The Cybersecurity and Infrastructure Security Agency (CISA) said it is “aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers.”

Microsoft (MSFT) said Sunday that its on-premises SharePoint server customers have been targeted by “active” cyberattacks, a year after a CrowdStrike (CRWD) update affected millions of the software giant’s computer systems worldwide. 


The Satya Nadella-led company said it has released a security update for “SharePoint Subscription Edition” to mitigate the attacks and recommended that customers apply the update immediately.

Microsoft provided detailed instructions regarding the fix in a blog post. It clarified, however, that SharePoint Online wasn’t affected.

Microsoft stock was little changed in the overnight session. The stock has gained about 22% year-to-date.

MSFT sentiment and message volume as of 2:21 a.m. ET, July 21 | source: Stocktwits

On Stocktwits, sentiment toward Microsoft stock stayed ‘neutral’, and the message volume also remained at a ‘normal’ level.

The federal government also made an announcement in this regard. The Cybersecurity and Infrastructure Security Agency (CISA) said it is “aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers.”

“This exploitation activity, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”

The Washington Post reported that hackers exploited a major security flaw that Microsoft had left unpatched, launching a global attack on government agencies and businesses over the past few days. 

The report said, citing state officials and private researchers, that U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications company were impacted. 

The attack is called a “zero-day” because it targeted a previously unknown vulnerability. It is a “significant vulnerability,” CrowdStrike Senior VP Adam Meyers said, according to the Post.

“Anybody who’s got a hosted SharePoint server has got a problem.” 

Pete Renals, a senior manager with Palo Alto Networks’ Unit 42, said, “We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available.”

The Post reported that Microsoft has asked users to modify SharePoint server programs or disconnect the servers from the internet, but hasn’t deployed a patch. 

Netherlands-based research company Eye Security said, “On the evening of July 18, 2025, Eye Security identified active, large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain, dubbed ToolShell.”

Researchers expressed concerns that the hackers have gained access to keys that will allow them to re-enter even after a system is patched.

“So pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours,” said a researcher who spoke on the condition of anonymity to the Post.
