Microsoft’s Incomplete Patch Leaves SharePoint Vulnerability Open to Global Espionage Attacks

A critical vulnerability in Microsoft’s SharePoint server software has exposed thousands of organizations to a wave of cyberattacks, after a patch issued by the company failed to fully resolve the flaw. Originally discovered in May during a hacker competition in Berlin, the bug—later dubbed “ToolShell”—remained exploitable even after Microsoft’s official fix was released on July 8. The flawed patch has now triggered a wide-reaching cyber espionage campaign, affecting nearly 100 organizations globally over the past weekend.

The identity of the attackers remains uncertain, but Google has linked at least part of the activity to a threat actor with ties to China. The Chinese Embassy in Washington has not responded to requests for comment, and while China routinely denies involvement in cyberattacks, Beijing’s name is frequently cited in such incidents. Microsoft has yet to comment on the efficacy of the patch or provide further updates on the situation.

The ToolShell exploit was initially discovered by a researcher from Viettel, a Vietnamese military-owned telecoms company, at Trend Micro’s Zero Day Initiative event. The researcher was awarded $100,000 for demonstrating how the vulnerability could be used against SharePoint. Despite Microsoft classifying the bug as a critical threat and attempting to patch it, cybersecurity firms have since reported ongoing exploitation of the same flaw.

Sophos, a British cybersecurity firm, confirmed that hackers developed methods to bypass Microsoft’s patches shortly after their release. These exploits are now being actively used in the wild, raising concerns about the widespread exposure of critical infrastructure. The attackers have reportedly targeted a diverse group of victims, including industrial firms, banks, healthcare providers, and government entities in the U.S. and abroad.

Internet scans by Shadowserver and Shodan estimate that between 8,000 and 9,000 SharePoint servers remain vulnerable, with the actual number possibly much higher. This large attack surface heightens the urgency for Microsoft to issue a functional patch and for affected organizations to take immediate defensive actions. As threat actors continue to exploit the ToolShell vulnerability, the incident underscores ongoing challenges in enterprise software security and the risks of incomplete remediation efforts.

Source: Reuters