
For cybersecurity and technology professionals monitoring the threat landscape, the alerts issued in July and again in August about a significant Microsoft SharePoint vulnerability chain are a wake-up call about how quickly security flaws can disrupt an organization.
Dubbed ToolShell, this exploit chain specifically affects on-premises versions of SharePoint Server—including Subscription Edition, 2019, and 2016—but not cloud-based versions such as SharePoint Online, part of the Microsoft 365 suite, according to Microsoft.
After the exploit chain began surfacing in early July, Microsoft released patches to address multiple vulnerabilities. These included a fix for CVE-2025-53770, a remote code execution flaw related to CVE-2025-49704 and CVE-2025-53771.
CVE-2025-53771 also serves as a bypass for the earlier fix to the server spoofing vulnerability CVE-2025-49706, complicating the scenario further.
Cybersecurity firm Wiz published a detailed blog explaining how attackers can exploit this chain to compromise vulnerable organizations. Microsoft and others have emphasized that patching alone is not enough: teams must also rotate the affected servers' cryptographic keys, since an attacker who captured the old keys could otherwise regain access after the patch is applied.
Although Microsoft moved quickly, threat groups had already begun exploiting these vulnerabilities as zero-day attacks. The company attributed early malicious activity to two China-based nation-state groups—Linen Typhoon and Violet Typhoon—as well as another group known as Storm-2603.
Researchers estimate that about 150 organizations globally were compromised. As of early August, ransomware gangs and other threat actors continue to exploit ToolShell.
"While the scope and impact continue to be assessed, the chain, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and authenticated access through network spoofing, enabling malicious actors to access SharePoint content, including file systems and internal configurations, and execute code over the network," according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
For cybersecurity and tech professionals, staying on top of patching and threat assessments is essential. However, experts warn that the scale of these attacks shows that more effort is needed.
"Security teams should treat this as a wake-up call to overhaul their data security and management practices—doubling down on zero-trust policies, layering independent backup and threat-detection tools on top of Microsoft’s stack, and keeping employees sharp through regular, customized security training," said Dana Simberkoff, chief risk, privacy and information security officer at AvePoint. "Only continuous monitoring of data assets—in addition to system assets—from the bottom up ensures security. You need a top-down and bottom-up approach."
The ToolShell exploit chain offers four critical lessons for cyber and tech pros seeking to improve organizational security.
Lesson 1: Understand Cybersecurity Fundamentals
Software security remains an unresolved challenge for many organizations.
Large codebases, especially those containing legacy code, are harder to secure because they were not developed using modern secure coding practices. Applying a patch can sometimes cause unintended side effects if the original flaw isn't fully addressed, said Thomas Richards, infrastructure security practice director at Black Duck.
Older versions of SharePoint, which are designed for internal use, become vulnerable when exposed to the internet. This makes cybersecurity fundamentals more important than ever, Richards added.
"All servers should have appropriate logging, monitoring, and endpoint protection software installed. These tools, if used and configured correctly, will identify and possibly stop an attack as it begins," Richards told Dice. "Professionals should also be aware of their external attack surface and ensure risks are considered when planning to expose internal tools to the internet."
Lesson 2: Create a Software Inventory
Knowing that SharePoint 2016 and other on-premises versions were primary targets, cybersecurity pros should initiate conversations about application inventory and end-of-life planning, said Trey Ford, CISO of Bugcrowd.
Questions to consider include:
What software is running on extended support?
What has reached or is nearing end-of-life?
Can the organization phase out outdated software?
What can be removed from the internet or shut down entirely?
"There are operational, technical debt, and security benefits in consolidating your software support base. The more consistent and simplified the environment, the more stable, reliable, and secure our platforms will be," Ford told Dice.
Lesson 3: Invest in Zero Trust Principles
This SharePoint exploit stemmed from an unpatched vulnerability that allowed privilege escalation via JSON Web Token (JWT) spoofing or improper token validation, letting attackers impersonate privileged users.
This illustrates the post-perimeter threat model, in which attackers rely on lateral movement, abuse of trusted applications, and post-authentication access rather than on breaching a network boundary.
Experts like Aamir Lakhani, global director of threat intelligence and AI at Fortinet, say it's time to make zero trust a security foundation.
"Zero trust, deception, and honeypots have often been deprioritized in favor of more conventional defenses but can no longer be optional. These strategies must be foundational to any security architecture," Lakhani said. "Applications like SharePoint should never trust identity claims without external validation. Defense teams must enforce identity revalidation, use conditional access policies, and aggressively segment services."
Lesson 4: Build a Culture of Security
Simberkoff emphasizes that a resilient security environment starts with well-trained employees and a culture of shared responsibility.
"Security isn't just a technical problem—it's a cultural one. Organizations impacted by this breach need to immediately minimize their attack surface by removing unused data and limiting access to sensitive content," she said. "They should implement zero-trust architectures that assume breach and verify every access request and use layered defense strategies combining native tools with third-party solutions for backup, compliance, and threat detection."
"With budget cuts reducing threat-intelligence teams by 65%, we're creating a perfect storm where sophisticated attacks meet diminished response capabilities."
These lessons from the ToolShell exploit are a call to action: better tools, deeper training, and smarter strategy are the best defense against today’s threats.