A newly discovered zero-day vulnerability in Microsoft SharePoint has allowed hacker groups to create unauthorized websites and access sensitive corporate data through compromised servers. Microsoft confirmed the issue on Saturday, July 19, and quickly released security patches the following day. The company is urging all users to immediately apply the updates to secure their systems.
Who Was Affected?
The attacks specifically targeted on-premise SharePoint Server deployments, while Microsoft clarified that the Microsoft 365 cloud-based SharePoint services remain unaffected.
So far, security updates have been rolled out for:
- SharePoint Subscription Edition
- SharePoint Server 2019
A patch for SharePoint Server 2016 is still in development.
What Happened?
The issue was first flagged by cybersecurity firm Eye Security on Friday, July 18. During a scan of over 8,000 SharePoint environments, their team discovered multiple instances of compromised servers.
The vulnerability enables Remote Code Execution (RCE), meaning attackers can remotely run malicious code on affected servers—granting them the ability to exfiltrate data, alter content, or set up fake websites for further exploitation.
Because the flaw was actively exploited before Microsoft became aware of it, it has been classified as a zero-day vulnerability.
How to Protect Your Organization
Microsoft recommends that SharePoint administrators:
- Immediately install the latest security updates for their version of SharePoint Server
- Enable Microsoft Defender for Endpoint, which can detect and block suspicious activity tied to this specific threat
The company has confirmed that the newly released updates fully mitigate the known exploit path.
