Hackers have leveraged a serious vulnerability in Microsoft’s widely used SharePoint software to infiltrate government agencies, businesses, and institutions worldwide, according to cybersecurity experts and officials. “Hackers exploited a security flaw in common Microsoft Corp. software to breach governments, businesses and other organizations across the globe and steal sensitive information,” Bloomberg reports.
Over the weekend, Microsoft issued a patch for the vulnerability affecting SharePoint servers but is still rolling out additional fixes. “Microsoft said it was still working to roll out other fixes after warnings that hackers were targeting SharePoint clients, using the flaw to enter file systems and execute code.” Security firms CrowdStrike and Google’s Mandiant confirm that multiple groups are exploiting the flaw simultaneously.
According to a person familiar with the matter, attackers have already penetrated the systems of national governments in Europe and the Middle East, as well as several U.S. agencies, including the Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly. “The SharePoint vulnerability is being investigated ‘at multiple levels of government,’” said Florida Department of Revenue spokesperson Bethany Wester Cutillo, though she added the department “does not comment publicly on the software we use for operations.”
Bloomberg reviewed a cybersecurity report indicating that hackers also targeted a U.S. healthcare provider and a Southeast Asian university, and attempted breaches in countries ranging from Brazil and Canada to Switzerland and South Africa. In some intrusions, attackers reportedly stole login credentials, including usernames, passwords, and tokens. “This is a high-severity, high-urgency threat,” said Michael Sikorski, CTO and head of threat intelligence at Palo Alto Networks. “What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform… A compromise doesn’t stay contained—it opens the door to the entire network.”
Tens of thousands of organizations use SharePoint for document storage and collaboration, especially those with on-premises deployments, which Microsoft says are the primary targets of these attacks. A spokesperson for the company declined to comment beyond its initial statement.
Cybersecurity firm Censys estimates more than 10,000 companies are at risk, most of them in the U.S., followed by the Netherlands, UK, and Canada. “It’s a dream for ransomware operators,” said Silas Cutler, a Censys researcher.
These developments raise new concerns about Microsoft’s security posture. Despite recent efforts to improve internal processes and hire top government security talent, the company has faced repeated, high-profile breaches. A 2024 U.S. government report criticized Microsoft’s “security culture” and called for urgent reforms.
Randy Rose of the Center for Internet Security revealed that over 1,100 U.S. state and local government servers are potentially vulnerable, with more than 100 already believed to be compromised.
The Washington Post has also reported intrusions at federal and state agencies, universities, energy companies, and a major Asian telecom firm. Eye Security, the first to flag the wave of cyberattacks, says the flaw allows hackers to steal access keys and persist inside systems even after patching. “Hackers can maintain access through backdoors or modified components that can survive updates and reboots of systems,” explained Vaisha Bernard, Eye Security’s chief hacker.
Originally identified in May at a cybersecurity conference in Berlin, the SharePoint vulnerabilities — dubbed “ToolShell” — were thought to be patched by early July. But Bernard says that wasn’t enough. “There were ways around the patches,” he said. “That allowed these attacks to happen.” After scanning 8,000 servers, Bernard confirmed at least 50 had been compromised, including government bodies and multinational firms across North and South America, the EU, South Africa, and Australia.