Microsoft recently issued an emergency fix for a zero-day exploit actively targeting on-premises SharePoint servers, a widely used platform for internal collaboration across businesses and government agencies.
What You Need to Know
- The exploit, known as “ToolShell,” is a variant of CVE-2025-49706.
- It gives attackers full access to SharePoint file systems and connected services like Teams and OneDrive.
- SharePoint Online (cloud-based) is not affected—this exploit only impacts on-site deployments.
- The vulnerability is already being exploited globally, with attacks confirmed since July 18.
- Government, healthcare, education, and enterprise organizations are especially at risk.
Why It Matters
This zero-day vulnerability leaves IT teams with zero time to prepare. According to the Cybersecurity & Infrastructure Security Agency (CISA) and multiple threat intelligence firms, systems may already be compromised. Even worse, future patches may be bypassed.
What You Should Do Now
- Immediately apply Microsoft’s guidance for SharePoint Server 2019 and Subscription Edition.
- Disconnect vulnerable servers from the internet.
- Rotate all cryptographic material.
- Engage with a trusted cybersecurity team for incident response.
At Forvis Mazars, our cybersecurity consultants are already working with clients to help gauge and secure their environments. If you’re running on-prem SharePoint and unsure about your exposure, don’t wait.
Reach out to us today to consider your risk and help create a remediation plan. We’re here to help safeguard your systems, your data—and your reputation.