on-premises SharePoint server customers by exploiting vulnerabilities partially addressed in the company’s July security update.

“Attackers are bypassing identity controls, including multi-factor authentication and single sign-on, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Sikorski added. 

“The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point,” he said. “Patching alone is insufficient to fully evict the threat.”

Palo Alto Networks Unit 42 said attackers are targeting organizations worldwide by dropping malicious ASPX payloads via PowerShell and stealing SharePoint servers’ internal cryptographic machine keys to maintain persistent access. 

“The theft of the MachineKey is critical because it allows attackers persistent, unauthenticated access that can bypass future patching,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in a LinkedIn post Saturday. “Organizations with vulnerable, public-facing SharePoint instances must urgently investigate for compromise and be prepared to rotate these keys to fully remediate the threat.”

Researchers at Eye Security said they’ve observed at least two waves of attacks as part of the mass exploitation campaign, and upon scanning more than 8,000 public-facing SharePoint servers determined the exploit is systemic. 

“Within hours, we identified more than dozens of separate servers compromised using the exact same payload at the same filepath. In each case, the attacker had planted a shell that leaked sensitive key material, enabling complete remote access,” Eye Security said in a blog post Saturday.

Attribution efforts are ongoing, but early signs point to nation-state attackers focused on persistence, Dewhurst said. “As always, when there is mass attention to a vulnerability, crime gangs and other threat actor groups will follow, which is what we’re seeing now.”

Shadowserver, which is working with Eye Security and watchTowr to notify impacted organizations, said its scans found about 9,300 SharePoint servers exposed to the internet daily.

“CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action. Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations,” Chris Butera, acting executive assistant director at CISA, said in a statement. “CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.”

Microsoft declined to answer questions, as its top security executives issued updates on social media throughout the weekend, noting that the company is working urgently to release patches for all impacted versions of SharePoint. The cloud-based version of SharePoint in Microsoft 365 is not impacted.

“We’re fairly certain it’s for once acceptable to call this a close-to-worst-case scenario. We spent the weekend trying to alert organizations to their exposure and, in some cases, were forced to watch them get compromised in real-time,” Dewhurst said.

“The sad reality is that we’ll see this vulnerability exploited long into the future as organizations fail to patch or as attackers return to regain access after stealing cryptographic keys, as has been seen heavily in activity this weekend,” he said.

Sikorski noted that SharePoint’s deep integration with Microsoft’s platform, which contains all the information valuable to an attacker, makes this especially concerning. “A compromise doesn’t stay contained — it opens the door to the entire network,” he said.

“An immediate, Band-Aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”