What Is A ‘Zero-Day’ Exploit? Microsoft SharePoint Hack Putting Govts at Risk | Explained

A serious zero-day vulnerability in Microsoft SharePoint has triggered global cyberattacks, affecting governments and businesses. Experts have warned of widespread risks as Microsoft races to patch affected versions. Meanwhile, US agencies and cybersecurity firms have urged urgent mitigation steps.

Published By: Kriti Dhingra
Published: July 22, 2025 10:11:00 IST

A newly discovered ‘zero-day’ vulnerability in Microsoft SharePoint has been actively exploited by hackers, prompting urgent warnings from cybersecurity agencies and a fast-tracked response from Microsoft. The software, widely used by businesses and governments to manage internal documents and communication, has become the latest target in a series of high-profile cyberattacks in recent months. Here is all you need to know about what has happened, who is affected, why it matters, and what you should do.

What Is Happening?

Microsoft issued an alert over the weekend, acknowledging the exploit and releasing emergency security patches for SharePoint Server 2019 and SharePoint Subscription Edition. A fix for SharePoint Server 2016 is still in the works.

“This is a significant vulnerability,” Adam Meyers, senior VP at CrowdStrike, told The Associated Press, adding, “Anybody who has got a hosted SharePoint server has got a problem.”

What Is a Zero-Day Exploit?

A zero-day exploit refers to an attack that takes advantage of a vulnerability before the software’s developers are aware of it and have had a chance to issue a fix. According to the US Cybersecurity and Infrastructure Security Agency (CISA), the exploit is “a variant of the existing vulnerability CVE-2025-49706” and can allow unauthorised access to file systems and internal configurations, and even execution of malicious code over a network, as reported by The Associated Press.

Security experts have warned that the exploit, also called “ToolShell,” may allow attackers to bypass future patches entirely. Google’s Threat Intelligence Group, the report said, has flagged it as particularly dangerous for this reason.

Who/What Is Affected?

Microsoft has insisted that the vulnerability does not impact cloud-based SharePoint Online. It does, however, affect on-premise servers, which are often used by governments, schools, hospitals and large businesses.

A Washington Post report stated that at least two US federal agencies were breached. According to Dutch cybersecurity firm Eye Security, attacks began around July 18, and their scan of over 8,000 SharePoint servers revealed dozens already compromised.

The Shadowserver Foundation and Sophos estimate that around 100 organisations, mostly in the US and Germany, have been affected so far, Reuters reported.

What Is Being Done?

Microsoft is “coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response,” a company spokesperson told Reuters.

As of Monday, patches were only available for newer SharePoint versions, with reports suggesting that the SharePoint 2016 version remains vulnerable, prompting officials to recommend disconnecting affected servers from the internet until patched.

“Organisations should apply all relevant patches, rotate all cryptographic material, and engage professional incident response,” the AP quoted Michael Sikorski, CTO at Palo Alto Networks’ Unit 42, as saying.

Not The First Breach Reported: A Pattern of Vulnerabilities?

The latest breach comes amid growing scrutiny of Microsoft’s cybersecurity practices. In 2023, Chinese hackers exploited a flaw in Microsoft Exchange to access the emails of American officials, per a Forbes report. A White House-commissioned Cyber Safety Review Board subsequently criticised Microsoft for a “cascade of avoidable errors.”

While the origin of the current exploit remains unclear, Google’s Threat Intelligence Group, according to a Reuters report, has linked parts of the operation to a “China-nexus threat actor.” The FBI and the UK’s National Cyber Security Centre have both confirmed they are tracking the campaign.

What Should You Do?

If your organisation runs on-premise SharePoint, immediate action is advisable. Microsoft’s advisory recommends:

  • Applying available patches
  • Disconnecting servers temporarily
  • Rotating encryption keys
  • Conducting a full incident response review

“Just applying the patch isn’t all that is required here… taking an assumed breach approach is wise,” Reuters quoted Daniel Card of PwnDefend as saying.
