Microsoft Issues Emergency Patch for SharePoint Servers Used in Offices
In September 2025, Microsoft discovered two serious security flaws in on-premises versions of SharePoint servers. These vulnerabilities could allow hackers to break into systems, run unauthorized code, take control of servers, and steal internal authentication keys. The attack method, known as “ToolShell,” is already being used in real-world hacks. Microsoft has released emergency (out-of-cycle) patches to fix the problem in supported versions of SharePoint Server (Subscription Edition, 2019, and 2016). SharePoint that is part of Microsoft 365 (cloud/online) is not affected by these flaws.
Why this Matters to Medical Offices
Unpatched systems can put your patient data and office operations at serious risk. Once inside SharePoint, hackers may gain access to other connected systems, allowing them to view, alter, or download sensitive health records, employee data, and billing information. They could also use the vulnerability to install ransomware that locks your files until a payment is made. Another risk is the potential for hackers to create hidden “back doors” that allow ongoing access even after the initial breach. Because the flaw allows hackers to run their own code undetected, attacks may not be discovered right away. A breach involving protected health information (PHI) can trigger HIPAA reporting requirements, financial penalties, reputational harm, and loss of patient trust.
Key Actions to Take
- Check whether your office uses its own SharePoint server (installed locally, not the cloud version).
- Work with your internal or external IT expert to confirm that all SharePoint servers are fully patched with Microsoft’s latest emergency updates and that systems are clean. (A link to the patches is provided in the first item in the Sources at the end of this article.)
- After patching, rotate “MachineKey” or cryptographic keys used by SharePoint. If attackers had access before the patches, they might have copied these keys and could still use them to issue valid requests.
- Enable security features such as the Anti-Malware Scan Interface (AMSI) and ensure antivirus or endpoint protection tools are active and updated.
- Review server logs for any unusual activity, such as unexpected file changes, new scripts (web shells), or other suspicious behavior.
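
For the file-change part of the review in the last step, your IT expert could run something like the following PowerShell. This is an added example, not code from Microsoft or from the original article; the function name, the list of file extensions, and the demo folder are assumptions made for illustration, and the sample files are constructed.

```powershell
# Added example: list script-type files created or changed since a cutoff date.
function Get-RecentScriptFile {
    param(
        [Parameter(Mandatory)] [string]   $Root,    # folder to review (chosen by your IT expert)
        [Parameter(Mandatory)] [datetime] $Since,   # earliest date you want to review from
        # Assumed list of file types worth a second look; adjust as needed.
        [string[]] $Extensions = @('.aspx', '.ashx', '.asmx', '.js', '.config')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($Extensions -contains $_.Extension.ToLower()) -and
            (($_.CreationTime -ge $Since) -or ($_.LastWriteTime -ge $Since))
        } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            # Record a hash so the file can be compared or reported later.
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Constructed demo: a temporary folder stands in for a web directory.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("review-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'default.aspx')    -Value '<%-- known page --%>'
Set-Content -Path (Join-Path $demo 'unexpected.aspx') -Value '<%-- constructed sample --%>'

# Backdate the known page so only the newer file is reported.
$known = Get-Item -LiteralPath (Join-Path $demo 'default.aspx')
$known.CreationTime  = (Get-Date).AddDays(-90)
$known.LastWriteTime = (Get-Date).AddDays(-90)

# Report anything created or changed in the last 30 days, then clean up.
Get-RecentScriptFile -Root $demo -Since (Get-Date).AddDays(-30) | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

File timestamps can be altered by an intruder, so an empty result does not by itself show that a server is clean; treat this as one input alongside the server logs and endpoint protection alerts.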
Bottom Line
It’s critical to make sure your office’s SharePoint server is patched and secured. These vulnerabilities are being actively exploited, and unprotected systems could expose patient data, disrupt operations, and create lasting damage to your practice’s reputation.
Sources: