Microsoft Warns Governments and Businesses of Active “Zero‑Day” Attacks Targeting SharePoint Servers
July 23, 2025
Microsoft has warned governments and businesses of active attacks exploiting a critical zero‑day vulnerability in its SharePoint Server software, impacting government agencies, private enterprises, and educational institutions worldwide. The announcement, made in a security alert on July 19–20, underscores an escalating cyber‑espionage campaign targeting on‑premises deployments while leaving cloud‑based SharePoint Online unaffected.
Microsoft warns governments and businesses about active zero‑day attacks. Here are the key details.
- Microsoft Warns Governments and Businesses of Active “Zero‑Day” Attacks Targeting SharePoint Servers
- Scope of the Attack & Affected Targets
- Nature and Severity of the Vulnerability
- Microsoft Warns Governments and Businesses of Active “Zero‑Day” Attacks: Response and Remediation Steps
- Microsoft Warns Governments and Businesses of Active “Zero‑Day” Attacks: Implications and Reactions
- Final Word for Administrators
Microsoft Warns Governments and Businesses of Active “Zero‑Day” Attacks Targeting SharePoint Servers
Microsoft warns governments and businesses of active zero‑day attacks targeting SharePoint servers. Read on for the details.
Scope of the Attack & Affected Targets
Unnamed threat actors have leveraged a previously undisclosed vulnerability to launch a series of remote code execution exploits via a “ToolShell” attack chain. This zero‑day vulnerability, now tracked as CVE‑2025‑53770 (with the related CVE‑2025‑53771 addressed in follow‑on patches), allows unauthenticated attackers to bypass normal security controls, upload web shells, move laterally within networks, and extract sensitive cryptographic material such as machine‑key configurations.
Private researchers—including Google Threat Intelligence, Eye Security, and Palo Alto Networks’ Unit 42—have detected dozens of severely compromised servers and reported a large‑scale exploitation effort that began around July 18–19.
Impacted systems span multiple sectors, including U.S. federal and state agencies, universities, energy infrastructure companies, and a major Asian telecommunications provider. While the exact number of compromised servers remains unclear, analysts estimate that tens of thousands of SharePoint Server instances are at risk.
Nature and Severity of the Vulnerability
The exploit chain combines two critical flaws: CVE‑2025‑49706 (spoofing vulnerability) and CVE‑2025‑49704 (remote code execution). Attackers leveraged these to establish a foothold and escalate privileges without authentication. The newly assigned CVE‑2025‑53770 is essentially a variant or chained iteration of these earlier bugs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added the vulnerability to its Known Exploited Vulnerabilities catalog, emphasizing its urgency.
CrowdStrike’s Adam Meyers warned: “Anybody who’s got a hosted SharePoint server has got a problem.” With a CVSS score of 9.8—on the threshold of “critical”—the exploit enables full server takeover, persistent access via web shells, and exfiltration of sensitive data.
Microsoft Warns Governments and Businesses of Active “Zero‑Day” Attacks: Response and Remediation Steps
In warning governments and businesses of the active exploitation, Microsoft stated that it is coordinating closely with CISA, the Department of Defense Cyber Defense Command, the FBI, and other global cybersecurity partners. In its advisory, the company emphasized that only on‑premises SharePoint Server installations (2016, 2019, and Subscription Edition) are affected; SharePoint Online (part of Microsoft 365) remains secure.
As of July 20–21, Microsoft released emergency patches for Subscription Edition and SharePoint 2019 (via KB5002768 and KB5002754), with updates for SharePoint 2016 still pending.
Microsoft’s current recommendations:
- Patch immediately, prioritizing Subscription Edition and SharePoint 2019.
- Enable AMSI integration and deploy Defender Antivirus to block unauthorized payloads.
- Deploy Defender for Endpoint or equivalent endpoint detection tools to identify post‑exploit activity.
- Disconnect vulnerable servers from the internet if mitigation tools cannot be activated.
- Rotate machine‑key configurations and restart IIS to invalidate any machine keys already stolen.
Microsoft emphasized that long-term protection involves applying these security updates and regularly performing threat-hunting activities to detect and eradicate any persistent backdoors.
Microsoft Warns Governments and Businesses of Active “Zero‑Day” Attacks: Implications and Reactions
Security Week notes that Google’s intelligence team observed attackers installing web shells and exfiltrating cryptographic keys, enabling silent, persistent server control. Experts warn the ToolShell exploit is especially insidious because it blends into normal SharePoint traffic, complicating detection.
This incident echoes Microsoft’s 2021 Exchange Server breach—another zero‑day compromise that affected hundreds of thousands of servers and exposed deep supply‑chain vulnerabilities. Those attacks highlighted persistent challenges in defending on‑premises software in an increasingly hostile cyber landscape.
Final Word for Administrators
Organizations operating on‑premises SharePoint servers must act without delay:
- Deploy Microsoft’s July 2025 security updates immediately.
- Enable AMSI and use endpoint protection tools.
- Segregate vulnerable servers from public‑facing networks until fully secured.
- Investigate any signs of compromise—including suspicious .aspx files or web‑shell indicators—and rotate machine keys.
- Remain vigilant for secondary CVE‑2025‑53771 patches, especially for 2016 systems.
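As an added example (not from the article, Microsoft’s advisory, or any vendor tooling), the investigation step in the list above can be scripted: flag .aspx files under a SharePoint web root that were written on or after the campaign start the article reports (July 18, 2025) and that contain generic ASP.NET web‑shell markers. The web‑root layout, file names and marker list are assumptions constructed for illustration, not indicators from this incident.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Campaign start reported in the article; files written before it are deprioritised.
CAMPAIGN_START = datetime(2025, 7, 18, tzinfo=timezone.utc)

# Generic ASP.NET web-shell heuristics (constructed for this example, not
# indicators taken from the article): request data reaching process creation,
# assembly loading or file writes.
MARKERS = [
    r"Request\s*(\.Form|\.QueryString|\[)",
    r"Process\.Start",
    r"Assembly\s*\.\s*Load",
    r"File\.WriteAll(Bytes|Text)",
]

def scan_webroot(root, since=CAMPAIGN_START):
    """Return (path, mtime_iso, matched_markers) for recent .aspx files that match a marker."""
    findings = []
    for path in Path(root).rglob("*.aspx"):
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime < since:
            continue  # predates the campaign: lower priority, not proof of innocence
        text = path.read_text(errors="ignore")
        hits = [m for m in MARKERS if re.search(m, text, re.IGNORECASE)]
        if hits:
            findings.append((str(path), mtime.isoformat(), hits))
    return findings

def _write(path, body, when):
    """Write a constructed sample file and back-date its mtime to `when`."""
    path.write_text(body)
    os.utime(path, (when.timestamp(), when.timestamp()))

def demo():
    """Build a constructed web root under a temp dir and scan it (hypothetical layout)."""
    root = Path(tempfile.mkdtemp(prefix="aspx-hunt-")) / "_layouts"
    root.mkdir()
    utc = timezone.utc
    # Contains a marker but predates the campaign: skipped.
    _write(root / "old.aspx", '<%@ Page %> Request.Form["q"]', datetime(2024, 1, 1, tzinfo=utc))
    # Recent but harmless content: not flagged.
    _write(root / "recent_ok.aspx", "<%@ Page %><div>ok</div>", datetime(2025, 7, 20, tzinfo=utc))
    # Recent and wired for command execution: flagged.
    _write(root / "recent_bad.aspx", '<% Process.Start(Request["c"]); %>', datetime(2025, 7, 19, tzinfo=utc))
    return scan_webroot(root.parent)
```

Files that a legitimate July update replaced will also carry a recent mtime, so treat hits as a review queue rather than a verdict, and pair the file sweep with the machine‑key rotation the list calls for.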
With tens of thousands of vulnerable servers still exposed and skilled adversaries actively exploiting them, the imperative for swift response cannot be overstated. For now, Microsoft’s emergency patches and hardening guidelines are the frontline defense—provided they are deployed in time.
Microsoft warns governments and businesses of active “Zero‑Day” attacks. What steps are you taking to protect your business from these attacks? Share it with us in the comments section below.