The UK's National Cyber Security Centre (NCSC) has spotted a "limited number" of British victims of the SharePoint zero day, known as "ToolShell," as victims of the vulnerability start to stack up globally,
Over the weekend, Microsoft warned about the threat of active attacks using a vulnerability in on-premise SharePoint servers that would allow hackers to execute code on a network.
Microsoft has advised admins to rollout updates immediately, though there isn't yet a fix for SharePoint 2016. SharePoint Online in Microsoft 365 isn't impacted by the zero day flaw, according to the tech giant.
Eye Security, which first spotted the flaw, said an early internet scan had spotted 100 organizations compromised using the flaw, largely in the US and Germany, though that was before the zero day was widely reported so the impact is expected to be much wider.
"Who knows what other adversaries have done since to place other backdoors," Vaisha Bernard, chief hacker at Eye Security, told Reuters.
Daniel Card of PwnDefend added: "The SharePoint incident appears to have created a broad level of compromise across a range of servers globally."
It's as yet unclear who is behind the attack, but Charles Carmakal, CTO at Google-owned Mandiant Consulting, reportedly said multiple groups of hackers are now using the vulnerability.
“At least one of the actors responsible for this early exploitation" is linked to China, he noted.
SharePoint attacks impact UK firms
The NCSC said that attacks making use of the SharePoint flaw had been detected in the UK.
"Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks targeting on-premises SharePoint Server customers, including a limited number in the UK," the security agency said in an advisory.
The cybersecurity agency said any UK companies that are compromised by the flaw should report it to the agency.
US agencies hit
Beyond the UK, reports reveal that the SharePoint zero day has been used to compromise servers at two federal government agencies in the US, according to the Washington Post.
Microsoft has said it is working closely with US agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense Cyber Defence Command, while the FBI has said it is investigating alongside authorities in Australia, Canada, and beyond.
CISA's acting executive assistant director Chris Butera said in a statement that the agency was alerted to the zero day by a trusted partner and reached out to Microsoft.
"'Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations," Butera said.
"CISA encourages all organisations with on-premise Microsoft SharePoint servers to take immediate recommended action."
Targeted attack that gets past patches
Security company Rapid7 said it was observing active exploitation in its customers' environments and warned that the attack appeared targeted.
"This vulnerability is being used in widespread, aggressive campaigns to achieve RCE [remote code execution], establish persistent access, and extract cryptographic keys that allow attackers to forge valid authentication tokens," the company warned in a blog post.
"This campaign is not opportunistic — it is deliberate, capable, and designed for persistence even after patching."
Indeed, the firm noted that Microsoft said the flaw is related to one patched earlier this month, adding that the new vulnerability may be a "patch bypass".
"Microsoft has indicated that the patches for the new vulnerability, CVE-2025-53770, include more “robust protections” than the July update for the previous vulnerability CVE-2025-49704," Rapid7 said in its post.
The NCSC said two flaws are being used in the attack, pairing the SharePoint server zero day with a second used to sneak into systems.
"This vulnerability allows an attacker to remotely execute arbitrary code via the deserialization of untrusted data," the agency said.
"A separate vulnerability, CVE-2025-53771, allows this attack to be performed while bypassing authentication."
Any unpatchable systems should be disconnected from the internet in the meantime, said one security expert.
"We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response," Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told AP News.
"An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- MCP servers used by developers and 'vibe coders' are riddled with vulnerabilities
- Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?
- Shifting left might improve software security, but developers are becoming overwhelmed
-
Windows 10 extended support costs could top $7 billionNews Enterprises sticking with Windows 10 after the October deadline face huge costs
-
Why employee offboarding poses huge cybersecurity risksNews Enterprises should act swiftly to revoke rights and access, regardless of the manner of an employee’s departure.
-
Security experts call for better 'offboarding' practices amid spate of insider attacks by outgoing staff
News Enterprises should act swiftly to revoke rights and access, regardless of the manner of an employee’s departure.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
The Salesloft Drift victim list keeps growing: Zscaler is the latest to confirm a breach, warning customers to remain wary of follow-up phishing attacksNews The company has warned customers that their data may have been accessed, saying it's implemented extra safeguards in response
-
Anthropic admits hackers have 'weaponized' its tools – and cyber experts warn it's a terrifying glimpse into 'how quickly AI is changing the threat landscape'News Security experts say Anthropic's recent admission that hackers have "weaponized" its AI tools gives us a terrifying glimpse into the future of cyber crime.
-
Google hits back at 'entirely false' reports of major Gmail security breachNews Reports of a massive Gmail hack affecting billions of users have been denied by Google
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
Warning issued to Salesforce customers after hackers stole Salesloft Drift dataNews Customers were targeted through compromised OAuth access tokens from Salesloft Drift integrations
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
