
Threat persists after Microsoft SharePoint security breach

A recently disclosed security flaw in Microsoft's on-premises SharePoint servers remains unpatched at many companies.


German small and medium-sized enterprises (SMEs) are among the targets of a widespread zero-day exploitation campaign against on-premises Microsoft SharePoint servers.

The campaign, dubbed "ToolShell," has been active since mid-July 2025 and has compromised SharePoint servers worldwide, including those of numerous German SMEs and government-related entities. The attackers chain an authentication bypass with a remote code execution flaw, which lets them take over a SharePoint server without any credentials and without user interaction.

The result has been widespread compromise, credential theft, lateral movement across corporate networks, and data exfiltration. At the time of writing, Microsoft had released patches for SharePoint Subscription Edition and SharePoint Server 2019, but not yet for SharePoint Server 2016, leaving many installations without a fix.

Cybersecurity researchers estimate that around 10,000 exposed SharePoint servers remain reachable from the internet and vulnerable globally, including in Europe (Germany), the US, and Asia. German SMEs are unlikely to be an exception: slow patch deployment and poor visibility of what is exposed to the internet are the same problems everywhere.

The flaw, tracked as CVE-2025-53770 and rated 9.8 on the internationally recognised CVSS scale (maximum 10), lets attackers run code on the server and, in the observed attacks, steal the server's ASP.NET machine keys, the cryptographic keys SharePoint uses to sign and encrypt request state. With those keys an attacker can forge requests that the server accepts as valid and so re-enter a server even after the patch has been installed. This is what makes the threat persistent: installing the update is necessary but not sufficient. Microsoft's guidance is also to rotate the machine keys (for example with the Update-SPMachineKey cmdlet or from Central Administration), restart IIS, and treat any server that was reachable while unpatched as potentially compromised.

European SMEs are particularly at risk. Germany ranks third worldwide in confirmed compromises, according to an analysis by the Dutch cybersecurity service provider Eye Security, which has confirmed 42 compromised servers belonging to companies based in or operating in Germany.

The U.S. agency CISA has called on organisations to act quickly, either by installing the patch or by disconnecting affected servers from the internet. Microsoft attributes the first wave of attacks to groups operating from China, including Linen Typhoon, Violet Typhoon, and Storm-2603.

Criminal groups are now also active, using the compromised access to prepare targeted ransomware attacks. Public authorities and universities in Germany are among the affected parties.

The vulnerability in SharePoint, a platform widely used for collaborative document work, gave attackers access to sensitive systems for weeks before it was disclosed. Companies that run their own SharePoint servers must install the updates promptly or take alternative protective measures to prevent further attacks.

Eye Security recommends taking compromised systems offline or isolating them to limit further damage. U.S. agencies including the FBI and U.S. Cyber Command are involved in the investigation.

Despite all the warnings, the danger is not over. The authentication bypass in the exploit chain is classed as a spoofing vulnerability: the attacker crafts a request so that the server treats an unauthenticated client as an authorised user, which is why the attack needs neither stolen credentials nor any action by a victim. Companies must remain vigilant and proactive in securing their SharePoint servers.
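For defenders who want to check whether their own servers saw the bypass or the follow-on key theft, the following is an added example, not code from the article, Eye Security or Microsoft. It scans IIS W3C logs from a SharePoint server for the two publicly reported ToolShell indicators: an unauthenticated POST to ToolPane.aspx in edit mode whose Referer header is the SignOut.aspx page (the spoofed request that bypasses authentication), and any request for spinstall0.aspx, the web shell the attackers dropped to read the machine keys. The log lines are constructed for the example, the IP addresses and user names are placeholders, and the reduced set of log fields is an assumption; the parser reads the #Fields header, so it works unchanged on full production logs that carry more columns.

```python
"""Scan IIS W3C logs from an on-premises SharePoint server for ToolShell indicators.

Added example; the log sample below is constructed, not a real capture.
"""
from dataclasses import dataclass

# Constructed sample: four requests, two of which match the reported indicators.
# Real IIS logs have more fields; the parser keys on the #Fields header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(Referer) sc-status
2025-07-19 11:02:13 GET /_layouts/15/start.aspx - CONTOSO\\alice 10.0.0.5 - 200
2025-07-19 11:04:51 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx - 203.0.113.7 /_layouts/SignOut.aspx 200
2025-07-19 11:05:02 GET /_layouts/15/spinstall0.aspx - - 203.0.113.7 - 200
2025-07-19 11:20:44 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit CONTOSO\\bob 10.0.0.9 /_layouts/15/settings.aspx 200
"""


@dataclass
class Hit:
    line_no: int      # 1-based line number in the log file
    client_ip: str    # c-ip of the request
    indicator: str    # which ToolShell indicator matched


def parse_w3c(text):
    """Yield (line_no, {field: value}) for each data line, using the #Fields header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield n, dict(zip(fields, values))


def classify(rec):
    """Return an indicator description for a suspicious record, else None."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "-").lower()
    user = rec.get("cs-username", "-")
    method = rec.get("cs-method", "")
    # The web shell used to exfiltrate the ASP.NET machine keys. Seeing this
    # after patching still means the keys must be rotated.
    if stem.endswith("/spinstall0.aspx"):
        return "spinstall0.aspx requested: machine-key theft web shell"
    # The spoofed edit-mode request that bypasses authentication.
    if method == "POST" and stem.endswith("/toolpane.aspx") and "displaymode=edit" in query:
        if referer.endswith("/_layouts/signout.aspx"):
            return "ToolPane.aspx edit POST with SignOut.aspx referer: authentication bypass"
        if user == "-":
            return "unauthenticated ToolPane.aspx edit POST: investigate"
    return None


def scan(text):
    """Return a list of Hit objects for every suspicious request in the log text."""
    hits = []
    for n, rec in parse_w3c(text):
        indicator = classify(rec)
        if indicator:
            hits.append(Hit(n, rec.get("c-ip", "-"), indicator))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no} from {hit.client_ip}: {hit.indicator}")
```

On a real server, run `scan` over the contents of each file under the IIS log directory for the SharePoint web application. A legitimate administrator editing a page through ToolPane.aspx (the fourth sample line) is authenticated and arrives from a SharePoint page, so it is not flagged. Any hit on spinstall0.aspx, even on a server that has since been patched, should be treated as key theft: rotate the machine keys and restart IIS before assuming the attacker is gone.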

  1. The "ToolShell" campaign against on-premises SharePoint servers at German SMEs is also a concern for the energy sector: a compromised SharePoint server inside a corporate network gives an attacker a foothold from which to move towards operational and critical infrastructure systems.
  2. Because the stolen machine keys let attackers re-enter a server after the original vulnerability has been patched, the attack is also relevant to law enforcement and the courts, which run the same platform and may face data breaches and their legal consequences.
