NCSC says ‘limited number’ of UK firms affected by SharePoint attack as global impact spreads
The SharePoint flaw has already had a wide impact according to reports from government security agencies
The UK's National Cyber Security Centre (NCSC) has spotted a "limited number" of British victims of the SharePoint zero day, known as "ToolShell," as victims of the vulnerability start to stack up globally.
Over the weekend, Microsoft warned about the threat of active attacks using a vulnerability in on-premises SharePoint servers that would allow hackers to execute code on a network.
Microsoft has advised admins to roll out updates immediately, though there isn't yet a fix for SharePoint 2016. SharePoint Online in Microsoft 365 isn't impacted by the zero-day flaw, according to the tech giant.
Eye Security, which first spotted the flaw, said an early internet scan had found 100 organizations compromised using the flaw, largely in the US and Germany, though that was before the zero day was widely reported, so the impact is expected to be much wider.
"Who knows what other adversaries have done since to place other backdoors," Vaisha Bernard, chief hacker at Eye Security, told Reuters.
Daniel Card of PwnDefend added: "The SharePoint incident appears to have created a broad level of compromise across a range of servers globally."
It's as yet unclear who is behind the attack, but Charles Carmakal, CTO at Google-owned Mandiant Consulting, reportedly said multiple groups of hackers are now using the vulnerability.
“At least one of the actors responsible for this early exploitation" is linked to China, he noted.
SharePoint attacks impact UK firms
The NCSC said that attacks making use of the SharePoint flaw had been detected in the UK.
"Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks targeting on-premises SharePoint Server customers, including a limited number in the UK," the security agency said in an advisory.
The cybersecurity agency said any UK companies that are compromised by the flaw should report it to the agency.
US agencies hit
Beyond the UK, the SharePoint zero day has reportedly been used to compromise servers at two US federal government agencies, according to the Washington Post.
Microsoft has said it is working closely with US agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense Cyber Defence Command, while the FBI has said it is investigating alongside authorities in Australia, Canada, and beyond.
CISA's acting executive assistant director Chris Butera said in a statement that the agency was alerted to the zero day by a trusted partner and reached out to Microsoft.
"Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations," Butera said.
"CISA encourages all organisations with on-premise Microsoft SharePoint servers to take immediate recommended action."
Targeted attack that gets past patches
Security company Rapid7 said it was observing active exploitation in its customers' environments and warned that the attack appeared targeted.
"This vulnerability is being used in widespread, aggressive campaigns to achieve RCE [remote code execution], establish persistent access, and extract cryptographic keys that allow attackers to forge valid authentication tokens," the company warned in a blog post.
"This campaign is not opportunistic — it is deliberate, capable, and designed for persistence even after patching."
Indeed, the firm noted that Microsoft said the flaw is related to one patched earlier this month, adding that the new vulnerability may be a "patch bypass".
"Microsoft has indicated that the patches for the new vulnerability, CVE-2025-53770, include more 'robust protections' than the July update for the previous vulnerability CVE-2025-49704," Rapid7 said in its post.
The NCSC said two flaws are being used in the attack, pairing the SharePoint server zero day with a second used to sneak into systems.
"This vulnerability allows an attacker to remotely execute arbitrary code via the deserialization of untrusted data," the agency said.
"A separate vulnerability, CVE-2025-53771, allows this attack to be performed while bypassing authentication."
Any unpatchable systems should be disconnected from the internet in the meantime, said one security expert.
"We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response," Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told AP News.
"An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available."
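The advice above to patch and then rotate cryptographic material is the part most admins will need to act on. The following PowerShell is an added example, not code from the article or from Microsoft, and it assumes the material to rotate is the ASP.NET machine keys used to sign and encrypt SharePoint authentication tokens, that the SharePoint Management Shell snap-in is available, and that it is run with farm-admin rights on one server in the farm after the security update has been applied.

```powershell
# Added example (assumption: rotating ASP.NET machine keys is the relevant
# "cryptographic material"). Rotates the keys on every web application,
# including Central Administration, and reports per-application success.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$results = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        # Generates new validation/decryption keys and pushes them to the farm
        Update-SPMachineKey -WebApplication $wa -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $wa.DisplayName; Url = $wa.Url; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $wa.DisplayName; Url = $wa.Url; Rotated = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Tokens forged with the old keys stop validating only once every worker
# process has reloaded the configuration, so restart IIS on each server.
if ($results | Where-Object { -not $_.Rotated }) {
    Write-Warning "One or more web applications failed to rotate; fix those before restarting IIS."
} else {
    iisreset
}
```

Run it on each server in the farm after patching, and keep the output with the incident record so the rotation time can be compared against any suspicious logins.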
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.