Microsoft released emergency security updates over the weekend to address a critical zero-day vulnerability in its SharePoint server software, after confirming active global cyberattacks targeting businesses and at least some U.S. federal agencies.
The company first alerted customers on Saturday that the vulnerability was being exploited in real time. On Sunday, Microsoft updated its guidance to include fixes for SharePoint Server 2019 and SharePoint Server Subscription Edition. A patch for the older SharePoint Server 2016 version is still under development. The flaw does not affect Microsoft 365's cloud-based SharePoint Online.
"We've been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response," a Microsoft spokesperson said. The company urged all customers to immediately apply available security updates.
The cyberattack campaign reportedly began on July 18 and 19, with Microsoft's engineers identifying waves of intrusions into at least dozens of systems globally. The company stated that attackers were using the flaw to conduct spoofing attacks, allowing them to pose as trusted users or systems and potentially gain unauthorized access to connected Microsoft services such as OneDrive and Teams.
According to Microsoft's advisory, the vulnerability "allows an authorized attacker to perform spoofing over a network," enabling them to impersonate legitimate users or systems in order to extract data and credentials or to compromise additional services.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) echoed Microsoft's warning, urging immediate mitigation. "Organizations should disconnect affected servers from the internet until they can be patched," the agency advised.
While the full scope of the compromise remains under investigation, the FBI confirmed on Sunday that it is "aware of the attacks and is working closely with its federal and private-sector partners," though it did not release further details.
The Washington Post, which first reported the breach, said the attacks targeted both domestic and international entities and are believed to have compromised tens of thousands of servers. Though the identity of the attackers has not been confirmed, cybersecurity analysts emphasized that the threat was severe given the widespread reliance on SharePoint for internal document sharing across corporate and government environments.