Microsoft Issues Urgent Security Patches After SharePoint Attacks

In late July, Microsoft issued an urgent alert after detecting active cyber attacks targeting self-hosted SharePoint servers – on-premises software widely used by businesses and public agencies to store and share internal documents. SharePoint Online, part of Microsoft 365’s cloud offering, was not affected.

The attacks exploited a zero-day vulnerability, meaning the flaw was previously unknown and had not been patched. By targeting this weakness, attackers were able to gain access to unprotected servers and potentially install backdoors for long-term access.

A Microsoft spokesperson states: “We’ve been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response.”

Microsoft has since issued security updates and urged customers to install them immediately.

Incident Impacts 100+ Organisations Across Multiple Countries

The FBI confirmed awareness of the breach, noting it was working closely with federal and private-sector partners as investigations unfolded.

In the days following Microsoft’s alert, security researchers uncovered signs that the vulnerability had been actively exploited to compromise nearly 100 organisations across the U.S., Germany and other regions.

While the full list of affected entities remains undisclosed, researchers confirmed several government-related organisations were among the victims.

At this stage, the origin of the attack remains unclear. However, initial analysis suggests the campaign may have been orchestrated by a single group or actor with a focus on government-related targets.

Thousands of Servers Potentially at Risk

The full extent of the breach is still being assessed, but security experts warn that the number of at-risk organisations may be significantly higher than the confirmed incidents so far.

Data research suggests that more than 8,000 SharePoint servers worldwide could be exposed to similar compromise.

These servers span a wide range of sectors, including major industrial firms, financial institutions, healthcare providers, auditors and government entities.

Organisations have been advised to take an “assumed breach” approach and to recognise that applying the patch alone may not be enough to ensure systems are secure. Additional recommended steps include reviewing systems for signs of compromise, as attackers may have already established persistence before the patch was applied.

Steps Organisations Should Take Now

Microsoft has released emergency security updates for affected versions of SharePoint, including SharePoint 2016, 2019 and the Subscription Edition. These patches are designed to close the vulnerability – but installing them is only the first step.

If your organisation uses self-hosted SharePoint servers (rather than SharePoint Online), it’s essential to ensure updates have been applied promptly, and assess whether any further investigation or remediation is needed.

For technical instructions and patch details, Microsoft has published an official advisory to support IT teams and SharePoint administrators.

Need support implementing patching or security best practices? As Microsoft partners and cyber security experts, our team can help you take the next step.