Microsoft issues warning about SharePoint vulnerability as multiple governments are targeted by cyberattacks

Microsoft has issued an emergency security alert, warning that its widely used SharePoint servers, which are extensively utilized for document collaboration within government and enterprise settings, are facing a large-scale cyberattack. Attackers are exploiting unpatched vulnerabilities to infiltrate government agencies and critical infrastructure in multiple countries, prompting urgent interventions from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) of the United States.

Microsoft has released security updates for SharePoint Subscription Edition and is currently developing patches for the 2016 and 2019 versions. Organizations unable to deploy protective measures immediately are advised to disconnect their servers from the network until the updates are available.

According to CISA and cybersecurity firm Palo Alto Networks, attackers are exploiting a zero-day vulnerability identified as CVE-2025-53770 to remotely execute code without authorization, bypassing multi-factor authentication (MFA) and single sign-on (SSO) protections to gain access to servers.

The Washington Post first reported on this cyberattack, revealing that unidentified attackers have targeted U.S. and international institutions and enterprises over the past few days using this vulnerability.

In a security advisory issued on Saturday (July 19th), Microsoft stated that the vulnerability only impacts SharePoint servers used internally within organizations, with SharePoint Online in the cloud-based Microsoft 365 remaining unaffected.

CISA spokesperson Marci McCarthy mentioned that a network security research company reported the incident on Friday and promptly contacted Microsoft.

CISA noted that the vulnerability is a variant of a previously known vulnerability, CVE-2025-49706, and the attack campaign has been dubbed “ToolShell”.

The FBI confirmed on Sunday that it is aware of these attacks and is working with federal and private-sector partners to address them, although no further details were provided.

Michael Sikorski, the Chief Technology Officer at Palo Alto Networks, told Newsweek that once attackers breach a system, they can deploy persistent backdoors and steal sensitive data and encryption keys, facilitating continued access to the system in the future.

“It is particularly concerning that SharePoint is closely integrated with the Microsoft platform,” Sikorski stated. “Once compromised, it will be difficult to control – it opens the door to the entire network.”

Reports from cybersecurity firms and government officials indicate that this wave of attacks has impacted government agencies and enterprise users globally, including U.S. federal and state governments, energy companies, academic institutions, healthcare systems, as well as organizations in Europe and Asia.

According to tracking by Dutch cybersecurity firm Eye Security, the vulnerability has led to over 50 intrusion incidents, including an energy company in the U.S. and several European government agencies. Researchers mentioned that at least two federal agencies in the U.S. have had their servers compromised, but specific names cannot be disclosed due to victim confidentiality agreements.

The affected institutions reportedly include a government entity in Spain, a local entity in Albuquerque, U.S., a university in Brazil, and an Asian telecommunications company.

The mastermind behind this global cyberattack and its ultimate objectives remain unclear. A private research institute claimed that the hackers simultaneously targeted servers within China and a state parliament system on the U.S. East Coast.

Officials in a state on the U.S. East Coast revealed that hackers have “seized” a public document repository of the state, originally intended to provide government information to the public to aid in understanding government operations. The state is currently unable to access this content, and it is unclear if files have been deleted.

The Arizona Department of Cybersecurity mentioned that they are closely coordinating with states, localities, and indigenous organizations to assess potential risks and share intelligence.

Randy Rose, Vice President of the non-profit organization Center for Internet Security, stated that they have issued warnings to about 100 potentially affected entities, including multiple public schools and universities.

The Washington Post highlighted that this incident has once again raised questions about Microsoft’s network security policies.

Last year, a group composed of government and industry experts criticized Microsoft for an excessively centralized design that led to security gaps, and held the company accountable for failing to prevent Chinese hackers from infiltrating top-level U.S. government emails in 2023, including those of then-Commerce Secretary Gina Raimondo.

Recent media reports revealed that Microsoft had long permitted Chinese engineers to support the U.S. Department of Defense’s cloud initiatives, prompting Defense Secretary Pete Hegseth to order a comprehensive review.