Microsoft Issues Urgent Security Alert Over Active Attacks on SharePoint Servers
Microsoft has issued an urgent security alert, warning of “active attacks” targeting SharePoint servers used by government agencies and businesses across the globe. These attacks, identified over the weekend, exploit a previously unknown vulnerability in the document-sharing software, prompting immediate action from both Microsoft and federal investigators.
The Federal Bureau of Investigation (FBI) confirmed on Sunday that it is aware of the incidents and is working with federal and private-sector partners to address the threat. While details remain limited, the situation highlights a growing concern in the cybersecurity landscape.
Why This Matters
This zero-day attack represents a significant cybersecurity threat to organizations that rely on SharePoint for internal document management and collaboration. The vulnerability affects government agencies, schools, healthcare systems—including hospitals—and large enterprise companies. Attackers have been bypassing multi-factor authentication and single sign-on protections to gain privileged access.
One key point to understand is that the vulnerability affects only on-premises SharePoint servers used within organizations, not Microsoft’s cloud-based SharePoint Online service. This distinction is critical for IT teams assessing their risk exposure.
What Experts Are Saying
Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, shared insights into the nature of the attacks. He stated that “attackers are bypassing identity controls, including MFA and SSO, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys.”
According to Sikorski, the attackers have already established footholds in compromised systems, making patching alone insufficient to fully remove the threat. The compromise extends beyond SharePoint due to its deep integration with Microsoft’s platform, including Office, Teams, OneDrive, and Outlook. “What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform,” he said. “A compromise doesn’t stay contained—it opens the door to the entire network.”
Microsoft’s Response
Microsoft has released a security update for SharePoint Subscription Edition and is developing patches for the 2016 and 2019 versions. The company recommends that organizations unable to apply protective measures immediately disconnect their servers from the internet until updates become available.
The Microsoft Security Team emphasized the importance of applying updates as soon as possible. They stated, “We recommend security updates that customers should apply immediately.”
CISA and FBI Comments
The Cybersecurity and Infrastructure Security Agency (CISA) also addressed the issue, stating that it is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premises SharePoint servers. The vulnerability, designated CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations.
CISA noted that the exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.
The FBI confirmed in an email response that it is “aware of the attacks and working closely with federal and private-sector partners.” However, it declined to provide additional operational details.
What Comes Next
Organizations using affected SharePoint versions face immediate decisions about disconnecting servers from the internet until patches become available. Palo Alto Networks is actively notifying affected customers and working closely with Microsoft’s Security Response Center to provide updated threat intelligence.
Microsoft continues developing patches for older SharePoint versions, though timeline details have yet to be announced. As the situation evolves, organizations must remain vigilant and take swift action to protect their systems.
Ongoing Concerns
The incident underscores the growing complexity of modern cyber threats and the need for proactive security measures. With the integration of SharePoint into broader Microsoft ecosystems, a breach in one area can quickly escalate into a larger network-wide compromise.
As more details emerge, it is clear that this is a high-severity, high-urgency threat. Organizations are being urged to apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response teams if necessary.