Microsoft SharePoint servers used by companies and government agencies worldwide are under threat following the discovery of a major zero-day vulnerability. The flaw, which affects on-premises versions of the software, is currently being exploited by hackers to gain unauthorised access and impersonate users or services.
The issue came to light after security researchers observed active attacks exploiting the flaw. Microsoft acknowledged the vulnerability in an alert issued on 20 July and confirmed that it is working on fixes for the affected versions. Cloud-hosted SharePoint (SharePoint Online) is not affected; organisations running their own on-premises servers are urged to take immediate precautions.
Serious vulnerability exposes servers to data theft
The vulnerability was first identified by researchers at Dutch cybersecurity firm Eye Security on 18 July. According to their findings, the exploit lets attackers steal the server's cryptographic authentication keys (its ASP.NET machine keys), which remain valid after the server is restarted or updated. Patching closes the entry point but does not invalidate keys that were already taken, so a server compromised before it was patched stays exposed until those keys are rotated.
The exploit allows hackers to infiltrate SharePoint servers and then pivot to other connected services commonly used within organisations, such as Microsoft Outlook, Teams, and OneDrive. Through these systems, attackers can potentially harvest passwords, extract confidential data, and move laterally through networks.
Experts believe the attack chains two separate bugs that were demonstrated at the Pwn2Own hacking competition in May. Used together, the flaws give an unauthenticated attacker remote access to a SharePoint server.
Microsoft issues patches as global impact unfolds
Microsoft has released updates that offer full protection for SharePoint Server 2019 and SharePoint Subscription Edition. However, the company is still in the process of developing a fix for SharePoint Server 2016. In the meantime, administrators are advised to implement available workarounds and monitor their systems for signs of compromise.
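Because stolen keys survive both a restart and a patch, rotating the machine keys is the step that actually cuts off an attacker who took them before the fix was applied. The following is an added example, not code from the article or from Microsoft's advisory: it rotates the ASP.NET machine keys of every web application in a farm from the SharePoint Management Shell. It assumes the server has already been patched and that it is run as a farm administrator; the cmdlet names (Set-SPMachineKey, Update-SPMachineKey) are those of the SharePoint Server management shell as I know them, so verify them against the documentation for your version before running anything.

```powershell
# Added example, not from the article or Microsoft's advisory text.
# Assumptions: run in the SharePoint Management Shell as a farm admin on a
# server that has already received the security update; cmdlet names follow
# the SharePoint Server management shell and should be checked against your
# version's documentation.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Include Central Administration: it is a web application with its own keys.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($wa in $webApps) {
    Write-Host "Rotating machine keys for $($wa.DisplayName) ($($wa.Url))"

    # Generate a fresh ValidationKey/DecryptionKey pair for this web application.
    Set-SPMachineKey -WebApplication $wa

    # Write the new keys to web.config on every web server in the farm so all
    # front ends agree on them.
    Update-SPMachineKey -WebApplication $wa
}

# Worker processes cache the keys they started with; restart IIS so every
# process loads the new values and stops honouring the old ones.
iisreset
```

Do the rotation after the update is installed, not before: on an unpatched server the attacker can simply take the new keys the same way. Treat rotation as part of the clean-up, alongside a review of the server for other signs of compromise, rather than as a substitute for patching.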
The US Cybersecurity and Infrastructure Security Agency (CISA) is currently assessing the full scope and consequences of the attacks. CISA recommends that any server suspected of being compromised be disconnected from the internet until a patch is available and has been applied.
According to a report by The Washington Post, the exploit has already been used to target various entities, including federal and state agencies in the US, academic institutions, energy sector firms, and a telecommunications company in Asia. The publication cited state officials and private cybersecurity researchers familiar with the matter.
Urgent action is needed to contain the threat
The incident highlights the growing risks associated with on-premises IT infrastructure, particularly in the face of increasingly sophisticated cyber threats. While Microsoft continues to address the issue, businesses are encouraged to remain vigilant and consider security audits of their systems.
Although no specific timeline has been provided for a complete resolution, organisations are expected to receive further guidance from Microsoft and cybersecurity agencies in the coming days.