If your business still runs SharePoint on a local server, now is a very good time to pay attention. Microsoft recently disclosed two critical vulnerabilities affecting on-premises SharePoint Servers — and yes, attackers are already taking advantage of them. (PC Gamer)
While cloud-based users are in the clear, companies hosting SharePoint on their own infrastructure may unknowingly be exposed. Here’s what’s going on, what it means for you, and how to tell if you’re at risk.
Two newly discovered flaws — officially known as CVE-2025-53770 and CVE-2025-53771 — open the door for attackers to run malicious code on local SharePoint servers and impersonate legitimate users. On their own, these vulnerabilities are serious. But when chained together with older SharePoint flaws, they become part of a more advanced exploit sequence called ToolShell — a name you’ll likely hear a lot more in security circles over the coming weeks. (SecurityWeek)
What makes this so pressing is that attackers aren’t waiting. Reports from security researchers and Microsoft indicate that active exploitation began as early as July 18, targeting banks, universities, and even government agencies. Once inside, attackers have stolen sensitive data, planted backdoors, and in some cases, extracted cryptographic keys — giving them long-term access and control.
This isn’t a theoretical risk. It’s real, it’s happening now, and it’s caught the attention of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which officially flagged it as a known exploited vulnerability. (Cyber Security News)
Let’s clear this up: if your organization uses SharePoint Online as part of Microsoft 365, you’re not affected by this. The threat only applies to companies running on-premises versions of SharePoint — namely, SharePoint 2019 and SharePoint Subscription Edition, hosted and managed on internal servers. (IT Pro)
And if you're not entirely sure what type of SharePoint your organization is using, that’s not uncommon. Many businesses have inherited legacy systems or haven't looked under the hood in years. This is exactly the kind of moment when knowing your setup matters.
Microsoft has already released patches to address the vulnerabilities — but applying those patches is just the beginning. Proper remediation involves several technical steps: rotating encryption keys, restarting server processes, checking for indicators of compromise, and ensuring that detection systems are in place to flag any suspicious behavior. It's not just a “click and forget” update. (Tom's Guide)
This level of response may feel overwhelming, especially if you don’t have a dedicated security team or if SharePoint hasn’t been top-of-mind in a while. The good news? If you're already working with Four Winds IT, you’re probably not affected — none of our current clients are using on-premises SharePoint.
Still, we’re sharing this because cybersecurity is everyone’s responsibility — and knowledge is the first step in protection.
SharePoint doesn’t live in a vacuum. It’s deeply woven into Microsoft’s ecosystem — touching files in OneDrive, conversations in Teams, and tasks in Outlook. A breach in one part of the system can often give attackers a front-row seat to the rest. (The Hacker News) That’s what makes ToolShell so concerning: it doesn’t just unlock one door, it gives someone the master key. (The Wall Street Journal)
For businesses still hosting SharePoint on-site, this is a moment to pause, assess, and ask the right questions. Are we patched? Are we monitoring for unusual activity? Are we sure this system is still worth the risk of maintaining in-house?
This isn’t about panic. It’s about perspective. As threats evolve, so should the way we think about our systems. If you’re not sure whether this applies to your business — or if you suspect your infrastructure might have some blind spots — we’re here to help you make sense of it.
Just give us a call at 941-315-2380.