A new zero-day vulnerability in Microsoft SharePoint is being actively exploited, and it is not just your average phishing scheme. This one’s big. Hackers are slipping through the cracks of unpatched on-prem SharePoint servers, and they’re aiming high: governments, healthcare, finance, and more.
What’s ToolShell, and Why Should You Care?
Security researchers at Eye Security and the Shadowserver Foundation flagged this zero-day as a remote code execution vulnerability. The exploit, known in the wild as ToolShell, lets attackers gain full access to your SharePoint environment. That means they can steal encryption keys, drop malicious web shells, and plant persistent backdoors for future attacks. It’s like giving someone a spare key to your office and hoping they don’t come back with friends.
According to TechCrunch, attackers have been actively exploiting this since early July, with significant spikes between July 18 and 19.
Who’s Being Targeted?
This isn’t just hitting small orgs with weak firewalls. According to Reuters, more than 100 organizations across government, healthcare, energy, auditing, and finance have already been compromised. One unnamed Western government was reportedly the first to get hit. The Washington Post reported evidence linking this campaign to China-based state hacking infrastructure, though Microsoft hasn’t officially attributed it (yet). And no, your Microsoft 365 cloud-hosted SharePoint isn’t affected. Only on-premises deployments are vulnerable. But if that’s you? Time to sound the alarm.
How It Works
ToolShell uses crafted requests to exploit the bug and allows attackers to:
- Execute remote commands
- Install web shells (persistent access tools)
- Extract machine keys
- Maintain stealthy access even after patching
The Hacker News notes that attackers are actively rotating infrastructure and IPs to avoid detection. It’s a dynamic, coordinated campaign, not a one-off stunt.
What Should You Do?
- Patch It Immediately: Microsoft pushed out a patch for SharePoint Server 2019 and Subscription Edition on July 20. SharePoint 2016 still awaits a fix, which is concerning. Here’s Microsoft’s official security advisory.
- Disconnect from the Internet: If you haven’t patched yet, take your SharePoint server offline immediately to prevent further exposure. AP News reports that this step helped contain early spread.
- Rotate Cryptographic Keys: Assume keys may be compromised and reissue them to cut off backdoor access.
- Hunt for Web Shells: Check for signs of persistence: web shells, unauthorized users, and strange outbound traffic. A patch doesn’t mean the intruder left quietly.
- Treat It Like a Breach: BleepingComputer and other experts recommend activating incident response procedures. Don’t wait for symptoms. This is one of those “drop what you’re doing and fix it” situations.
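The “Hunt for Web Shells” step above is the one most teams struggle to turn into something concrete. The Python below is an added example, not code from the original post or from Microsoft: it walks a SharePoint web root for .aspx/.ashx files that are new (not in a known-good baseline), recently modified, and carry two or more source markers typical of web shells, then cross-checks IIS W3C logs for POST requests to those paths. The marker list, the baseline, the sample files and the log excerpt are all constructed for the demo (the flagged file contains only marker tokens inside a server-side comment, not working code), and the time threshold is an assumption; in practice you would pass the advisory date and your own baseline.

```python
"""Web-shell triage helper for an on-prem SharePoint web root plus IIS logs.
Added example, not part of the original post; all paths, patterns and log
lines are constructed for illustration."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Heuristic source markers (constructed list): request input reaching a process
# launch, dynamic compilation/loading, or an arbitrary file write. Any single
# marker is common in legitimate pages; two or more in a new, recently modified
# file outside the baseline is worth a human look.
SUSPICIOUS = [
    re.compile(r"Process\.Start", re.I),
    re.compile(r"Request\[|Request\.Form|Request\.QueryString", re.I),
    re.compile(r"File\.WriteAll(Text|Bytes)", re.I),
    re.compile(r"Assembly\.Load|CompileAssemblyFromSource", re.I),
]


def suspicious_aspx(web_root, baseline, since):
    """Return sorted web-root-relative paths of .aspx/.ashx files that are not
    in the known-good baseline, were modified at or after `since` (UTC), and
    match at least two SUSPICIOUS markers."""
    hits = []
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith((".aspx", ".ashx")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            if rel in baseline:
                continue
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if mtime < since:
                continue
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if sum(1 for p in SUSPICIOUS if p.search(text)) >= 2:
                hits.append(rel)
    return sorted(hits)


def posts_to_paths(log_text, rel_paths):
    """Parse IIS W3C extended log text (the #Fields line names the columns) and
    return (client_ip, uri_stem, status) for every POST whose cs-uri-stem ends
    with one of rel_paths, case-insensitively."""
    wanted = tuple("/" + p.lower().lstrip("/") for p in rel_paths)
    fields, out = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue
        rec = dict(zip(fields, cols))
        if rec.get("cs-method") != "POST":
            continue
        if rec.get("cs-uri-stem", "").lower().endswith(wanted):
            out.append((rec["c-ip"], rec["cs-uri-stem"], rec.get("sc-status")))
    return out


# Constructed IIS log excerpt (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-19 03:12:41 203.0.113.7 POST /_layouts/15/helper.aspx - 200
2025-07-19 03:12:45 203.0.113.7 GET /_layouts/15/helper.aspx x=1 200
2025-07-19 08:00:02 198.51.100.4 POST /sites/hr/_vti_bin/client.svc - 200
"""


def run_demo():
    """Build a throwaway web root with one baseline page, one benign new page
    and one file carrying two markers (a constructed indicator sample, not
    shell code), then run both checks against it and the sample log."""
    since = datetime.now(timezone.utc) - timedelta(days=1)  # demo threshold
    with tempfile.TemporaryDirectory() as root:
        layouts = os.path.join(root, "_layouts", "15")
        os.makedirs(layouts)
        samples = {
            os.path.join(root, "default.aspx"): '<%@ Page Language="C#" %><html>home</html>',
            os.path.join(root, "page.aspx"): '<%@ Page Language="C#" %><html>news</html>',
            os.path.join(layouts, "helper.aspx"):
                "<%-- constructed indicator sample: Request.Form Process.Start --%>",
        }
        for path, body in samples.items():
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        files = suspicious_aspx(root, baseline={"default.aspx"}, since=since)
        posts = posts_to_paths(SAMPLE_LOG, files)
    return {"files": files, "posts": posts}


if __name__ == "__main__":
    print(run_demo())
```

Two design points matter here. The file check is deliberately conservative (new, recent, and two markers) because single markers such as `Request.Form` appear all over legitimate SharePoint pages; tune the baseline from a clean install rather than from the server you suspect. And the log check only confirms that something was talking to a flagged file; it does not prove a compromise or its absence, which is why the post’s advice to treat the situation as a breach and rotate keys still stands even when the hunt comes back empty.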