The ongoing ‘ToolShell’ cyberattack campaign against local Microsoft SharePoint servers is not just another security incident. It is a wake-up call for companies and public institutions that continue to rely on local IT environments – often with missed updates, no ongoing oversight and limited budgets for cyber protection. The consequences can be far more serious than just temporary disruption.
Weakness in local installations
In the ‘ToolShell’ attack, cybercriminals are exploiting two vulnerabilities – CVE-2025-53770 and CVE-2025-53771 – in local versions of SharePoint Server. The software, which for years has been regarded as a key link for digital collaboration in companies, has proven to be an easy target – if not properly secured. Significantly, the vulnerabilities do not affect the cloud version of SharePoint Online, which only widens the gap between those who have already migrated to SaaS environments and those who, for various reasons, continue to maintain their own infrastructure.
Microsoft has already issued emergency patches for the Subscription Edition and SharePoint Server 2019. However, users of the 2016 version are still waiting for an update – and it is this edition that is widely used in public institutions, schools and manufacturing companies. The problem therefore affects not only large corporations, but also the entire administrative and educational establishment, which does not always have a dedicated cyber security team.
The scale of the problem is growing
According to independent researchers, the attacks have been ongoing since at least 17 July and are not geographically limited. Organisations in the US, Germany, France and Australia are most affected, but the scale of the attackers’ operations suggests that institutions around the world – including Poland – are vulnerable.
Most worryingly, government agencies and critical infrastructure management organisations, among others, have been the targets of attacks. Security experts recommend that any organisation with a local SharePoint exposed to the internet should make the default assumption: “we are already infected”.
These types of warnings do not occur often. In practice, this means not only installing available patches, but also conducting thorough investigative analyses, cutting off external access, rotating cryptographic keys and potentially rebuilding the environment. For many companies, this means stopping projects, involving external IR (incident response) teams and serious operational costs.
Why SharePoint?
SharePoint is not just a document repository. In many organisations, it integrates with Office, Teams, OneDrive and Outlook – effectively acting as the hub of all communication and data sharing. For an attacker, gaining unauthorised access to this system means access to a company’s most important operational information.
Additionally, the CVE-2025-53770 vulnerability allows remote code execution without authentication. In practice, that means a full takeover of the server, including data theft, creation of backdoors and exfiltration of cryptographic keys. For organisations, this means not only the risk of data leakage, but also potential blackmail, ransomware infection and a permanent erosion of customer trust.
A strategic issue, not just a technical one
For many businesses, the attack on SharePoint is a turning point. The years-long postponement of the decision to migrate to the cloud or upgrade local infrastructure has just shown its dark side. Companies that had previously invested in SaaS solutions were protected from this campaign almost by definition.
On the other hand, the public sector and large organisations with stringent compliance requirements still often maintain on-premise environments. The problem, however, is that many of these systems operate in so-called ‘set it and forget it’ mode. The lack of resources, trained administrators and IR procedures means that an attack may only be detected weeks later – if it is detected at all.
What next?
Organisations that have not yet taken the following steps should do so without delay:
- Install available Microsoft patches (Subscription Edition, 2019),
- Disconnect local SharePoints from the internet until patches for the 2016 version are released,
- Verify logs, run forensic analyses and check for data exfiltration,
- Rotate cryptographic keys, tokens and access passwords,
- Carry out a full audit of the configuration and exposure of local environments.
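The key-rotation step above is the one most easily overlooked after patching. The following PowerShell script is an added example, not code from the article or from Microsoft: it records the farm build so it can be compared against the vendor advisory, then rotates the ASP.NET machine keys of every content web application in the farm and restarts IIS. It assumes it is run in an elevated SharePoint Management Shell on a farm server, as a farm administrator, after the relevant security update has been installed; the availability of the Update-SPMachineKey cmdlet on the local build is an assumption that the script checks before doing anything.

```powershell
# Added example (not from the article): rotate ASP.NET machine keys on a patched
# SharePoint Server farm, implementing the "rotate cryptographic keys" step.
# Assumptions: elevated SharePoint Management Shell, farm administrator account,
# security update already installed. Update-SPMachineKey is assumed to exist on
# this build (Subscription Edition / 2019 after the update); verified below.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so it can be compared against Microsoft's advisory.
#    The script does not hard-code "safe" build numbers; check them yourself.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# 2. Refuse to continue if the rotation cmdlet is not available on this build,
#    which indicates the security update has not been applied to the farm.
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    Write-Warning "Update-SPMachineKey not found; install the security update first."
    return
}

# 3. Rotate the machine keys for every content web application in the farm.
#    (Get-SPWebApplication without -IncludeCentralAdministration skips Central
#    Administration; add the switch if that site is also internet-exposed.)
$webApps = Get-SPWebApplication
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.DisplayName) ($($wa.Url))"
    Update-SPMachineKey -WebApplication $wa
}

# 4. Restart IIS so the new keys take effect. Repeat the restart on every
#    SharePoint server in the farm, not only the one this script ran on.
iisreset.exe
```

Run it once per farm after the patch is confirmed, then repeat the IIS restart on each remaining farm server. Key rotation invalidates any forged view-state or authentication artefacts that depended on the old keys, which is why the article lists it alongside patching rather than as an optional extra; it does not replace the log review and forensic analysis steps, which still determine whether the environment must be rebuilt.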
In the long term, companies should also review their IT strategy. Maintaining local systems without an upgrade plan and the resources to secure them is as risky today as keeping cash in a safe with the lock removed. This is no longer just a topic for the IT department – it is a strategic issue that should reach the board’s desk.