Government agencies and private industry have been under siege over the past four days following the discovery that a critical vulnerability in SharePoint, the widely used document-sharing app made by Microsoft, is under mass exploitation. Since that revelation, the fallout and the ever-increasing scope of the attacks have been hard to keep track of.

What follows are answers to some of the most common questions about the vulnerability and the ongoing exploitation of it, which collectively is being called ToolShell by people tracking the activity.

What’s known so far

Question: What’s SharePoint?

Answer: SharePoint is server software that companies use for storing, managing, sharing, and collaborating on internal documents, typically from inside an organization’s intranet. Microsoft has been selling it since 2001. In 2020, Microsoft said that SharePoint had 200 million users. As of last year, more than 400,000 customer organizations used the software, including roughly 80 percent of Fortune 500 companies, according to IT jobs site Jobera.

Q: So, what’s the vulnerability?

A: The vulnerability, which is formally tracked as CVE-2025-53770, enables unauthenticated remote code execution on servers running SharePoint. The ease of exploitation, the damage it causes, and the ongoing targeting of it in the wild have earned it a severity rating of 9.8 out of a possible 10. It allows unauthenticated attackers with no system rights to remotely execute malicious code.

It was first spotted on Saturday by Eye Security. The security firm reported the vulnerability had been actively exploited in two waves starting a day earlier and had already compromised “dozens of systems” around the world. Eye Security raised the estimate to 400 compromised systems on Wednesday. Bloomberg reported that the US National Nuclear Security Administration's network was among the casualties.