
For cybersecurity and technology professionals monitoring the threat landscape, the July and now August alerts regarding the disclosure of a significant Microsoft SharePoint vulnerability chain are a wake-up call about how quickly security flaws can disrupt an organization.
Dubbed ToolShell, this exploit chain is specifically tied to older, on-premise versions of SharePoint – including Subscription Edition, 2019 and 2016 – but not to cloud-based versions of the application, such as SharePoint Online as part of the Microsoft 365 suite, according to information published by the software giant.
After information about the exploit chain began surfacing in early July, Microsoft rushed out fixes for various vulnerabilities. Those patches included one to address CVE-2025-53770, a remote code execution vulnerability related to two other bugs: CVE-2025-49704 and CVE-2025-53771.
CVE-2025-53771 is also a bypass for the fix issued for the previously disclosed server spoofing vulnerability CVE-2025-49706 – further complicating the situation.
Cybersecurity firm Wiz published a detailed blog describing how attackers can exploit the attack chain to target various vulnerable organizations. Microsoft and others also warned that even after applying the fixes, security teams should reset cryptographic keys to ensure that threat actors, once ejected, cannot return.
While Microsoft pushed out the patches for ToolShell, threat groups had already begun exploiting the vulnerabilities as zero-day attacks. The company traced some of the early malicious activity to two nation-state groups based in China – Linen Typhoon and Violet Typhoon – as well as another malicious group called Storm-2603.
Researchers believe that about 150 organizations worldwide were compromised, and even as of late July and early August, data showed that ransomware gangs and other groups continue to exploit the ToolShell vulnerability.
“While the scope and impact continue to be assessed, the chain, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and authenticated access through network spoofing, respectively, and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
For cybersecurity and tech professionals, keeping up with patching and threat assessments is essential, but experts noted that the scale of these attacks and the ability of cybercriminals and threat groups to take advantage of these SharePoint vulnerabilities indicate that more work needs to be done.
“Security teams should treat this as a wake‑up call to overhaul their data security and management practices – doubling down on zero‑trust policies, layering independent backup and threat‑detection tools on top of Microsoft’s stack, and keeping employees sharp through regular, customized security training – ensuring that security is a collective effort, not just an IT department's burden,” Dana Simberkoff, chief risk, privacy and information security officer at AvePoint, told Dice. “Only continuous monitoring of data assets – in addition to system assets – from the bottom up, ensures security. You need a top-down and bottom-up approach.”
The ToolShell exploit chain offers four lessons for cyber and tech pros to help ensure better security for their organizations, as well as a roadmap for the skills that help when facing threats of this kind.
Lesson 1: Understand Cybersecurity Fundamentals
Software security remains an unresolved challenge for many organizations.
Large codebases, especially those containing legacy code, are harder to secure because they were not developed using modern secure coding practices. Applying a patch can sometimes cause unintended side effects if the original flaw isn't fully addressed, said Thomas Richards, infrastructure security practice director at Black Duck.
Older versions of SharePoint, which are designed for internal use, become vulnerable when exposed to the internet. This makes cybersecurity fundamentals more important than ever, Richards added.
"All servers should have appropriate logging, monitoring, and endpoint protection software installed. These tools, if used and configured correctly, will identify and possibly stop an attack as it begins," Richards told Dice. "Professionals should also be aware of their external attack surface and ensure risks are considered when planning to expose internal tools to the internet."
Lesson 2: Create a Software Inventory
Knowing that SharePoint 2016 and other on-premise versions were primary targets, cybersecurity pros should initiate conversations about application inventory and end-of-life planning, said Trey Ford, CISO of Bugcrowd.
Questions to consider include:
What software is running on extended support?
What has reached or is nearing end-of-life?
Can the organization phase out outdated software?
What can be removed from the internet or shut down entirely?
"There are operational, technical debt, and security benefits in consolidating your software support base. The more consistent and simplified the environment, the more stable, reliable, and secure our platforms will be," Ford told Dice.
Lesson 3: Invest in Zero Trust Principles
This SharePoint exploit stemmed from an unpatched vulnerability allowing privilege escalation via JSON Web Token (JWT) spoofing or improper token validation, letting attackers impersonate privileged users.
This illustrates the post-perimeter threat model: attackers exploiting lateral movement, trusted app abuse, and post-authentication access.
Experts like Aamir Lakhani, global director of threat intelligence and AI at Fortinet, say it's time to make zero trust a security foundation.
"Zero trust, deception, and honeypots have often been deprioritized in favor of more conventional defenses but can no longer be optional. These strategies must be foundational to any security architecture," Lakhani said. "Applications like SharePoint should never trust identity claims without external validation. Defense teams must enforce identity revalidation, use conditional access policies, and aggressively segment services."
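The improper token validation described above, as an added example that is not part of the original article: a weak verifier that lets the token's own `alg` header decide whether a signature is needed, beside a strict one that pins the algorithm, checks the HMAC in constant time and enforces expiry before trusting any claim. The secret, claim names and HS256 token format are constructed assumptions for illustration, not SharePoint's actual token handling.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real server keeps its signing key out of source.
SERVER_KEY = b"constructed-demo-secret"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(header_b64: str, body_b64: str, key: bytes) -> bytes:
    return hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()

def mint_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Issue a legitimate HS256 token (used here only to build sample input)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body_b64 = b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{body_b64}.{b64url_encode(sign(header_b64, body_b64, key))}"

def verify_weak(token: str, key: bytes = SERVER_KEY):
    """Improper validation: the token's own 'alg' header decides whether a
    signature is required, so an unsigned token claiming alg=none is accepted."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") == "none":
        return json.loads(b64url_decode(body_b64))
    if b64url_decode(sig_b64) == sign(header_b64, body_b64, key):
        return json.loads(b64url_decode(body_b64))
    return None

def verify_strict(token: str, key: bytes = SERVER_KEY, now=None):
    """External validation: the server pins the algorithm, checks the MAC in
    constant time and enforces expiry; any parse failure is a rejection."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(b64url_decode(sig_b64), sign(header_b64, body_b64, key)):
            return None
        claims = json.loads(b64url_decode(body_b64))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            return None
        return claims
    except (ValueError, AttributeError):  # bad base64/JSON, wrong segment count, non-object
        return None
```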
Lesson 4: Build a Culture of Security
Simberkoff emphasizes that a resilient security environment starts with well-trained employees and a culture of shared responsibility.
"Security isn't just a technical problem—it's a cultural one. Organizations impacted by this breach need to immediately minimize their attack surface by removing unused data and limiting access to sensitive content," she said. "They should implement zero-trust architectures that assume breach and verify every access request and use layered defense strategies combining native tools with third-party solutions for backup, compliance, and threat detection."
"With budget cuts reducing threat-intelligence teams by 65%, we're creating a perfect storm where sophisticated attacks meet diminished response capabilities."
These lessons from the ToolShell exploit are a call to action: better tools, deeper training, and smarter strategy are the best defense against today’s threats.