Updated 23 July 2025 at 14:17 IST
Microsoft’s Security Patch Misfire Exposes Its Server Flaw to Global Cyber Espionage Campaign Linked to China
Microsoft has since acknowledged the flaw in its initial fix and released additional patches.

A botched security patch by Microsoft has left its widely used, on-premises SharePoint Server exposed to a critical vulnerability (the cloud-hosted SharePoint Online is not affected), fuelling a wave of cyber espionage attempts that have already hit nearly 100 organisations globally, including high-value US government systems.
The flaw was first demonstrated in May at Pwn2Own Berlin, a hacking competition organised by Trend Micro, where a Vietnamese researcher representing Viettel's cybersecurity arm earned a $100,000 prize for identifying and exploiting the chain, later dubbed "ToolShell". Microsoft issued a patch on July 8 (covering CVE-2025-49704 and CVE-2025-49706) and classified the vulnerability as critical, but the fix did not fully close the loophole; the bypass variants now being exploited are tracked as CVE-2025-53770 and CVE-2025-53771.
Microsoft has since acknowledged that its initial fix was incomplete and released additional patches. But that delay may have been enough for threat actors to weaponise the exploit: according to a Reuters timeline, attacks began ramping up within 10 days of Microsoft's first update, with cybersecurity firms detecting a surge of malicious activity targeting SharePoint servers.
Among those affected was the US National Nuclear Security Administration, Bloomberg reported, though there is no evidence yet that classified information was compromised. Other targets span a broad range, from auditors and banks to healthcare firms and government bodies, including those in the US and Germany. The Shadowserver Foundation, which tracks exposed internet infrastructure, estimates that over 9,000 SharePoint servers globally could still be vulnerable.
Sophos and other cybersecurity firms believe attackers have developed exploits that bypass Microsoft's initial patch. Microsoft has attributed the intrusions to China-based groups, naming "Linen Typhoon", "Violet Typhoon" and a third actor it tracks as Storm-2603 as those leveraging the ToolShell vulnerability. Both Microsoft and Google have said the early wave of attacks likely originated from state-backed Chinese hackers. China's Washington embassy denied the allegations, stating that "smearing others without solid evidence" is unacceptable.
This episode underscores how fragile enterprise software security becomes when patch cycles are slow or ineffective. Trend Micro, which runs the Zero Day Initiative behind the competition where ToolShell was uncovered, said that while vendors are expected to patch flaws in a "timely and effective manner", patch failures like this have occurred before, especially in complex platforms like SharePoint.
For India and other emerging digital economies betting big on cloud and enterprise software, the episode is a reminder that vulnerabilities in foundational tools like SharePoint can have wide ripple effects. More broadly, it also raises fresh questions about the speed and transparency of disclosures by tech giants, especially when national security infrastructure is involved.
With thousands of SharePoint servers (Shadowserver's estimate exceeds 9,000) still potentially at risk, and exploitation likely to grow as more attackers pile on, the clock is ticking for organisations that have yet to update or secure their deployments. Installing the update alone does not evict an intruder who got in before it was applied: Microsoft's guidance pairs the patch with rotating the server's ASP.NET machine keys and checking for signs of prior compromise.
Published By : Shubham Verma
Published On: 23 July 2025 at 13:41 IST