Microsoft Issues Emergency SharePoint Patch After Global Attacks

Microsoft has issued emergency security updates to address a critical zero-day vulnerability in SharePoint Server that cybercriminals have exploited to breach US federal and state agencies, universities, energy companies, and organizations worldwide.

The vulnerability affects only on-premises SharePoint servers and allows unauthenticated attackers to execute code remotely and gain full access to SharePoint content, including file systems and internal configurations. SharePoint Online and Microsoft 365 services are not impacted.

Multiple security researchers report that over 85 servers have been compromised worldwide, with Eye Security telling BleepingComputer that over 29 organizations have already been compromised by the attacks.

Security researchers first detected mass exploitation on the evening of July 18, 2025, with attacks continuing through July 19. Eye Security, which discovered the flaw, reported finding dozens of systems actively compromised during two waves of attack during this period.

Microsoft formally attributed the exploitation campaign to three China-linked threat groups, with evidence showing these actors were active as early as July 7, 2025 - over a week before the mass exploitation was initially detected.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog on July 20, describing the exploitation activity as providing unauthenticated access to systems and enabling malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

Microsoft acknowledged the active attacks in a customer advisory published Saturday, stating it was aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.

The vulnerability is a variant of a previously identified security flaw that Microsoft had attempted to patch in its July 8 security update but only partially addressed. Attackers have been using an exploit chain dubbed "ToolShell" that combines multiple SharePoint vulnerabilities to maintain persistent access to compromised systems.

According to research company Eye Security, attackers are not only stealing data but also stealing the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access. These cryptographic keys allow attackers to regain entry even after systems are patched.

Microsoft released security updates on Sunday for SharePoint Server 2019 and SharePoint Subscription Edition, with additional patches for SharePoint Server 2016 following on Monday evening. The company said it has been coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout its response.

For organizations that cannot immediately apply patches, Microsoft recommends configuring Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Microsoft Defender Antivirus on all SharePoint servers. Organizations unable to enable AMSI are advised to disconnect their SharePoint servers from the internet until patches can be applied.

The Australian Cyber Security Centre (ACSC) has issued an advisory acknowledging the vulnerability and recommending that Australian organisations review their networks for vulnerable instances of Microsoft Office SharePoint Server products and consult Microsoft's customer advisory for mitigation advice.

The ACSC notes that the vulnerability involves the deserialisation of untrusted data in on-premises Microsoft SharePoint Servers allowing an unauthorised attacker to execute code over a network. Organizations requiring assistance can contact the ACSC via 1300 CYBER1.
