Microsoft Knew of SharePoint Security Flaw but Failed to Effectively Patch It, Timeline Shows

A security patch Microsoft released this month failed to fully fix a critical flaw in the US tech giant’s SharePoint server software, opening the door to a sweeping global cyber espionage effort, a timeline reviewed by Reuters shows.

On Tuesday, a Microsoft spokesperson confirmed that its initial solution to the flaw, identified at a hacker competition in May, did not work, but added that it released further patches that resolved the issue.

It remains unclear who is behind the spy effort, which targeted about 100 organisations over the weekend, and is expected to spread as other hackers join the fray.

In a blog post Microsoft said two allegedly Chinese hacking groups, dubbed “Linen Typhoon” and “Violet Typhoon,” were exploiting the weaknesses, along with a third, also based in China.

Microsoft and Alphabet’s Google have said China-linked hackers were probably behind the first wave of hacks.

Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies such hacking operations.

In an emailed statement, its embassy in Washington said China opposed all forms of cyberattacks, and “smearing others without solid evidence.”

The vulnerability opening the way for the attack was first identified in May at a Berlin hacking competition organised by cybersecurity firm Trend Micro that offered cash bounties for finding computer bugs in popular software.

It offered a $100,000 prize for so-called “zero-day” exploits that leverage previously undisclosed digital weaknesses that could be used against SharePoint, Microsoft’s flagship document management and collaboration platform.

The US National Nuclear Security Administration, charged with maintaining and designing the nation’s cache of nuclear weapons, was among the agencies breached, Bloomberg News said on Tuesday, citing a person with knowledge of the matter.

No sensitive or classified information is known to have been compromised, it added.

The US Energy Department, the US Cybersecurity and Infrastructure Security Agency, and Microsoft did not immediately respond to Reuters’ requests for comment on the report.

A researcher for the cybersecurity arm of Viettel, a telecoms firm run by Vietnam’s military, identified a SharePoint bug at the May event, dubbed it “ToolShell” and demonstrated a way to exploit it.

The discovery won the researcher an award of $100,000, an X posting by Trend Micro’s “Zero Day Initiative” showed.

Participating vendors were responsible for patching and disclosing security flaws in “an effective and timely manner,” Trend Micro said in a statement.

“Patches will occasionally fail,” it added. “This has happened with SharePoint in the past.”

In a July 8 security update Microsoft said it had identified the bug, listed it as a critical vulnerability, and released patches to fix it.

About 10 days later, however, cybersecurity firms started to notice an influx of malicious online activity targeting the same software the bug sought to exploit: SharePoint servers.

“Threat actors subsequently developed exploits that appear to bypass these patches,” British cybersecurity firm Sophos said in a blog post on Monday.

The pool of potential ToolShell targets remains vast.

Hackers could theoretically have already compromised more than 8,000 servers online, data from search engine Shodan, which helps identify internet-linked equipment, shows.

Such servers were in networks ranging from auditors, banks, healthcare companies and major industrial firms to U.S. state-level and international government bodies.

The Shadowserver Foundation, which scans the internet for potential digital vulnerabilities, put the number at a little more than 9,000, cautioning that the figure is a minimum.

It said most of those affected were in the United States and Germany.

Germany’s federal office for information security, BSI, said on Tuesday it had found no compromised SharePoint servers in government networks, despite some being vulnerable to the ToolShell attack.

© Thomson Reuters 2025