financetom
Technology
financetom
/
Technology
/
Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
News World Market Environment Technology Personal Finance Politics Retail Business Economy Cryptocurrency Forex Stocks Market Commodities
Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
Jul 22, 2025 9:33 AM

*

Ongoing attacks compromised around 100 organisations over

weekend

*

SharePoint vulnerability identified during hacker

competition

*

Microsoft ( MSFT ) subsequently released patch that did not fix

flaw

(Adds Microsoft comments in paragraphs 2, 3; Trend Micro ( TMICF )

comment in paragraphs 9-10)

By James Pearson

LONDON, July 22 (Reuters) - A security patch released by

Microsoft ( MSFT ) earlier this month failed to fully fix a

critical flaw in the U.S. tech company's SharePoint server

software that had been identified at a hacking competition in

May, opening the door to a sweeping global cyber espionage

operation, according to a timeline of events reviewed by

Reuters.

A Microsoft ( MSFT ) spokesperson confirmed on Tuesday that its

initial solution did not work. The spokesperson added that

Microsoft ( MSFT ) had released further patches that fixed the issue.

It remains unclear who is behind the ongoing operation, which

targeted around 100 organisations over the weekend and is

expected to escalate as other hackers join the fray. Microsoft ( MSFT )

said in a blog post that two allegedly Chinese hacking groups,

dubbed "Linen Typhoon" and "Violet Typhoon," were exploiting the

vulnerabilities, along with another China-based hacking group.

Microsoft ( MSFT ) and Alphabet's Google have said that

China-linked hackers were likely behind the first wave of hacks.

Chinese government-linked operatives are regularly implicated in

cyberattacks, but Beijing routinely denies carrying out hacking

operations. In an emailed statement, the Chinese embassy in

Washington said China opposes all forms of cyberattacks, and

"smearing others without solid evidence."

The vulnerability that facilitated the attack was first

identified in May at a hacking competition in Berlin organised

by cybersecurity firm Trend Micro ( TMICF ), which offered cash

bounties for the discovery of computer bugs in popular software.

It offered a $100,000 prize for "zero-day" exploits - which

are called that because they leverage previously undisclosed

digital weaknesses that could be used against SharePoint,

Microsoft's ( MSFT ) flagship document management and collaboration

platform.

A researcher working for the cybersecurity arm of Viettel, a

telecommunications firm operated by Vietnam's military,

identified a SharePoint bug at the event, dubbed it "ToolShell"

and demonstrated a method of exploiting it.

The researcher was awarded $100,000 for the discovery, according

to a post on X by Trend Micro's ( TMICF ) "Zero Day Initiative."

In a statement, Trend Micro ( TMICF ) said it was the responsibility

of vendors participating in its competition to patch and

disclose security flaws in "an effective and timely manner."

"Patches will occasionally fail. This has happened with

SharePoint in the past," the statement said.

Microsoft ( MSFT ) said in a July 8 security update that it had

identified the bug, listed it as a critical vulnerability, and

released patches to fix it.

About 10 days later, however, cybersecurity firms started to

notice an influx of malicious online activity targeting the same

software the bug sought to exploit: SharePoint servers.

"Threat actors subsequently developed exploits that appear to

bypass these patches," British cybersecurity firm Sophos said in

a blog post on Monday.

The pool of potential ToolShell targets remains vast.

According to data from Shodan, a search engine that helps

identify internet-linked equipment, over 8,000 servers online

could theoretically have already been compromised by hackers.

Those servers include major industrial firms, banks,

auditors, healthcare companies, and several U.S. state-level and

international government entities.

The Shadowserver Foundation, which scans the internet for

potential digital vulnerabilities, put the number at a little

more than 9,000, while cautioning that the figure was a

minimum.

It said most of those affected were in the United States and

Germany, and the victims included government organisations.

Germany's federal office for information security, BSI, said on

Tuesday it had found SharePoint servers within government

networks that were vulnerable to the ToolShell attack but none

had been compromised.

Comments
Welcome to financetom comments! Please keep conversations courteous and on-topic. To fosterproductive and respectful conversations, you may see comments from our Community Managers.
Sign up to post
Sort by
Show More Comments
Related Articles >
Wolfspeed prepares to file for bankruptcy within weeks, WSJ reports
Wolfspeed prepares to file for bankruptcy within weeks, WSJ reports
May 26, 2025
May 20 (Reuters) - Semiconductor supplier Wolfspeed Inc ( WOLF ) is preparing to file for bankruptcy within weeks, as it struggles to address its debt pile, the Wall Street Journal reported on Tuesday, citing sources familiar with the matter. ...
Massachusetts college student to plead guilty to PowerSchool data breach
Massachusetts college student to plead guilty to PowerSchool data breach
May 26, 2025
BOSTON (Reuters) -A Massachusetts college student has agreed to plead guilty to hacking cloud-based education software provider PowerSchool and stealing data pertaining to millions of students and teachers that hackers used to extort the company and school districts into paying ransoms. Matthew Lane, 19, entered into a plea deal on Tuesday to resolve charges filed in federal court in Worcester,...
Massachusetts hacker to plead guilty to PowerSchool data breach
Massachusetts hacker to plead guilty to PowerSchool data breach
May 26, 2025
BOSTON (Reuters) - A Massachusetts man has agreed to plead guilty to hacking cloud-based education software provider PowerSchool and stealing data pertaining to millions of students and teachers that hackers used to extort the company and school districts into paying ransoms. Matthew Lane, 19, entered into a plea deal on Tuesday to resolve charges filed in federal court in Worcester,...
South Korea vows support for biopharmaceutical, auto sectors over US tariffs
South Korea vows support for biopharmaceutical, auto sectors over US tariffs
May 26, 2025
SEOUL (Reuters) -South Korea's government pledged on Wednesday more support measures for key export industries, including the biopharmaceutical and auto sectors, which are expected to be hit by U.S. President Donald Trump's sweeping tariffs. The government will prepare new measures to support its biopharmaceutical companies, as soon as details of Trump's tariffs on the sector become available, it said in...
Copyright 2023-2026 - www.financetom.com All Rights Reserved