It is an attack that once again shows how vulnerable even the most established IT infrastructures can be: over the weekend, Microsoft released an emergency patch for a critical vulnerability in its widely used SharePoint software. The flaw, which is already being actively exploited by hackers, affects not only companies around the world but also several U.S. government agencies. The full extent of the damage is not yet known, but experts are warning of a “significant risk” to all organizations still operating locally hosted SharePoint servers.
The attack is based on a so-called zero-day exploit – a cyberattack that targets a previously unknown vulnerability for which no protection exists at the time of the attack. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this is a variant of the known vulnerability CVE-2025-49706 that specifically targets on-premises installations of SharePoint Server. The versions primarily affected are SharePoint Server 2019 and the Subscription Edition – for the older 2016 version, Microsoft is still working on a complete fix. Security researchers warn that the exploit, known as “ToolShell,” gives attackers not only full access to SharePoint file systems but also to connected services such as Microsoft Teams, OneDrive, and integrated identity providers. Especially alarming is the warning from Google’s Threat Intelligence Group that this flaw could potentially allow attackers to bypass future security updates.
The scope of the problem is currently only beginning to emerge. Dutch security firm Eye Security scanned more than 8,000 SharePoint servers worldwide and identified dozens of compromised systems. The attacks reportedly began as early as July 18 – an eternity in the world of cybersecurity. While the cloud-based version SharePoint Online is not affected, Michael Sikorski of Palo Alto Networks warns against underestimating the danger: “On-premise deployments, especially within government agencies, schools, hospitals, and large enterprises, are now at immediate risk.” This is not just an attack on IT structures – it is a direct threat to central supply systems, public administration, and critical services.
What must be done now cannot be reduced to waiting. Microsoft has released specific updates for the Subscription Edition and SharePoint Server 2019, which should be installed immediately. For SharePoint 2016, the interim steps Microsoft has provided should be applied consistently until a full fix is available. Key measures include enabling or verifying the Antimalware Scan Interface (AMSI) integration in SharePoint, deploying an up-to-date endpoint protection solution such as Defender for Endpoint, and promptly rotating the ASP.NET machine keys – the cryptographic material whose compromise could give attackers persistent backdoors. CISA advises organizations showing signs of compromise to disconnect affected servers from the internet immediately until they are fully hardened. Anyone unable to activate AMSI or patch promptly should proactively pull the plug. In addition, both CISA and leading incident response teams recommend forensic inspection, comprehensive log analysis, and a complete key rotation across all connected SharePoint environments, since follow-on damage spreading through linked services is a serious possibility. The incident highlights once again: cybersecurity is not a peripheral issue – it is the backbone of functioning systems in both state and society.
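The hardening measures listed above (confirm the patch level, make sure an antimalware engine is running, enable the AMSI integration on every web application, and rotate the ASP.NET machine keys) can be checked and applied from the SharePoint Management Shell. The script below is an added example written for this page, not code from Microsoft, CISA or the article; it uses only documented SharePoint and Defender cmdlets (`Get-SPFarm`, `Get-SPWebApplication`, `Get-SPFeature`, `Enable-SPFeature`, `Update-SPMachineKey`, `Get-MpComputerStatus`). The AMSI feature GUID and the fixed build number are placeholders that must be filled in from Microsoft's own guidance for the affected version; they are not stated on this page.

```powershell
<#
  Added example: defender-side hardening pass for an on-premises SharePoint Server
  2019 / Subscription Edition farm. Run as a farm administrator in the SharePoint
  Management Shell. Key rotation is only performed when -RotateKeys is given,
  because it invalidates existing ViewState and forms-auth tickets and requires
  an IIS restart afterwards.
  Placeholders (assumptions, fill in from Microsoft's guidance):
    $AmsiFeatureId  - GUID of the "SharePoint Server Antimalware Scan Interface
                      Integration" web-application feature
    $FixedBuild     - farm build that contains the security update for your version
#>
param(
    [switch]$RotateKeys
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$AmsiFeatureId = '<AMSI-FEATURE-GUID-FROM-MICROSOFT-GUIDANCE>'   # placeholder
$FixedBuild    = $null   # e.g. [version]'16.0.x.y' from the advisory (placeholder)

# 1. Patch level: compare the farm build against the fixed build from the advisory.
$farmBuild = (Get-SPFarm).BuildVersion
Write-Host "Farm build version: $farmBuild"
if ($FixedBuild -and $farmBuild -lt $FixedBuild) {
    Write-Warning "Farm build is below the fixed build. Install the security update; AMSI alone is an interim measure."
}

# 2. AMSI needs a running antimalware engine behind it (Defender Antivirus here).
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender real-time protection is not active; AMSI integration would have no engine to call."
} else {
    Write-Host "Defender Antivirus active, engine version $($mp.AMEngineVersion)"
}

# 3. AMSI integration is a web-application-scoped feature; check and enable it per web app.
if ($AmsiFeatureId -notmatch '^[0-9a-fA-F-]{36}$') {
    throw 'Set $AmsiFeatureId to the feature GUID from Microsoft''s AMSI-for-SharePoint guidance first.'
}
foreach ($wa in Get-SPWebApplication) {
    $enabled = Get-SPFeature -WebApplication $wa | Where-Object { $_.Id -eq [guid]$AmsiFeatureId }
    if ($enabled) {
        Write-Host "AMSI integration already enabled on $($wa.Url)"
    } else {
        Write-Warning "AMSI integration NOT enabled on $($wa.Url); enabling it now."
        Enable-SPFeature -Identity $AmsiFeatureId -Url $wa.Url
    }

    # 4. Rotate the ASP.NET machine keys so any key material an intruder may have
    #    read can no longer be used to forge ViewState or auth tokens.
    if ($RotateKeys) {
        Update-SPMachineKey -WebApplication $wa
        Write-Host "Machine key rotated for $($wa.Url)"
    }
}

# New keys take effect only after the worker processes are recycled.
if ($RotateKeys) {
    iisreset
    Write-Host 'IIS restarted; repeat the rotation on every server in the farm if the cmdlet did not propagate it.'
}
```

Run it once without `-RotateKeys` to get a read-only picture of the farm, then again with `-RotateKeys` once the update is installed (rotating keys before patching gives an attacker who still has a foothold the chance to read the new keys). A server that already shows signs of compromise should be taken off the network first, as the article notes, and the rotation done as part of the forensic rebuild rather than on the live host.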
Thanks for the report.
Hackers from all over the world are delighted.
Perhaps countless Trojans have already been installed unnoticed on government servers.
As a rule, something like this is played down to the public at first.
You're welcome, I'll pass it on ;)