South African Planning Agency Compromised in SharePoint Hack Attack
ByAinvest
Wednesday, Jul 30, 2025 10:41 am ET5min read
MSFT--
The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it. The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server [1].
The South African Department of Planning, Monitoring and Evaluation was one of the victims. The department reported that it had implemented countermeasures, including software patches from Microsoft. However, the attacks have affected over 400 government agencies, corporations, and other groups globally. Most victims are in the US, Mauritius, Jordan, South Africa, and the Netherlands [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors
Hackers have targeted the South African Department of Planning, Monitoring and Evaluation, exploiting a vulnerability in Microsoft's SharePoint servers. The department has implemented countermeasures, including software patches from Microsoft. The attacks have affected over 400 government agencies, corporations, and other groups globally, with most victims in the US, Mauritius, Jordan, South Africa, and the Netherlands. Microsoft warned of attacks targeting on-premise SharePoint networks, which is popular in South Africa for document storage and collaboration.
Hackers have targeted the South African Department of Planning, Monitoring and Evaluation, exploiting a vulnerability in Microsoft's SharePoint servers. The department has implemented countermeasures, including software patches from Microsoft. The attacks have affected over 400 government agencies, corporations, and other groups globally, with most victims in the US, Mauritius, Jordan, South Africa, and the Netherlands. Microsoft warned of attacks targeting on-premise SharePoint networks, which is popular in South Africa for document storage and collaboration [1].The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it. The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server [1].
The South African Department of Planning, Monitoring and Evaluation was one of the victims. The department reported that it had implemented countermeasures, including software patches from Microsoft. However, the attacks have affected over 400 government agencies, corporations, and other groups globally. Most victims are in the US, Mauritius, Jordan, South Africa, and the Netherlands [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors who target any Internet-exposed SharePoint server. The vulnerability, known as ToolShell, was discovered in May 2025 during the Pwn2Own Berlin competition. It allows attackers to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft released a patch in June, but the vulnerability was exploited before all organizations could apply it [1].
The attacks have been attributed to opportunistic threat actors
Stay ahead of the market.
Get curated U.S. market news, insights and key dates delivered to your inbox.
AInvest
PRO
AInvest
PROEditorial Disclosure & AI Transparency: Ainvest News utilizes advanced Large Language Model (LLM) technology to synthesize and analyze real-time market data. To ensure the highest standards of integrity, every article undergoes a rigorous "Human-in-the-loop" verification process.
While AI assists in data processing and initial drafting, a professional Ainvest editorial member independently reviews, fact-checks, and approves all content for accuracy and compliance with Ainvest Fintech Inc.’s editorial standards. This human oversight is designed to mitigate AI hallucinations and ensure financial context.
Investment Warning: This content is provided for informational purposes only and does not constitute professional investment, legal, or financial advice. Markets involve inherent risks. Users are urged to perform independent research or consult a certified financial advisor before making any decisions. Ainvest Fintech Inc. disclaims all liability for actions taken based on this information. Found an error?Report an Issue
Comments
No comments yet