Microsoft Scrambles to Contain SharePoint Vulnerability as Global Cyber Espionage Campaign Unfolds

Microsoft is under mounting scrutiny after a patch it released earlier this month failed to fully address a critical vulnerability in its SharePoint server software—leaving thousands of systems exposed and sparking a wave of cyber espionage activity affecting organizations across the globe.

The flaw, initially discovered in May during a high-stakes hacking competition in Berlin, was exploited over the past weekend in coordinated attacks that reportedly impacted nearly 100 organizations, including government agencies, financial institutions, healthcare providers, and multinational corporations.

According to a timeline reviewed by Reuters, the vulnerability—nicknamed “ToolShell”—was identified by a researcher affiliated with Viettel, a cybersecurity arm of Vietnam’s military-run telecommunications firm. The discovery, which earned a $100,000 reward from Trend Micro’s Zero Day Initiative, targeted Microsoft SharePoint, the company's widely used collaboration and document management platform.

While Microsoft promptly issued a patch on July 8, it has since acknowledged that the fix was ineffective in fully mitigating the threat. A spokesperson confirmed this week that updated patches have since been deployed to close the security gap. Despite this, cybersecurity firms began detecting a surge in malicious activity targeting SharePoint servers just days after the initial patch was released.

British cybersecurity firm Sophos reported that attackers developed exploits that appeared to bypass Microsoft’s original fixes, allowing them to infiltrate systems through the same ToolShell vulnerability. Meanwhile, Microsoft said in a blog post that it had linked the intrusions to China-based hacking groups, including “Linen Typhoon” and “Violet Typhoon,” though a third group is also believed to be involved. Both Microsoft and Google have indicated that Chinese state-affiliated actors likely spearheaded the early phases of the operation.

The Chinese government, however, has denied any involvement. In a statement, the Chinese embassy in Washington reiterated that China opposes all forms of cyberattacks and accused Western media of making unfounded accusations without credible evidence.

The extent of the exposure is alarming. Data from Shodan, a search engine that maps internet-connected devices, suggests more than 8,000 SharePoint servers could be vulnerable worldwide. The Shadowserver Foundation, which independently scans for digital threats, places that number slightly higher at over 9,000 servers, cautioning that these figures likely underestimate the true scale of exposure.

Most at-risk systems appear to be concentrated in the United States and Germany, including servers used by state-level U.S. government entities, industrial firms, auditors, and financial institutions. Germany's federal cybersecurity authority, BSI, confirmed it had identified vulnerable SharePoint servers in government networks but reported that none had been compromised as of Tuesday.

The situation underscores the growing difficulty in keeping pace with increasingly sophisticated state-linked cyber actors and the inherent risk of delayed or incomplete patching by major software vendors. In a statement, Trend Micro emphasized that while it facilitates the discovery of flaws, it is the responsibility of vendors like Microsoft to patch vulnerabilities effectively and promptly.

“Patches will occasionally fail,” Trend Micro said, noting that similar issues with SharePoint have occurred in the past. But in the current case, the failure has enabled what some experts warn could be a long-running espionage campaign that is still unfolding, as other hacking groups may now capitalize on the same vulnerability.

As investigations continue and security teams rush to apply the latest patches, the ToolShell case serves as a cautionary tale for enterprise and government IT infrastructure globally—a reminder that the gap between disclosure and resolution can be dangerously exploited.