Microsoft has rushed out emergency out-of-band updates for a critical zero-day vulnerability in SharePoint Server that attackers were already exploiting before a fix existed. The flaw affects on-premises SharePoint Server 2016, 2019 and Subscription Edition; SharePoint Online in Microsoft 365 is not affected. Thousands of government agencies and corporations run the affected versions.
The flaw (CVE-2025-XXXXX) is exploited by an attack chain that researchers have named ToolShell. Despite the name, ToolShell is not a SharePoint component but the exploit chain itself: it combines an authentication bypass with a code-execution bug, so an unauthenticated remote attacker can run arbitrary code on the server. Security researchers have observed active exploitation since at least early July 2025, with attack volumes spiking dramatically last week. Microsoft's Security Response Center described the situation as 'an urgent and active threat' requiring immediate action.
According to telemetry data, approximately 10,000 organizations worldwide may be vulnerable, particularly those using SharePoint for document management and collaboration. The attacks appear highly targeted, focusing on government entities in North America and Europe, along with enterprises in the financial and healthcare sectors.
Technical analysis reveals the exploit chain involves:
- An authentication bypass that lets an unauthenticated request reach functionality normally restricted to signed-in users
- A code-execution flaw reached through that functionality, which runs attacker-supplied code in the context of the SharePoint web application's worker process
- Deployment of web shells for persistent access, including ones that read the server's ASP.NET machine keys so the attacker can forge valid requests later
- Lateral movement through connected systems
Microsoft's out-of-band updates fix the flaw on the supported versions. Because the attacks were observed stealing the server's ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt ViewState), which let an attacker forge valid requests and regain code execution on a server that has since been patched, Microsoft's guidance also calls for rotating those keys and restarting IIS on every SharePoint server after the update is applied. The company has also published indicators of compromise and detection guidance to help identify servers that were already compromised.
Cybersecurity teams should prioritize:
- Immediate application of the July 2025 out-of-band SharePoint security updates, followed by rotation of the ASP.NET machine keys and an IIS restart on every server in the farm
- Treating any server that was reachable from the internet before it was patched as potentially compromised, not merely vulnerable
- Inspection of SharePoint servers for recently created or modified .aspx files, particularly in the LAYOUTS directories where web shells are dropped
- Review of IIS and authentication logs for unusual patterns, such as POST requests to pages under /_layouts/ from external addresses
- Network segmentation of SharePoint environments, and removal of direct internet exposure where it is not required
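As an added example (not code from the article, from Microsoft or from the researchers it cites), the following PowerShell script carries out the file-inspection and log-review items above on an on-premises SharePoint 2016/2019 server: it inventories .aspx files written recently under the LAYOUTS folders of the 15 and 16 hives, and summarizes POST requests to pages under /_layouts/ from the IIS logs, grouped by client address and page. The 30-day look-back window, the report location, and the hive and IIS log paths (product defaults) are assumptions stated in the comments.

```powershell
# Added triage example, not taken from the article or from Microsoft's guidance.
# Run in an elevated PowerShell session on each on-premises SharePoint server.
# Assumptions: a 30-day look-back window, the default IIS log location, and the
# default "15"/"16" hive paths used by SharePoint 2016 and 2019; adjust as needed.
$Since   = (Get-Date).AddDays(-30)
$Hives   = "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\1[56]"
$IisLogs = 'C:\inetpub\logs\LogFiles'
$Report  = Join-Path $env:TEMP ("sp-triage-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))

# --- 1. Recently written .aspx files under the LAYOUTS folders ---------------
# Cumulative updates touch many files at once; a lone new .aspx with an
# unfamiliar name, owned by the app-pool identity, is what to chase.
$recentAspx = Get-ChildItem -Path "$Hives\TEMPLATE\LAYOUTS" -Recurse -Filter '*.aspx' -File |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
if ($recentAspx) {
    $recentAspx | Sort-Object Created -Descending | Format-Table -AutoSize
    $recentAspx | Export-Csv -LiteralPath $Report -NoTypeInformation
    Write-Host "File inventory written to $Report"
} else {
    Write-Host "No .aspx files created or modified since $Since under $Hives\TEMPLATE\LAYOUTS"
}

# --- 2. IIS log review: POSTs to .aspx pages under /_layouts/ ----------------
# Parses each W3C log using its own "#Fields:" header rather than assuming a
# fixed column order. IIS writes log timestamps in UTC by default.
function Read-IisLog {
    param([Parameter(Mandatory)][string]$Path)
    $header = $null
    try {
        foreach ($line in [System.IO.File]::ReadLines($Path)) {
            if ($line.StartsWith('#Fields:')) {
                $header = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or -not $header) { continue }
            $values = $line -split ' '
            $row = [ordered]@{}
            for ($i = 0; $i -lt $header.Count; $i++) { $row[$header[$i]] = $values[$i] }
            [pscustomobject]$row
        }
    } catch {
        Write-Warning "Could not read $Path : $_"
    }
}

$layoutPosts = Get-ChildItem -Path $IisLogs -Recurse -Filter '*.log' -File |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object { Read-IisLog -Path $_.FullName } |
    Where-Object { $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -match '/_layouts/.*\.aspx$' }

# Group by client IP and page. Ordinary users rarely POST to _layouts pages; an
# external address repeatedly POSTing to one page with an empty cs-username, or
# a page name you do not recognise, deserves a closer look (and the file check above).
$layoutPosts |
    Group-Object 'c-ip', 'cs-uri-stem' |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users';  e = { ($_.Group.'cs-username'    | Sort-Object -Unique) -join ';' } },
        @{ n = 'Status'; e = { ($_.Group.'sc-status'      | Sort-Object -Unique) -join ';' } },
        @{ n = 'Agents'; e = { ($_.Group.'cs(User-Agent)' | Sort-Object -Unique) -join ';' } } |
    Format-Table -AutoSize -Wrap
```

The file inventory is the part to act on first: compare the hashes of anything recent against a known-good server or the installed update package before deciding a file is benign, and preserve the file and its IIS log entries rather than deleting them, since the same evidence is needed to scope lateral movement.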
The incident highlights growing concerns about enterprise collaboration platforms becoming prime targets for advanced threat actors. With SharePoint's deep integration into organizational workflows, successful compromises can provide attackers with extensive access to sensitive documents and communication channels.