Microsoft SharePoint Under Attack: A Wake-Up Call for Legacy System Defenders
The last few weeks have been rough for Microsoft SharePoint users. A major security flaw turned into a real-life nightmare as attackers exploited a remote code execution (RCE) vulnerability—one that many didn’t see coming, and some are still struggling to recover from.
It all started mid-July, when cybersecurity researchers at Eye Security—based in The Hague—sounded the alarm. They tracked four aggressive waves of attacks from July 17 to 19, with more attacks following closely behind on July 21. It quickly became clear: this wasn’t just a blip. It was a full-on assault.
Although Microsoft issued a patch, it seems the fix didn’t come fast enough—or wasn’t strong enough. At least 400 systems were compromised, and over 8,000 were still vulnerable when this was written. For many IT teams, it’s been a sleepless few weeks.
This incident isn’t just about one exploit. It sheds light on deeper issues around legacy infrastructure, patching delays, and the fatigue that comes with constantly chasing the next vulnerability.
- A widespread attack on Microsoft SharePoint hit in July 2025, exploiting a serious RCE flaw and affecting hundreds of systems—while thousands more remain exposed.
- The exploit bypassed Microsoft’s July patch, raising concerns about the effectiveness of the initial fix.
- A China-based threat actor known as Storm-2603 has been linked to the attack, using it to steal login credentials and launch ransomware.
- The breach exposes the fragility of on-premise legacy systems, where updates often rely on manual intervention.
- Many IT teams are overwhelmed by "patch fatigue", and the complexity of legacy systems makes updates risky and time-consuming.
- Experts say the solution lies in automation, embracing zero-trust architecture, and staying ahead with real-time threat monitoring.
The Breach That Nearly Went Unnoticed
On July 19, 2025, Microsoft confirmed something no security team ever wants to hear—an active exploitation campaign was already in motion, targeting a serious flaw in SharePoint on-premises servers.
The vulnerability had been partly patched on July 8, but something slipped through the cracks. Not long after, attackers found a way to exploit what was left open.
Researchers at Code White were the first to reproduce the full exploit chain. They gave it a name that’s now burned into every blue team’s brain—"ToolShell." This wasn’t just another bug; it was a cleverly chained remote code execution vulnerability that allowed attackers to execute commands on servers—without anyone noticing at first.
Microsoft published an advisory soon after, admitting what many feared:
“We’re aware of active attacks targeting on-premises SharePoint Server customers, using vulnerabilities not fully covered in our recent security update.”
The bugs were later given official names:
- CVE-2025-53770 – Remote Code Execution
- CVE-2025-53771 – Spoofing vulnerability
Both flaws were tied to older CVEs that, in hindsight, weren’t fully locked down. The door was left half-open—and someone walked right in.
At first, whispers circulated about this being a zero-day. But a well-respected ethical hacker and AppSec expert on X (formerly Twitter) shut that theory down, calling it instead a true "N-Day"—a known vulnerability that hadn’t been patched properly.
That didn’t stop the fallout. Even high-value U.S. institutions like the Department of Energy and the National Nuclear Security Administration were caught in the blast radius.
How They Got In
The attackers gained initial access by sending a POST request to a SharePoint endpoint called ToolPane using a nasty little payload called spinstall0.aspx. This script did more than raise eyebrows—it quietly pulled MachineKey data and returned it via GET requests. That data gave attackers the keys to the kingdom.
Figure: POST request to ToolPane endpoint. Source: Microsoft
Microsoft later identified the culprit as Storm-2603, a threat group with ties to China. Their tactics weren’t just clever—they were methodical and chilling.
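The access pattern described above, a POST to the ToolPane endpoint followed by the same client fetching spinstall0.aspx, is something defenders can look for in their own IIS logs. The following is an added detection example, not code from the article, Microsoft or Eye Security. The log excerpt, its field layout, the IP addresses and the ten-minute correlation window are all constructed assumptions; match the field names to the `#Fields:` header of your own logs.

```python
"""Triage IIS W3C logs for the ToolShell access pattern: a POST to the ToolPane
endpoint followed by requests for spinstall0.aspx from the same client.

Added example, not code from the article, Microsoft or Eye Security. The log
excerpt, field layout, addresses and CHAIN_WINDOW are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed IIS log excerpt. Addresses come from private and RFC 5737
# documentation ranges and are not real indicators.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 03:12:01 10.0.0.5 GET /sites/hr/default.aspx - 10.0.0.77 200
2025-07-18 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 203.0.113.9 200
2025-07-18 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 200
2025-07-18 03:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 10.0.0.42 200
2025-07-18 04:01:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.4 404
"""

TOOLPANE_SUFFIX = "/toolpane.aspx"
WEBSHELL_SUFFIX = "/spinstall0.aspx"
CHAIN_WINDOW = timedelta(minutes=10)  # assumption: how close the POST and GET must be


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than mis-align columns
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def find_toolshell_indicators(rows):
    """Return findings sorted by time.

    ToolPane.aspx is also used when legitimately editing web part pages, so a
    POST to it on its own is only context. Every request for spinstall0.aspx is
    reported (a 404 still shows someone probing for the file); one preceded by
    a ToolPane POST from the same client inside CHAIN_WINDOW is high severity.
    """
    toolpane_posts = {}  # client IP -> timestamps of its ToolPane POSTs
    for r in rows:
        if r["cs-method"].upper() == "POST" and r["cs-uri-stem"].lower().endswith(TOOLPANE_SUFFIX):
            toolpane_posts.setdefault(r["c-ip"], []).append(r["ts"])

    findings = []
    for r in rows:
        if not r["cs-uri-stem"].lower().endswith(WEBSHELL_SUFFIX):
            continue
        prior = [t for t in toolpane_posts.get(r["c-ip"], [])
                 if timedelta(0) <= r["ts"] - t <= CHAIN_WINDOW]
        detail = f"{r['cs-method']} {r['cs-uri-stem']} -> {r['sc-status']}"
        if prior:
            detail += f"; preceded by {len(prior)} ToolPane POST(s) from this client within {CHAIN_WINDOW}"
        findings.append({
            "severity": "high" if prior else "medium",
            "c-ip": r["c-ip"],
            "ts": r["ts"],
            "status": r["sc-status"],
            "detail": detail,
        })
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in find_toolshell_indicators(parse_w3c(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['ts']} {f['c-ip']} {f['detail']}")
```

Run against the constructed excerpt, the script reports the external client that chained a ToolPane POST with a spinstall0.aspx fetch as high severity, the later probe that received a 404 as medium, and stays silent on the internal editor's ToolPane POST. Pointing it at real logs means reading them from disk and checking that the `#Fields:` line lists `cs-method`, `cs-uri-stem`, `c-ip` and `sc-status`, which IIS logs in the default W3C format do.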
From Stealth to Ransomware
The breach began like a ghost slipping through digital walls—quiet, calculated, invisible at first. Once in, Storm-2603 used spinstall0.aspx to plant their flag. From there, they:
- Set up scheduled tasks
- Injected malicious IIS components
- Loaded suspicious .NET assemblies
Their goal was persistence. And they got it.
Then came the next phase—credential theft. They used Mimikatz to scrape LSASS memory and pull plain-text credentials. After that, they moved laterally through networks with PsExec and Impacket. It wasn’t long before they used Group Policy Objects (GPOs) to deploy the final blow: Warlock ransomware.
At that point, it was clear—this wasn’t just a breach. It was a full-scale ransomware operation with chilling precision.
What This Means for Us
This incident is a brutal reminder that partial patches aren't protection. It’s easy to fall into the trap of thinking “mostly fixed” is good enough—but in cybersecurity, “mostly” can be deadly.
For us in the field—especially those of us who manage infrastructure, patching pipelines, and incident response—it’s a wake-up call. The bad actors are watching, waiting, and more patient than ever.
Let’s not give them that sliver of opportunity again.
Why Updates Keep Falling Behind
Let’s be honest—keeping up with security updates feels like trying to drink from a firehose. Many IT teams are buried under a constant stream of patches across different platforms. It’s exhausting. This is what's known as patch fatigue, and it's very real.
The 2024 Ponemon Institute Cyber Risk Metrics Report paints a concerning picture: 87% of CISOs and CSOs say they don’t have a clear handle on defining risk metrics. Even worse, many of them point to unpatched vulnerabilities as one of their biggest headaches.
So, what happens in the real world? Patches get delayed. Other urgent tasks take priority. The team is overwhelmed. And that’s all it takes—a window of opportunity for attackers to slip through the cracks.
What ToolShell Tells Us About a Broken Security Model
The ToolShell exploit, which hit Microsoft SharePoint, was a wake-up call. It exposed just how fragile and outdated many on-premise systems really are.
Take SharePoint 2019, for example. It’s headed for retirement in 2026, and many organizations have already mentally moved on. Unless a patch is marked critical, it often doesn’t get the attention it deserves—until it’s too late.
And here’s the kicker: SharePoint 2016 and 2019 aren’t plug-and-play environments. They’re tangled up in custom workflows, legacy tools, and brittle codebases. A single patch can feel like defusing a bomb. You don’t just apply it—you test, validate, and cross your fingers. That could take days… or even weeks. Sometimes, the patch doesn’t happen at all.
Unlike SharePoint Online, which updates quietly in the background, on-prem setups are manual—and messy. Admins have to hunt down the patch, test it across various hardware and configurations, and pray it doesn’t break anything in production.
This complexity creates the perfect storm: long delays, overlooked patches, and ultimately, security gaps. And even when patches do get applied, they’re not always enough.
In the recent ToolShell attack, Microsoft had already released fixes for CVE-2025-49704 and CVE-2025-49706. But attackers still found a way around them. That’s a gut punch for teams doing their best with limited resources.
The Bottom Line
The ToolShell breach proves something that many in IT already feel in their gut: patching alone isn’t enough—especially when you're stuck maintaining aging, manual infrastructure.
On-premise systems, no matter how carefully managed, are becoming liabilities. They're slow to patch, hard to secure, and easy to exploit. And the reality is, some fixes just don’t go far enough.
Looking ahead, security resilience won’t come from patching faster—it’ll come from rethinking the model entirely. That means embracing zero-trust principles, automating updates, monitoring vulnerabilities from start to finish, and actively hunting for threats.
The harsh truth? If enterprises don’t modernize their approach, they’ll remain sitting ducks for the next ToolShell-style attack. The time for passive defense is over.
- SharePoint Under Siege: ToolShell Exploit (CVE-2025-49706 & CVE-2025-49704) (Eye Research)
- Disrupting active exploitation of on-premises SharePoint vulnerabilities (Microsoft Security Blog)
- Customer guidance for SharePoint vulnerability CVE-2025-53770 (Microsoft Security Response Center)
- Soroush Dalili on X (X)
- Nuclear Weapons Agency Breached in Microsoft SharePoint Hack (Bloomberg)
- Ponemon Report: The Top Three AI Cyber Risks Revealed (Balbix)
- SharePoint Server 2019 (Microsoft Learn)