Microsoft Corp. (MSFT) said Sunday that on-premises SharePoint Server customers are being targeted by “active” cyberattacks. The company has released a security update for SharePoint Subscription Edition to mitigate the threat and urged customers to apply the patch immediately.
The company provided detailed instructions regarding the fix in a blog post. It clarified, however, that SharePoint Online wasn’t affected.
Microsoft stock was little changed in the overnight session. The stock has gained about 22% year-to-date.
On Stocktwits, sentiment toward Microsoft stock stayed ‘neutral’, and the message volume also remained at a ‘normal’ level.
The federal government also made an announcement in this regard. The Cybersecurity and Infrastructure Security Agency (CISA) said it is “aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers.”
“This exploitation activity, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.”
The Washington Post reported that hackers exploited a major security flaw that Microsoft had left unpatched, launching a global attack on government agencies and businesses over the past few days.
The report said, citing state officials and private researchers, that U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications company were impacted.
The attack is called a “zero-day” because it targeted a previously unknown vulnerability. It is a “significant vulnerability,” CrowdStrike Senior VP Adam Meyers said, according to the Post.
“Anybody who’s got a hosted SharePoint server has got a problem.”
Pete Renals, a senior manager with Palo Alto Networks’ Unit 42, said, “We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available.”
The Post reported that Microsoft has asked users to modify SharePoint server programs or disconnect the servers from the internet, but hasn’t deployed a patch.
Netherlands-based research company Eye Security said, “On the evening of July 18, 2025, Eye Security identified active, large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain, dubbed ToolShell.”
Researchers expressed concerns that the hackers have gained access to keys that will allow them to re-enter even after a system is patched.
“So pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours,” said a researcher who spoke on the condition of anonymity to the Post.
Four years ago, Chinese agents sought to exploit a vulnerability in Microsoft’s Exchange Server email and calendar software, according to CNBC.
Editor’s note: This article was updated to include additional context regarding Chinese-linked cyberattacks that previously targeted Microsoft software four years ago.