Topline
A vulnerability in Microsoft’s SharePoint server software was exploited by hackers to carry out “active attacks” globally on various entities, including businesses and U.S. federal agencies, prompting the software giant to issue an emergency patch.
Microsoft deployed an emergency security patch for some users on Sunday night.
In a statement on X, Microsoft said it has released a security update for SharePoint Subscription Edition and SharePoint 2019 users to “mitigate active attacks” targeting servers running the software.
The company noted that the vulnerability only impacts companies using Microsoft’s software to host their own servers, and customers relying on Microsoft’s 365 cloud services have not been affected.
Citing government officials and security researchers, the Washington Post reported that the vulnerability affected U.S. federal and state agencies, universities and various businesses.
In a statement on Sunday night, the Cybersecurity and Infrastructure Security Agency (CISA) said it was “aware of active exploitation of a new…vulnerability enabling unauthorized access to on-premise SharePoint servers.”
The federal agency said the vulnerability allowed malicious actors to “access file systems and internal configurations, and execute code over the network.”
The security patch released by Microsoft only fixed the vulnerability on the latest “SharePoint Subscription Edition and SharePoint 2019.” The company said it is still actively working on a fix for the older SharePoint 2016 version. It is unclear how many government entities and businesses are still using the 2016 version. In its advisory, the company advises affected users to “consider disconnecting your server from the internet until a security update is available.”
A Microsoft spokesperson told Reuters that the company has been “coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response.”
The hack targeting SharePoint users is referred to as a “zero-day” attack, as the hackers exploited a previously unknown vulnerability. Dutch cybersecurity firm Eye Security was the first to report on the zero-day exploit over the weekend. The company said its team scanned more than 8,000 SharePoint servers worldwide on Friday and “discovered dozens of systems actively compromised.” The company stated that these attacks occurred in two waves on July 18 and 19.