Microsoft has issued an urgent alert warning of a previously unknown vulnerability in on-premises versions of its SharePoint software that is currently being exploited in “active attacks” by malicious actors.
SharePoint is widely used across organisations to exchange files and manage internal workflows.
The US Federal Bureau of Investigation (FBI) confirmed it is aware of ongoing cyberattacks targeting SharePoint, but has not provided any further details.
In its alert, published on Sunday, Microsoft advised customers to apply available security updates immediately. The company noted that the zero-day vulnerability does not impact SharePoint Online for Microsoft 365 customers.
The US Cybersecurity and Infrastructure Security Agency (CISA) echoed Microsoft’s concerns in a separate statement, warning that the exploitation “poses a risk to organisations.”
CISA explained that the vulnerability allows unauthenticated attackers to gain full access to SharePoint content, including file systems and internal configurations, and to execute code remotely over the network.
International partners, including New Zealand’s National Cyber Security Centre (NCSC-NZ) and the Australian Cyber Security Centre (ACSC), have also stated they are assessing the potential impact on government systems and critical infrastructure.
In the meantime, companies using on-premises SharePoint servers are being urged to conduct forensic reviews of access logs going back several weeks—particularly if remote administrative tools were enabled.
Cybersecurity firm Eye also recommended that organisations shut down affected SharePoint servers entirely. “Blocking via firewall is not enough, as persistence may already exist,” the company warned.
Eye further advised organisations to renew all credentials and system secrets that may have been exposed and to engage an incident response team as soon as possible.