Microsoft SharePoint Zero-Day Threat Exploited by Hackers, Affects U.S. Government Agencies

Microsoft has released critical patches for a zero-day vulnerability in its SharePoint Server software after hackers exploited the flaw to compromise over 400 servers globally, including several major U.S. government agencies. The attack, which leverages a previously undocumented exploit chain dubbed ‘ToolShell,’ highlights the urgent need for cybersecurity measures in organizations that use on-premise versions of the platform.

According to cybersecurity firm Eye Security, the vulnerability was first identified in mid-July and rapidly weaponized against real-world organizations. The exploit allows attackers to breach SharePoint servers, steal data, and maintain long-term access even after the system has been patched. This is achieved by stealing the cryptographic keys used for authentication, which lets attackers impersonate legitimate users and services and even gain access to connected Microsoft services such as Outlook, Teams, and OneDrive.

The exploit chain, known as ‘ToolShell,’ was based on vulnerabilities demonstrated at the Pwn2Own security conference earlier this year. While those exploits were initially shared as research for security assessments, cybercriminals have now turned them into a real-world threat. The vulnerability affects all on-premise versions of SharePoint, making it a high-risk target for organizations, especially those in the U.S. federal government, education, and private sectors.

National security experts have raised concerns that this exploit could be used by state-sponsored cyber actors, including the possibility of its use for Chinese espionage. The National Nuclear Security Administration (NNSA), the Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly have all been reported as compromised, with Microsoft confirming that the NNSA was targeted but not confirming a successful breach.

Microsoft has acknowledged the security incident, confirming that ‘active attacks’ were taking place and releasing patches for all supported on-premise versions of SharePoint Server 2016, Server 2019, and the Subscription Edition. However, the number of affected organizations is growing rapidly, with researchers now estimating that over 400 SharePoint servers have been compromised worldwide, although the exact number of affected entities remains unclear.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent recommendations to organizations, including disconnecting vulnerable servers from the internet, applying patches, rotating cryptographic keys, and monitoring systems for signs of unauthorized access. Companies using on-premise SharePoint are advised to take immediate action to secure their data, with steps including patching systems, enabling security logging, and transitioning to SharePoint Online where possible.

The incident underscores the rapidly evolving threat landscape, where research into security flaws is being turned into real-world attacks within a short timeframe. This has raised calls for more stringent oversight and regulations on the use of secure software in government and critical infrastructure sectors. Cybersecurity experts are now urging increased collaboration between private and public entities to enhance defenses against such threats.

For organizations that rely on on-premise SharePoint, the incident serves as a stark reminder of the potential risks associated with outdated infrastructure and the importance of proactive cybersecurity measures. As the threat landscape continues to evolve, it is crucial for businesses and governments to remain vigilant, invest in robust security frameworks, and stay informed about emerging threats to protect their data and operations.