The campaign began around July 18 and is targeting on-premises SharePoint installations. Victims include government agencies, banks, and multinational corporations across the U.S., Europe, and Asia. Microsoft confirmed the attacks over the weekend and says it’s working on an emergency update.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalogue on Sunday. Federal agencies have been ordered to apply mitigations by Monday. Dutch cybersecurity firm Eye Security, which first identified the exploit, says the threat actors are still launching mass attacks.

Dubbed “ToolShell” by researchers, the bug is linked to Microsoft’s earlier CVE-2025-49706, a spoofing issue patched in July. ToolShell exploits deserialization of untrusted data in SharePoint, allowing attackers to install web shells, steal cryptographic keys, and forge tokens for persistent access. Microsoft advises enabling Antimalware Scan Interface (AMSI) and Defender Antivirus, or disconnecting affected servers from the internet. SharePoint Online is not impacted.