CISA Warns of New Exploit Targeting Microsoft SharePoint

Hackers Exploit Microsoft SharePoint Servers; CISA Issues Urgent Warning

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning organizations of an active exploitation campaign targeting on-premises Microsoft SharePoint servers. According to CISA’s July 20 report, the attack—known publicly as “ToolShell”—takes advantage of server vulnerabilities to grant attackers full access to internal systems.

“This exploitation activity… provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content,” CISA said in its July 20 report. The agency is currently assessing the full impact of the breach.

Microsoft acknowledged the threat on July 19, confirming that only on-premises servers are affected—SharePoint Online on Microsoft 365 is not at risk. Updates have been released for SharePoint Subscription Edition and SharePoint 2019, while patches for SharePoint 2016 are pending.

Both CISA and Microsoft urge system administrators to install the latest security updates, enable Antimalware Scan Interface (AMSI), and deploy Microsoft Defender for Endpoint. In cases where AMSI cannot be activated, CISA recommends temporarily disconnecting affected systems from the internet.

The exploit, listed under CVE-2025-49706, has been added to CISA’s Known Exploited Vulnerabilities catalog. Organizations are encouraged to review their logging practices, reduce administrative privileges, and follow Microsoft’s advanced mitigation strategies.

With over 200,000 organizations relying on SharePoint globally, the attack underscores growing cybersecurity challenges. CISA further warned of increasing threats to cloud infrastructure, calling for enhanced public-private cooperation to defend digital assets.