Microsoft SharePoint vulnerability: Why MS has released a 'zero-day' urgent update and who is at risk


Agencies
Microsoft has released an urgent patch for a critical "zero-day" vulnerability in its SharePoint software, after confirming that the flaw was actively exploited by hackers targeting businesses and U.S. government agencies. The company confirmed the vulnerability and issued the fix between July 19 and 20, while security agencies have advised affected organisations to disconnect unpatched servers from the internet.

What is the SharePoint zero-day vulnerability?

The vulnerability, found in Microsoft SharePoint, is a zero-day flaw. A zero-day vulnerability is a previously unknown security issue that attackers can exploit before developers have had time to release a fix. Microsoft SharePoint is widely used by organisations for internal file sharing, team collaboration, and document management.

In an alert issued on Saturday, July 19, Microsoft confirmed that the vulnerability was already being exploited. A day later, on Sunday, July 20, the company issued guidance for applying security patches to SharePoint Server 2019 and SharePoint Server Subscription Edition. Microsoft said it was still working on a patch for SharePoint Server 2016.


Microsoft SharePoint: Older servers still at risk

Microsoft’s fix currently covers only the newer versions of the software. Users of SharePoint Server 2016 will remain exposed until a patch is developed. Experts warn that any organisation running on-premises SharePoint servers should treat the situation as urgent.

Adam Meyers, senior vice president at cybersecurity firm CrowdStrike, told the Associated Press, "Anybody who's got a hosted SharePoint server has got a problem." He added, "It's a significant vulnerability."

When did the attacks begin?

According to cybersecurity company Eye Security, attackers may have started exploiting the vulnerability as early as July 18. The company said it scanned over 8,000 SharePoint servers globally and found that at least dozens of them had been compromised.

Security researchers identified the exploit as “ToolShell,” which reportedly gives attackers full access to SharePoint file systems. Services integrated with SharePoint, such as Microsoft Teams and OneDrive, are also at risk. Google's Threat Intelligence Group warned that the flaw could even enable attackers to "bypass future patching."

Government warning and recommended action

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has described the exploit as "a variant of the existing vulnerability CVE-2025-49706" and said it threatens organisations using on-premises SharePoint servers. The agency urged affected entities to take their servers offline until they are patched, warning that the impact of the breach could be widespread.