Microsoft SharePoint Server Hack Hits Over 100 Organizations Globally

A critical cyberattack exploiting a zero-day vulnerability in Microsoft’s self-hosted SharePoint Server has impacted more than 100 organizations worldwide, according to cybersecurity researchers. The flaw, identified as CVE-2025-49706 and dubbed "ToolShell," allowed hackers to gain administrative access, steal cryptographic keys, and move laterally within affected networks.

The breach, first detected around July 18, 2025, has been linked to a likely single threat actor, with some researchers pointing to a potential China-based nexus. Victims span multiple sectors, including government agencies, energy firms, healthcare providers, banks, academic institutions, and telecommunications companies across the United States, Europe, Asia, and Latin America.

Security firms Eye Security and Shadowserver have confirmed at least 100 compromised systems, and an estimated 8,000 to 10,000 vulnerable servers may still be exposed. Microsoft SharePoint Server 2019 and Subscription Edition were the primary targets, while SharePoint Online (part of Microsoft 365) remains unaffected. Microsoft SharePoint Server 2016 is still awaiting a patch, increasing concerns for institutions using the older software.

In response, Microsoft issued emergency patches on July 20 for the affected versions and urged immediate installation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and the UK's National Cyber Security Centre (NCSC), has launched investigations and issued technical guidance for mitigation. This includes disconnecting vulnerable servers, rotating encryption keys, isolating impacted systems, and conducting forensic analysis to detect backdoors or lateral movement.

Experts caution that patching alone is insufficient and advise organizations to assume their networks may already be compromised. Companies are being urged to perform thorough threat hunting, audit credentials and certificates, and engage cybersecurity response teams for comprehensive remediation.

This attack recalls the 2021 Microsoft Exchange Server breach, highlighting ongoing risks posed by sophisticated adversaries targeting on-premises infrastructure. With thousands of systems still potentially at risk, cybersecurity professionals warn that immediate action is necessary to contain further spread and prevent long-term damage.
