The UK's National Cyber Security Centre (NCSC) has spotted a "limited number" of British victims of the SharePoint zero day, known as "ToolShell," as victims of the vulnerability start to stack up globally,
Over the weekend, Microsoft warned about the threat of active attacks using a vulnerability in on-premise SharePoint servers that would allow hackers to execute code on a network.
Microsoft has advised admins to rollout updates immediately, though there isn't yet a fix for SharePoint 2016. SharePoint Online in Microsoft 365 isn't impacted by the zero day flaw, according to the tech giant.
Eye Security, which first spotted the flaw, said an early internet scan had spotted 100 organizations compromised using the flaw, largely in the US and Germany, though that was before the zero day was widely reported so the impact is expected to be much wider.
"Who knows what other adversaries have done since to place other backdoors," Vaisha Bernard, chief hacker at Eye Security, told Reuters.
Daniel Card of PwnDefend added: "The SharePoint incident appears to have created a broad level of compromise across a range of servers globally."
It's as yet unclear who is behind the attack, but Charles Carmakal, CTO at Google-owned Mandiant Consulting, reportedly said multiple groups of hackers are now using the vulnerability.
“At least one of the actors responsible for this early exploitation" is linked to China, he noted.
SharePoint attacks impact UK firms
The NCSC said that attacks making use of the SharePoint flaw had been detected in the UK.
"Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks targeting on-premises SharePoint Server customers, including a limited number in the UK," the security agency said in an advisory.
The cybersecurity agency said any UK companies that are compromised by the flaw should report it to the agency.
US agencies hit
Beyond the UK, reports reveal that the SharePoint zero day has been used to compromise servers at two federal government agencies in the US, according to the Washington Post.
Microsoft has said it is working closely with US agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense Cyber Defence Command, while the FBI has said it is investigating alongside authorities in Australia, Canada, and beyond.
CISA's acting executive assistant director Chris Butera said in a statement that the agency was alerted to the zero day by a trusted partner and reached out to Microsoft.
"'Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations," Butera said.
"CISA encourages all organisations with on-premise Microsoft SharePoint servers to take immediate recommended action."
Targeted attack that gets past patches
Security company Rapid7 said it was observing active exploitation in its customers' environments and warned that the attack appeared targeted.
"This vulnerability is being used in widespread, aggressive campaigns to achieve RCE [remote code execution], establish persistent access, and extract cryptographic keys that allow attackers to forge valid authentication tokens," the company warned in a blog post.
"This campaign is not opportunistic — it is deliberate, capable, and designed for persistence even after patching."
Indeed, the firm noted that Microsoft said the flaw is related to one patched earlier this month, adding that the new vulnerability may be a "patch bypass".
"Microsoft has indicated that the patches for the new vulnerability, CVE-2025-53770, include more “robust protections” than the July update for the previous vulnerability CVE-2025-49704," Rapid7 said in its post.
The NCSC said two flaws are being used in the attack, pairing the SharePoint server zero day with a second used to sneak into systems.
"This vulnerability allows an attacker to remotely execute arbitrary code via the deserialization of untrusted data," the agency said.
"A separate vulnerability, CVE-2025-53771, allows this attack to be performed while bypassing authentication."
Any unpatchable systems should be disconnected from the internet in the meantime, said one security expert.
"We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response," Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told AP News.
"An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available."
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- MCP servers used by developers and 'vibe coders' are riddled with vulnerabilities
- Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?
- Shifting left might improve software security, but developers are becoming overwhelmed
-
Thousands of exposed civil servant passwords are up for grabs onlineNews While the password security failures are concerning, they pale in comparison to other nations
-
Global PC shipments surge in Q3 2025, fueled by AI and Windows 10 refresh cyclesNews The scramble ahead of the Windows 10 end of life date prompted a spike in sales
-
Thousands of exposed civil servant passwords are up for grabs online
News While the password security failures are concerning, they pale in comparison to other nations
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
-
Hackers stole source code, bug details in disastrous F5 security incident – here’s everything we know and how to protect yourselfNews CISA has warned the F5 security incident presents a serious threat to federal networks
-
Hackers are using a new phishing kit to steal Microsoft 365 credentials and MFA tokens – Whisper 2FA is evolving rapidly and has been used in nearly one million attacks since JulyNews Whisper 2FA is now the third most common Phishing as a Service tool worldwide
-
Government urges large enterprises to shore up defenses as NCSC warns UK faces four 'nationally significant' cyber attacks every weekNews UK enterprises of all sizes face escalating cybersecurity threats, ministers have warned
-
Third time lucky? The FBI just took down BreachForums, again
News The hacking forum is down for now, but the group behind it, Scattered Lapsus$ Hunters, isn't going to stop extorting victims of the Salesforce breach
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
