Critical SharePoint vulnerability: Thousands of servers at risk
Microsoft announced an ongoing global cyberattack on SharePoint servers, during which attackers exploit a new vulnerability, unofficially dubbed ToolShell. The company strongly recommends that all users immediately install security updates to prevent possible hacks, Kazinform News Agency correspondent reports.
The attacks are based on a recently discovered technique that allows malicious code to be introduced and full control over vulnerable servers. According to Microsoft, government agencies, universities, and large corporations using SharePoint with Internet access are targeted.
The vulnerabilities involved in the attacks are designated CVE-2025-49704 and CVE-2025-49706 and were initially closed by the July 8 update. However, new methods of bypassing protection led to the identification of additional vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which were fixed in the update on July 22.
According to the experts, the current threat is active and critical. Particularly dangerous are cases where SharePoint servers have external access, which makes it much easier to gain unauthorized access to confidential information.
Experts emphasize that the attack is not only ongoing, but also gaining momentum. Due to the deep integration of SharePoint with other Microsoft services such as Teams, OneDrive and Office, a successful hack of one node can lead to the compromise of the entire corporate IT infrastructure.
According to available data, up to 9,000 servers are at risk, and more than 100 organizations have already been attacked.
As earlier reported, Microsoft had previously issued an alert about "active attacks" on server software used by government agencies and businesses to share documents within organisations.
