The UK's National Cyber Security Centre (NCSC) has spotted a "limited number" of British victims of the SharePoint zero day, known as "ToolShell," as victims of the vulnerability start to stack up globally,
Over the weekend, Microsoft warned about the threat of active attacks using a vulnerability in on-premise SharePoint servers that would allow hackers to execute code on a network.
Microsoft has advised admins to rollout updates immediately, though there isn't yet a fix for SharePoint 2016. SharePoint Online in Microsoft 365 isn't impacted by the zero day flaw, according to the tech giant.
Eye Security, which first spotted the flaw, said an early internet scan had spotted 100 organizations compromised using the flaw, largely in the US and Germany, though that was before the zero day was widely reported so the impact is expected to be much wider.
"Who knows what other adversaries have done since to place other backdoors," Vaisha Bernard, chief hacker at Eye Security, told Reuters.
Daniel Card of PwnDefend added: "The SharePoint incident appears to have created a broad level of compromise across a range of servers globally."
It's as yet unclear who is behind the attack, but Charles Carmakal, CTO at Google-owned Mandiant Consulting, reportedly said multiple groups of hackers are now using the vulnerability.
“At least one of the actors responsible for this early exploitation" is linked to China, he noted.
SharePoint attacks impact UK firms
The NCSC said that attacks making use of the SharePoint flaw had been detected in the UK.
"Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks targeting on-premises SharePoint Server customers, including a limited number in the UK," the security agency said in an advisory.
The cybersecurity agency said any UK companies that are compromised by the flaw should report it to the agency.
US agencies hit
Beyond the UK, reports reveal that the SharePoint zero day has been used to compromise servers at two federal government agencies in the US, according to the Washington Post.
Microsoft has said it is working closely with US agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense Cyber Defence Command, while the FBI has said it is investigating alongside authorities in Australia, Canada, and beyond.
CISA's acting executive assistant director Chris Butera said in a statement that the agency was alerted to the zero day by a trusted partner and reached out to Microsoft.
"'Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations," Butera said.
"CISA encourages all organisations with on-premise Microsoft SharePoint servers to take immediate recommended action."
Targeted attack that gets past patches
Security company Rapid7 said it was observing active exploitation in its customers' environments and warned that the attack appeared targeted.
"This vulnerability is being used in widespread, aggressive campaigns to achieve RCE [remote code execution], establish persistent access, and extract cryptographic keys that allow attackers to forge valid authentication tokens," the company warned in a blog post.
"This campaign is not opportunistic — it is deliberate, capable, and designed for persistence even after patching."
Indeed, the firm noted that Microsoft said the flaw is related to one patched earlier this month, adding that the new vulnerability may be a "patch bypass".
"Microsoft has indicated that the patches for the new vulnerability, CVE-2025-53770, include more “robust protections” than the July update for the previous vulnerability CVE-2025-49704," Rapid7 said in its post.
The NCSC said two flaws are being used in the attack, pairing the SharePoint server zero day with a second used to sneak into systems.
"This vulnerability allows an attacker to remotely execute arbitrary code via the deserialization of untrusted data," the agency said.
"A separate vulnerability, CVE-2025-53771, allows this attack to be performed while bypassing authentication."
Any unpatchable systems should be disconnected from the internet in the meantime, said one security expert.
"We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response," Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told AP News.
"An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- MCP servers used by developers and 'vibe coders' are riddled with vulnerabilities
- Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?
- Shifting left might improve software security, but developers are becoming overwhelmed
-
Dedicated servers are back in vogue as IT leaders scramble to meet AI, compliance requirementsNews They may seem old-fashioned, but the use of dedicated servers is on the rise
-
UK government strikes deal with OpenAI – here are all the big tech firms it’s working withNews Building on existing announcements, the UK civil service will have access to tools from the three most prominent AI developers
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victimsNews Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
-
IT leaders are facing major work device blind spots – and it's putting security at riskNews The use of unauthorized devices is putting enterprises at huge risk
-
Microsoft’s new SharePoint vulnerability – everything you need to knowNews ToolShell allows unauthorized access to on-premises SharePoint servers
-
Okta and Palo Alto Networks are teaming up to ‘fight AI with AI’News The expanded partnership aims to help shore up identity security as attackers increasingly target user credentials
-
Despite the hype, cybersecurity teams are still taking a cautious approach to using AI toolsNews Research from ISC2 shows the appetite for AI tools in cybersecurity is growing, but professionals are taking a far more cautious approach than other industries.
-
A new, silent social engineering attack is being used by hackers – and your security systems might not notice until it’s too lateNews Security researchers have warned the 'FileFix' technique, which builds on the notorious 'ClickFix' tactic, is being used in the wild by threat actors.
-
MSPs emerge as key security partners for mid-market enterprisesNews The MSP Customer Insight Report reveals 85% of mid-sized organizations now rely on MSPs for security support
-
Application layer DDoS attacks are skyrocketing – here's whyNews The industry is seen as a prime target thanks to a reliance on online services and real-time transactions
