Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
Reuters
Published Jul 22, 2025 10:19AM ET
Updated Jul 22, 2025 10:21PM ET
By James Pearson
LONDON (Reuters) -A security patch Microsoft (NASDAQ:MSFT) released this month failed to fully fix a critical flaw in the U.S. tech giant's SharePoint server software, opening the door to a sweeping global cyber espionage effort, a timeline reviewed by Reuters shows.
On Tuesday, a Microsoft spokesperson confirmed that its initial solution to the flaw, identified at a hacker competition in May, did not work, but added that it released further patches that resolved the issue.
It remains unclear who is behind the spy effort, which targeted about 100 organisations over the weekend, and is expected to spread as other hackers join the fray.
In a blog post Microsoft said two allegedly Chinese hacking groups, dubbed "Linen Typhoon" and "Violet Typhoon," were exploiting the weaknesses, along with a third, also based in China.
Microsoft and Alphabet (NASDAQ:GOOGL)'s Google have said China-linked hackers were probably behind the first wave of hacks.
Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies such hacking operations.
In an emailed statement, its embassy in Washington said China opposed all forms of cyberattacks, and "smearing others without solid evidence."
The vulnerability opening the way for the attack was first identified in May at a Berlin hacking competition organised by cybersecurity firm Trend Micro (OTC:TMICY) that offered cash bounties for finding computer bugs in popular software.
It offered a $100,000 prize for so-called "zero-day" exploits that leverage previously undisclosed digital weaknesses that could be used against SharePoint, Microsoft's flagship document management and collaboration platform.
The U.S. National Nuclear Security Administration, charged with maintaining and designing the nation's cache of nuclear weapons, was among the agencies breached, Bloomberg News said on Tuesday, citing a person with knowledge of the matter.
No sensitive or classified information is known to have been compromised, it added.
The U.S. Energy Department, the U.S. Cybersecurity and Infrastructure Security Agency, and Microsoft did not immediately respond to Reuters' requests for comment on the report.
A researcher for the cybersecurity arm of Viettel, a telecoms firm run by Vietnam's military, identified a SharePoint bug at the May event, dubbed it "ToolShell" and demonstrated a way to exploit it.
The discovery won the researcher an award of $100,000, an X posting by Trend Micro's "Zero Day Initiative" showed.
Participating vendors were responsible for patching and disclosing security flaws in "an effective and timely manner," Trend Micro said in a statement.
"Patches will occasionally fail," it added. "This has happened with SharePoint in the past."
Get The News You Want
In a July 8 security update Microsoft said it had identified the bug, listed it as a critical vulnerability, and released patches to fix it.
About 10 days later, however, cybersecurity firms started to notice an influx of malicious online activity targeting the same software the bug sought to exploit: SharePoint servers.
"Threat actors subsequently developed exploits that appear to bypass these patches," British cybersecurity firm Sophos said in a blog post on Monday.
The pool of potential ToolShell targets remains vast.
Hackers could theoretically have already compromised more than 8,000 servers online, data from search engine Shodan, which helps identify internet-linked equipment, shows.
Such servers were in networks ranging from auditors, banks, healthcare companies and major industrial firms to U.S. state-level and international government bodies.
The Shadowserver Foundation, which scans the internet for potential digital vulnerabilities, put the number at a little more than 9,000, cautioning that the figure is a minimum.
It said most of those affected were in the United States and Germany.
Germany's federal office for information security, BSI, said on Tuesday it had found no compromised SharePoint servers in government networks, despite some being vulnerable to the ToolShell attack.
Written By: Reuters
Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.