SharePoint Zero-Day Prompts Global Emergency Patching

A critical zero-day vulnerability (CVE-2025-53770, also known as 'ToolShell') in Microsoft’s on-premises SharePoint servers has triggered active cyberattacks against tens of thousands of organizations globally, including US federal and state agencies, universities, and businesses. The flaw enables unauthenticated attackers to access SharePoint content, steal cryptographic keys, and move laterally within networks, with risk remaining even after initial patching. SharePoint Online is not affected, while Microsoft has released urgent patches for Subscription Edition and 2019, with a fix for 2016 pending. The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to implement fixes by July 21, and the FBI is working with partners to mitigate the threat. Security experts warn the vulnerability is highly attractive to ransomware groups, and organizations unable to patch immediately are advised to disconnect vulnerable servers from the internet. The attack has heightened scrutiny of Microsoft’s security culture following prior high-profile breaches.