NCSC says ‘limited number’ of UK firms affected by SharePoint attack as global impact spreads
The SharePoint flaw has already had a wide impact according to reports from government security agencies
The UK's National Cyber Security Centre (NCSC) has spotted a "limited number" of British victims of the SharePoint zero day, known as "ToolShell," as victims of the vulnerability start to stack up globally,
Over the weekend, Microsoft warned about the threat of active attacks using a vulnerability in on-premise SharePoint servers that would allow hackers to execute code on a network.
Microsoft has advised admins to rollout updates immediately, though there isn't yet a fix for SharePoint 2016. SharePoint Online in Microsoft 365 isn't impacted by the zero day flaw, according to the tech giant.
Eye Security, which first spotted the flaw, said an early internet scan had spotted 100 organizations compromised using the flaw, largely in the US and Germany, though that was before the zero day was widely reported so the impact is expected to be much wider.
"Who knows what other adversaries have done since to place other backdoors," Vaisha Bernard, chief hacker at Eye Security, told Reuters.
Daniel Card of PwnDefend added: "The SharePoint incident appears to have created a broad level of compromise across a range of servers globally."
It's as yet unclear who is behind the attack, but Charles Carmakal, CTO at Google-owned Mandiant Consulting, reportedly said multiple groups of hackers are now using the vulnerability.
“At least one of the actors responsible for this early exploitation" is linked to China, he noted.
SharePoint attacks impact UK firms
The NCSC said that attacks making use of the SharePoint flaw had been detected in the UK.
"Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks targeting on-premises SharePoint Server customers, including a limited number in the UK," the security agency said in an advisory.
The cybersecurity agency said any UK companies that are compromised by the flaw should report it to the agency.
US agencies hit
Beyond the UK, reports reveal that the SharePoint zero day has been used to compromise servers at two federal government agencies in the US, according to the Washington Post.
Microsoft has said it is working closely with US agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense Cyber Defence Command, while the FBI has said it is investigating alongside authorities in Australia, Canada, and beyond.
CISA's acting executive assistant director Chris Butera said in a statement that the agency was alerted to the zero day by a trusted partner and reached out to Microsoft.
"'Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations," Butera said.
"CISA encourages all organisations with on-premise Microsoft SharePoint servers to take immediate recommended action."
Targeted attack that gets past patches
Security company Rapid7 said it was observing active exploitation in its customers' environments and warned that the attack appeared targeted.
"This vulnerability is being used in widespread, aggressive campaigns to achieve RCE [remote code execution], establish persistent access, and extract cryptographic keys that allow attackers to forge valid authentication tokens," the company warned in a blog post.
"This campaign is not opportunistic — it is deliberate, capable, and designed for persistence even after patching."
Indeed, the firm noted that Microsoft said the flaw is related to one patched earlier this month, adding that the new vulnerability may be a "patch bypass".
"Microsoft has indicated that the patches for the new vulnerability, CVE-2025-53770, include more “robust protections” than the July update for the previous vulnerability CVE-2025-49704," Rapid7 said in its post.
The NCSC said two flaws are being used in the attack, pairing the SharePoint server zero day with a second used to sneak into systems.
"This vulnerability allows an attacker to remotely execute arbitrary code via the deserialization of untrusted data," the agency said.
"A separate vulnerability, CVE-2025-53771, allows this attack to be performed while bypassing authentication."
Any unpatchable systems should be disconnected from the internet in the meantime, said one security expert.
"We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response," Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told AP News.
"An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- MCP servers used by developers and 'vibe coders' are riddled with vulnerabilities
- Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?
- Shifting left might improve software security, but developers are becoming overwhelmed
-
What is Microsoft Maia?Explainer Microsoft's in-house chip is planned to a core aspect of Microsoft Copilot and future Azure AI offerings
-
If Satya Nadella wants us to take AI seriously, let’s forget about mass adoption and start with a return on investment for those already using itOpinion If Satya Nadella wants us to take AI seriously, let's start with ROI for businesses
-
Microsoft warns of rising AitM phishing attacks on energy sectorNews The campaign abused SharePoint file sharing services to deliver phishing payloads and altered inbox rules to maintain persistence
-
90% of companies are woefully unprepared for quantum security threats – analysts say they need to get a move onNews Quantum security threats are coming, but a Bain & Company survey shows systems aren't yet in place to prevent widespread chaos
-
LastPass issues alert as customers targeted in new phishing campaignNews LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign that encourages users to backup vaults.
-
NCSC names and shames pro-Russia hacktivist group amid escalating DDoS attacks on UK public servicesNews Russia-linked hacktivists are increasingly trying to cause chaos for UK organizations
-
An AWS CodeBuild vulnerability could’ve caused supply chain chaos – luckily a fix was applied before disaster struckNews A single misconfiguration could have allowed attackers to inject malicious code to launch a platform-wide compromise
-
Microsoft just took down notorious cyber crime marketplace RedVDS – and found hackers were using ChatGPT and its own Copilot tool to wage attacks
News Microsoft worked closely with law enforcement to take down the notorious RedVDS cyber crime service – and found tools like ChatGPT and its own Copilot were being used by hackers.
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
-
Supply chain and AI security in the spotlight for cyber leaders in 2026News Organizations are sharpening their focus on supply chain security and shoring up AI systems
